iptables port forwarding for specific source addresses...

ynotssor (Guest)
Posted: Thu Aug 21, 2008 2:47 pm
We're seeking help please with finding examples or tutorials on the
following, which must be quite common: we wish to accept connections from
external specific IP address ranges to a certain port on an internal
machine.
What syntax is required to allow a machine w.x.0.0/16 to connect to our
external iptables eth1 = a.b.c.126:8317 (e.g. "security by obscurity") and
be forwarded to 10.0.0.9:443 where other AUTH security checks exist, please?
The iptables firewall currently drops all but RELATED, ESTABLISHED on
external eth1 and logs all unsolicited packets (we have that under control,
thanks):
# Generated by iptables-save v1.3.5 on Sun Mar 2 18:01:01 2008
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [eth1:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state -i eth1 --state NEW -j LOG --log-level 7 --log-prefix UNSOLICITED:
COMMIT
*mangle
:PREROUTING ACCEPT [1471:303908]
:INPUT ACCEPT [636:240607]
:FORWARD ACCEPT [832:63181]
:OUTPUT ACCEPT [437:39285]
:POSTROUTING ACCEPT [1269:102466]
COMMIT
*nat
:PREROUTING ACCEPT [203:14045]
:POSTROUTING ACCEPT [192:12653]
:OUTPUT ACCEPT [20:1217]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT

Felix Tiede (Guest)
Posted: Thu Aug 21, 2008 5:17 pm
ynotssor wrote:
Quote: We're seeking help please with finding examples or tutorials on the
following, which must be quite common: we wish to accept connections from
external specific IP address ranges to a certain port on an internal
machine.
What syntax is required to allow a machine w.x.0.0/16 to connect to our
external iptables eth1 = a.b.c.126:8317 (e.g. "security by obscurity") and
be forwarded to 10.0.0.9:443 where other AUTH security checks exist,
please?
Two parts are required here - one for the filter to let packets come in:
*filter
....
-A INPUT -i eth1 -s w.x.0.0/16 --dport 8317 -m state --state NEW -j ACCEPT
....
COMMIT
and one to nat this connection to the internal machine and port:
*nat
....
-A PREROUTING -i eth1 -s w.x.0.0/16 --dport 8317 -j DNAT --to-destination 10.0.0.9:443
....
COMMIT
On a side note: I guess this is about HTTPS on TCP, so you could add "-p
tcp --syn" to both rules right behind "--dport 8317". That would filter out
unwanted UDP traffic and TCP packets commonly not used to establish
connections.
Hope it helps,
Felix Tiede

ynotssor (Guest)
Posted: Fri Aug 22, 2008 12:41 am
In news:6h67rnFjhbu5U1 at (no spam) mid.individual.net,
Felix Tiede <f.tiede at (no spam) web.de> typed:
Quote: What syntax is required to allow a machine w.x.0.0/16 to connect to
our external iptables eth1 = a.b.c.126:8317 (e.g. "security by
obscurity") and be forwarded to 10.0.0.9:443 where other AUTH
security checks exist, please?
Two parts are required here - one for the filter to let packets come in:
*filter
...
-A INPUT -i eth1 -s w.x.0.0/16 --dport 8317 -m state --state NEW -j ACCEPT
...
COMMIT
and one to nat this connection to the internal machine and port:
*nat
...
-A PREROUTING -i eth1 -s w.x.0.0/16 --dport 8317 -j DNAT --to-destination 10.0.0.9:443
...
COMMIT
On a side note: I guess this is about HTTPS on TCP, so you could add
"-p tcp --syn" to both rules right behind "--dport 8317". That would
filter out unwanted UDP traffic and TCP packets commonly not used to
establish connections.
Thank you so much. Per your assistance I currently have:
# cat /etc/sysconfig/iptables
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [eth1:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -s w.x.0.0/16 --dport 8317 -p tcp --syn -m state --state NEW -j ACCEPT
-A INPUT -m state -i eth1 --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state -i eth1 --state NEW -j LOG --log-level 7 --log-prefix UNSOLICITED:
COMMIT
*mangle
:PREROUTING ACCEPT [1471:303908]
:INPUT ACCEPT [636:240607]
:FORWARD ACCEPT [832:63181]
:OUTPUT ACCEPT [437:39285]
:POSTROUTING ACCEPT [1269:102466]
COMMIT
*nat
-A PREROUTING -i eth1 -s w.x.0.0/16 --dport 8317 -p tcp --syn -j DNAT --to-destination 10.0.0.9:443
:PREROUTING ACCEPT [203:14045]
:POSTROUTING ACCEPT [192:12653]
:OUTPUT ACCEPT [20:1217]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# /etc/init.d/iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: nat mangle filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: iptables-restore v1.3.5: Unknown arg `--dport'
Error occurred at line: 7
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[FAILED]
# iptables --version
iptables v1.3.5

... (Guest)
Posted: Fri Aug 22, 2008 1:30 am
Felix Tiede <f.tiede at (no spam) web.de> wrote:
Quote: ynotssor wrote:
Two parts are required here - one for the filter to let packets come in:
*filter
...
-A INPUT -i eth1 -s w.x.0.0/16 --dport 8317 -m state --state NEW -j ACCEPT
If I understood the question right, 10.0.0.9 isn't on the firewall
itself. So you probably want:
-A FORWARD -i eth1 -s x.y.0.0/16 -d 10.0.0.9/32 -p tcp --dport 443 -m state --state NEW -j ACCEPT
Quote: and one to nat this connection to the internal machine and port:
*nat
...
-A PREROUTING -i eth1 -s w.x.0.0/16 --dport 8317 -j DNAT --to-destination 10.0.0.9:443
Just a small improvement, but accurateness adds security.
-A PREROUTING -i eth1 -s x.y.0.0/16 -d a.b.c.d/32 -p tcp --dport 8317 -j DNAT --to-destination 10.0.0.9:443
Quote: On a side note: I guess this is about HTTPS on TCP, so you could add "-p
tcp --syn" to both rules right behind "--dport 8317".
Why add --syn? The filter rule is stateful.
Cheers, Harry

Felix Tiede (Guest)
Posted: Fri Aug 22, 2008 1:35 am
ynotssor wrote:
[snip]
Quote: Thank you so much. Per your assistance I currently have:
# cat /etc/sysconfig/iptables
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [eth1:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
Hint: Put this rule behind the next so you don't waste time on checking
packets belonging to an already established connection.
Quote: -A INPUT -i eth1 -s w.x.0.0/16 --dport 8317 -p tcp --syn -m state --state NEW -j ACCEPT
-A INPUT -m state -i eth1 --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state -i eth1 --state NEW -j LOG --log-level 7 --log-prefix UNSOLICITED:
COMMIT
*mangle
:PREROUTING ACCEPT [1471:303908]
:INPUT ACCEPT [636:240607]
:FORWARD ACCEPT [832:63181]
:OUTPUT ACCEPT [437:39285]
:POSTROUTING ACCEPT [1269:102466]
COMMIT
*nat
This should go after ":OUTPUT ACCEPT" but before "-A POSTROUTING ..."
-A PREROUTING -i eth1 -s w.x.0.0/16 --dport 8317 -p tcp --syn -j DNAT --to-destination 10.0.0.9:443
:PREROUTING ACCEPT [203:14045]
:POSTROUTING ACCEPT [192:12653]
:OUTPUT ACCEPT [20:1217]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# /etc/init.d/iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: nat mangle filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: iptables-restore v1.3.5: Unknown arg `--dport'
Error occurred at line: 7
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[FAILED]
Ah yes, sometimes I forget about the importance of argument order for
iptables. And since --dport is protocol dependent (not every protocol
filtered by iptables has source and/or destination ports), it is necessary
to specify "-p tcp" _before_ "--dport". That should do the trick.
For readability of the script you can still stick "-p tcp" and "--syn"
together, and, even more so, put "-p tcp --syn" before "-s w.x.0.0/16".
HTH,
Felix Tiede

Felix Tiede (Guest)
Posted: Fri Aug 22, 2008 1:41 am
harry.potter at (no spam) fredastaire.ch wrote:
Quote: Felix Tiede <f.tiede at (no spam) web.de> wrote:
ynotssor wrote:
Two parts are required here - one for the filter to let packets come in:
*filter
...
-A INPUT -i eth1 -s w.x.0.0/16 --dport 8317 -m state --state NEW -j ACCEPT
If I understood the question right, 10.0.0.9 isn't on the firewall
itself. So you probably want:
-A FORWARD -i eth1 -s x.y.0.0/16 -d 10.0.0.9/32 -p tcp --dport 443 -m state --state NEW -j ACCEPT
My bad, yes, you're right.
Quote:
[snip]
On a side note: I guess this is about HTTPS on TCP, so you could add "-p
tcp --syn" to both rules right behind "--dport 8317".
Why add --syn? The filter rule is stateful.
Stateful inspection costs time by checking tables. --syn is information the
packet already carries with itself, and by checking it first unwanted
traffic will be filtered before costly stateful inspection - that is, if
the order of checking (and not checking any more after the first failure) is
as specified on the command line...
Felix Tiede

ynotssor (Guest)
Posted: Fri Aug 22, 2008 3:51 am
In news:6h7517FjhtbbU1 at (no spam) mid.individual.net,
Felix Tiede <f.tiede at (no spam) web.de> typed:
Quote: Ah yes, sometimes I forget about the importance of argument order for
iptables. And since --dport is protocol dependent (not every protocol
filtered by iptables has source and/or destination ports), it is
necessary to specify "-p tcp" _before_ "--dport". That should do the
trick.
For readability of the script you can still stick "-p tcp" and "--syn"
together, and, even more so, put "-p tcp --syn" before "-s w.x.0.0/16".
Thank you, Messrs. Tiede and Potter. I now have:
# cat /etc/sysconfig/iptables
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [eth1:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -m state -i eth1 --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -p tcp --syn -s w.x.0.0/16 -d 10.0.0.9/32 --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -m state -i eth1 --state NEW -j LOG --log-level 7 --log-prefix UNSOLICITED:
COMMIT
*mangle
:PREROUTING ACCEPT [1471:303908]
:INPUT ACCEPT [636:240607]
:FORWARD ACCEPT [832:63181]
:OUTPUT ACCEPT [437:39285]
:POSTROUTING ACCEPT [1269:102466]
COMMIT
*nat
:PREROUTING ACCEPT [203:14045]
:POSTROUTING ACCEPT [192:12653]
:OUTPUT ACCEPT [20:1217]
-A PREROUTING -i eth1 -p tcp --syn -s w.x.0.0/16 -d 10.0.0.9/32 --dport 8317 -j DNAT --to-destination 10.0.0.9:443
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# /etc/init.d/iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: nat mangle filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_nat_ftp ip_conntrac[ OK ]s_ns
Yet the firewall is still dropping the packets so that the 10.0.0.9:443
connection is failing. Using a simple script I wrote to examine the log
file, we see:
# probe_report UNSOLICITED
Address Packets Bytes Protocol(s) Dest.Port(s)
w.x.f.h 2 88 TCP 8317
Totals 2 0.1KB for search pattern "UNSOLICITED"
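The poster's probe_report script is not shown in the thread, so here is an added example of the same kind of summary (this is not the poster's script): a POSIX shell function that reads kernel LOG lines for a chosen --log-prefix from stdin and reports packets, bytes, protocols and destination ports per source address. It assumes the standard netfilter LOG line layout (KEY=VALUE fields after the prefix); the sample lines are constructed, with RFC 5737 addresses as placeholders, and the function name probe_report is reused only because the thread uses it.

```shell
#!/bin/sh
# Added example, not the poster's probe_report script: summarise netfilter LOG
# entries carrying a given --log-prefix, per source address, in the same shape
# as the report quoted in the thread. Assumes the standard kernel LOG line
# layout (KEY=VALUE fields after the prefix). The sample lines are constructed.

SAMPLE_LOG='Aug 22 03:40:12 fw kernel: UNSOLICITED:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.126 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=8317 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 22 03:40:15 fw kernel: UNSOLICITED:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.126 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40002 DPT=8317 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 22 03:41:00 fw kernel: UNSOLICITED:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=203.0.113.126 LEN=78 TOS=0x00 PREC=0x00 TTL=48 ID=3 PROTO=UDP SPT=5353 DPT=53 LEN=58
Aug 22 03:41:05 fw kernel: UNSOLICITED:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=203.0.113.126 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=4 DF PROTO=TCP SPT=2222 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 22 03:42:00 fw kernel: eth1: link is up'

# probe_report PREFIX   (log lines on stdin; PREFIX defaults to UNSOLICITED)
probe_report() {
  prefix=${1:-UNSOLICITED}
  printf 'Address Packets Bytes Protocol(s) Dest.Port(s)\n'
  awk -v pfx="$prefix:" '
    index($0, pfx) == 0 { next }          # keep only lines logged with our prefix
    {
      src = ""; len = 0; proto = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        else if ($i ~ /^LEN=/ && len == 0) len = substr($i, 5) + 0   # first LEN= is the IP total length; UDP lines carry a second one
        else if ($i ~ /^PROTO=/) proto = substr($i, 7)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src == "") next
      pkts[src]++; bytes[src] += len; tp++; tb += len
      if (proto != "" && !((src, proto) in seenp)) {
        seenp[src, proto] = 1
        protos[src] = (protos[src] == "") ? proto : (protos[src] "," proto)
      }
      if (dpt != "" && !((src, dpt) in seend)) {
        seend[src, dpt] = 1
        ports[src] = (ports[src] == "") ? dpt : (ports[src] "," dpt)
      }
    }
    END {
      for (s in pkts)
        printf "%s %d %d %s %s\n", s, pkts[s], bytes[s], (protos[s] == "" ? "-" : protos[s]), (ports[s] == "" ? "-" : ports[s])
      printf "Totals %d packets %d bytes for prefix %s\n", tp + 0, tb + 0, pfx
    }
  ' | LC_ALL=C sort      # addresses sort before the Totals line in the C locale
}

# Stand-alone run over the constructed sample; on a real box feed it the syslog file instead.
printf '%s\n' "$SAMPLE_LOG" | probe_report UNSOLICITED
```

Grouping by source address and destination port is what makes the report useful for the question in the thread: a source inside the allowed range hitting tcp/8317 and still being logged as UNSOLICITED tells you the INPUT chain, not the forwarding path, is what the packet reached.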

Eric (Guest)
Posted: Fri Aug 22, 2008 8:02 am
ynotssor wrote:
Quote: We're seeking help please with finding examples or tutorials on the
following, which must be quite common: we wish to accept connections from
external specific IP address ranges to a certain port on an internal
machine.
What syntax is required to allow a machine w.x.0.0/16 to connect to our
external iptables eth1 = a.b.c.126:8317 (e.g. "security by obscurity") and
be forwarded to 10.0.0.9:443 where other AUTH security checks exist,
please?
The iptables firewall currently drops all but RELATED, ESTABLISHED on
external eth1 and logs all unsolicited packets (we have that under
control, thanks):
# Generated by iptables-save v1.3.5 on Sun Mar 2 18:01:01 2008
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [eth1:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state -i eth1 --state NEW -j LOG --log-level 7 --log-prefix UNSOLICITED:
COMMIT
*mangle
:PREROUTING ACCEPT [1471:303908]
:INPUT ACCEPT [636:240607]
:FORWARD ACCEPT [832:63181]
:OUTPUT ACCEPT [437:39285]
:POSTROUTING ACCEPT [1269:102466]
COMMIT
*nat
:PREROUTING ACCEPT [203:14045]
:POSTROUTING ACCEPT [192:12653]
:OUTPUT ACCEPT [20:1217]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
I think you are saying you want to route incoming traffic arriving on eth1
from network a.b.c.d to eth0 which is network 10.0.0.X but only from a
single IP on the a.b.c.d network.
Something like this (may not be exactly right):
iptables -A FORWARD -i eth1 -o eth0 -p tcp -s a.b.c.126 --sport 8317 -d 10.0.0.9 --dport 443 -j ACCEPT
Eric

ynotssor (Guest)
Posted: Fri Aug 22, 2008 8:28 am
In news:H_2dndwxLaRLJTPVnZ2dnUVZ_gKdnZ2d at (no spam) comcast.com,
Eric <Eric at (no spam) nomail.afraid.org> typed:
Quote: I think you are saying you want to route incoming traffic arriving on
eth1 from network a.b.c.d to eth0 which is network 10.0.0.X but only
from a single IP on the a.b.c.d network.
Something like this (may not be exactly right):
iptables -A FORWARD -i eth1 -o eth0 -p tcp -s a.b.c.126 --sport 8317 -d 10.0.0.9 --dport 443 -j ACCEPT
Thank you, packets are still being dropped, not FORWARDed, with:
# cat /etc/sysconfig/iptables
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [eth1:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -m state -i eth1 --state RELATED,ESTABLISHED -j ACCEPT
#-A FORWARD -i eth1 -p tcp --syn -s 216.178.50.0/24 -d 10.0.0.9/32 --dport 443 -m state --state NEW -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp --syn -s 216.178.50.0/24 --sport 8317 -d 10.0.0.9 --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -m state -i eth1 --state NEW -j LOG --log-level 7 --log-prefix UNSOLICITED:
COMMIT
*mangle
:PREROUTING ACCEPT [1471:303908]
:INPUT ACCEPT [636:240607]
:FORWARD ACCEPT [832:63181]
:OUTPUT ACCEPT [437:39285]
:POSTROUTING ACCEPT [1269:102466]
COMMIT
*nat
:PREROUTING ACCEPT [203:14045]
:POSTROUTING ACCEPT [192:12653]
:OUTPUT ACCEPT [20:1217]
-A PREROUTING -i eth1 -p tcp --syn -s 216.178.50.0/24 -d 10.0.0.9/32 --dport 8317 -j DNAT --to-destination 10.0.0.9:443
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
The "--sport 8317" doesn't really make sense though, as we don't know what
source port on the client machine the browser is communicating through.

Felix Tiede (Guest)
Posted: Fri Aug 22, 2008 8:47 am
ynotssor wrote:
Quote: In news:6h7517FjhtbbU1 at (no spam) mid.individual.net,
Felix Tiede <f.tiede at (no spam) web.de> typed:
Ah yes, sometimes I forget about the importance of argument order for
iptables. And since --dport is protocol dependent (not every protocol
filtered by iptables has source and/or destination ports), it is
necessary to specify "-p tcp" _before_ "--dport". That should do the
trick.
For readability of the script you can still stick "-p tcp" and "--syn"
together, and, even more so, put "-p tcp --syn" before "-s w.x.0.0/16".
Thank you, Messrs. Tiede and Potter. I now have:
# cat /etc/sysconfig/iptables
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [eth1:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -m state -i eth1 --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -p tcp --syn -s w.x.0.0/16 -d 10.0.0.9/32 --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -m state -i eth1 --state NEW -j LOG --log-level 7 --log-prefix UNSOLICITED:
COMMIT
*mangle
:PREROUTING ACCEPT [1471:303908]
:INPUT ACCEPT [636:240607]
:FORWARD ACCEPT [832:63181]
:OUTPUT ACCEPT [437:39285]
:POSTROUTING ACCEPT [1269:102466]
COMMIT
*nat
:PREROUTING ACCEPT [203:14045]
:POSTROUTING ACCEPT [192:12653]
:OUTPUT ACCEPT [20:1217]
-A PREROUTING -i eth1 -p tcp --syn -s w.x.0.0/16 -d 10.0.0.9/32 --dport 8317 -j DNAT --to-destination 10.0.0.9:443
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
Leave out the "-d 10.0.0.9/32" from the PREROUTING rule. In that state of
natting, iptables doesn't know the final address (which is going to be
changed to 10.0.0.9) so it doesn't nat the packet and the FORWARD chain
won't match.
Felix Tiede

ynotssor (Guest)
Posted: Fri Aug 22, 2008 10:09 am
In news:6h7uauFjo1mrU1 at (no spam) mid.individual.net,
Felix Tiede <f.tiede at (no spam) web.de> typed:
Quote: Leave out the "-d 10.0.0.9/32" from the PREROUTING rule. In that
state of natting, iptables doesn't know the final address (which is
going to be changed to 10.0.0.9) so it doesn't nat the packet and the
FORWARD chain won't match.
But the incoming packets are dropped, not FORWARDed, and are not nat'd ...
they don't pass any INPUT criteria and are dropped by default, apparently.
With everybody's, and particularly your assistance, the problem is solved
using the following:
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [eth1:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -m state -i eth1 --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp --syn -s w.x.0.0/16 --dport 8317 -m state --state NEW -j ACCEPT
-A INPUT -m state -i eth1 --state NEW -j LOG --log-level 7 --log-prefix UNSOLICITED:
COMMIT
*mangle
:PREROUTING ACCEPT [1471:303908]
:INPUT ACCEPT [636:240607]
:FORWARD ACCEPT [832:63181]
:OUTPUT ACCEPT [437:39285]
:POSTROUTING ACCEPT [1269:102466]
COMMIT
*nat
:PREROUTING ACCEPT [203:14045]
:POSTROUTING ACCEPT [192:12653]
:OUTPUT ACCEPT [20:1217]
-A PREROUTING -i eth1 -p tcp --syn -s w.x.0.0/16 --dport 8317 -j DNAT --to-destination 10.0.0.9:443
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
Thank you so much for your help.

Pascal Hambourg (Guest)
Posted: Fri Aug 22, 2008 7:57 pm
Hello,
ynotssor wrote:
Quote:
*filter
:FORWARD ACCEPT [0:0]
How can you say you are concerned with security? That ruleset does not
do any filtering on forwarded traffic!
Quote: -A INPUT -i eth1 -p tcp --syn -s w.x.0.0/16 --dport 8317 -m state --state
As already said, this rule is totally useless. Forwarded traffic doesn't
go through the INPUT chain.
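Putting Pascal's and Harry's point (filter in FORWARD, not INPUT, and do it statefully) together with Felix's two corrections (-p tcp before --dport; match the external address rather than 10.0.0.9 in PREROUTING), here is an added example that is not from the thread or any of its posters: a shell script that emits a complete iptables-restore ruleset for the setup and lints it for the option ordering that produced the "Unknown arg `--dport'" error. The interface names and the 10.0.0.9:443 target are the thread's; the external address 203.0.113.126 and the allowed range 198.51.0.0/16 are RFC 5737 placeholders standing in for a.b.c.126 and w.x.0.0/16; gen_ruleset and lint_ruleset are names chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates a complete iptables-restore
# ruleset for the setup discussed (DNAT external tcp/8317 to an internal HTTPS
# host, only from one source range) and lints it for the option-order mistake
# that made iptables-restore 1.3.5 fail with "Unknown arg `--dport'".
# Addresses other than 10.0.0.9 are RFC 5737 placeholders (assumptions).

# gen_ruleset EXT_IF INT_IF ALLOWED_NET EXT_ADDR EXT_PORT INT_HOST INT_PORT
gen_ruleset() {
  ext_if=$1; int_if=$2; allowed_net=$3; ext_addr=$4; ext_port=$5
  int_host=$6; int_port=$7
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# PREROUTING sees the packet before translation, so the destination to match
# is the external address; matching -d $int_host here would never succeed.
# "-p tcp" precedes "--dport": the port options belong to the tcp match.
-A PREROUTING -i $ext_if -p tcp -s $allowed_net -d $ext_addr --dport $ext_port -j DNAT --to-destination $int_host:$int_port
-A POSTROUTING -o $ext_if -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $int_if -j ACCEPT
-A INPUT -i $ext_if -m state --state NEW -j LOG --log-level 7 --log-prefix "UNSOLICITED:"
# Forwarded packets never traverse INPUT. They are filtered here, after DNAT,
# so the destination is already the internal host and port. A DROP policy
# plus an explicit RELATED,ESTABLISHED rule is what makes the FORWARD chain
# stateful instead of wide open.
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $ext_if -o $int_if -p tcp -s $allowed_net -d $int_host --dport $int_port -m state --state NEW -j ACCEPT
-A FORWARD -i $int_if -o $ext_if -m state --state NEW -j ACCEPT
-A FORWARD -i $ext_if -m state --state NEW -j LOG --log-level 7 --log-prefix "UNSOLICITED-FWD:"
COMMIT
EOF
}

# lint_ruleset: read a ruleset on stdin; exit 1 if any -A line uses a
# protocol-specific option (--dport, --sport, --syn) before -p has been given,
# which is exactly the ordering iptables-restore rejects.
lint_ruleset() {
  awk '
    /^-A/ {
      proto_seen = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "-p" || $i == "--protocol") proto_seen = 1
        else if (($i == "--dport" || $i == "--sport" || $i == "--syn") && !proto_seen) {
          printf "line %d: %s appears before -p: %s\n", NR, $i, $0
          bad = 1
        }
      }
    }
    END { exit (bad ? 1 : 0) }
  '
}

# Stand-alone run: print the ruleset only if it lints clean. Apply with
# "iptables-restore < file" after reviewing it.
rules=$(gen_ruleset eth1 eth0 198.51.0.0/16 203.0.113.126 8317 10.0.0.9 443)
printf '%s\n' "$rules" | lint_ruleset && printf '%s\n' "$rules"
```

The generated ruleset relies on -m state --state NEW rather than --syn, in line with Pascal's later remark that the state match is cheap and --syn says nothing about connection state. Because the FORWARD policy is now DROP, the LAN keeps its outbound access only through the eth0-to-eth1 NEW rule, which the thread's original ACCEPT policy never needed.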

Pascal Hambourg (Guest)
Posted: Fri Aug 22, 2008 8:01 pm
harry.potter at (no spam) fredastaire.ch wrote:
Quote:
If I understood the question right, 10.0.0.9 isn't on the firewall
itself. So you probably want:
-A FORWARD -i eth1 -s x.y.0.0/16 -d 10.0.0.9/32 -p tcp --dport 443 -m state --state NEW -j ACCEPT
This is not needed, as the FORWARD chain is already wide open...
Besides, this rule alone would not be enough because there are no
provisions to allow ESTABLISHED traffic in the FORWARD chain anyway.
Quote: -A PREROUTING -i eth1 -s w.x.0.0/16 --dport 8317 -j DNAT --to-destination 10.0.0.9:443
Just a small improvement, but accurateness adds security.
-A PREROUTING -i eth1 -s x.y.0.0/16 -d a.b.c.d/32 -p tcp --dport 8317 -j DNAT --to-destination 10.0.0.9:443
What kind of real security does it add?

Pascal Hambourg (Guest)
Posted: Fri Aug 22, 2008 8:12 pm
Felix Tiede wrote:
Quote: harry.potter at (no spam) fredastaire.ch wrote:
On a side note: I guess this is about HTTPS on TCP, so you could add "-p
tcp --syn" to both rules right behind "--dport 8317".
Why add --syn? The filter rule is stateful.
--syn has nothing to do with connection state. Don't assume --syn = NEW.
--syn checks the flags in the TCP header. '-m state' checks the state
that was assigned to the packet by the connection tracking.
Quote: Stateful inspection costs time by checking tables. --syn is information the
packet already carries with itself and by checking it first unwanted
traffic will be filtered before costly stateful inspection - that is, if
order of checking (and not checking any more after the first failure) is as
specified on the command line...
You're mistaken. The stateful inspection happens anyway when the
conntrack module is loaded, usually by creating a rule containing
state-related matches or targets or NAT. The 'state' match adds very
little cost, it just checks what state was assigned to the packet. So
use it, abuse it.

jayjwa (Guest)
Posted: Sun Aug 24, 2008 3:42 pm