On 21-May-13 17:07, Nick Khamis wrote:
We recently moved our stateful firewall inside, and would like to strip down the firewall at our router connected to the outside world. The problem I am experiencing is getting things to work properly without connection tracking. I hope I am not in breach of mailing list rules; however, a stripped-down configuration is as follows:
<STRIP OBVIOUS THINGS I.E. IPTABLES, INTERFACES, LOOPBACK>
#echo -e " - Defined Chains"
$IPTABLES -N TCP
$IPTABLES -N UDP

#echo -e " - Accepting SSH Traffic"
$IPTABLES -A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5 --dport 22 -j ACCEPT
$IPTABLES -A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP

#echo -e " - Accepting input TCP and UDP traffic to open ports"
$IPTABLES -A INPUT -i $INTIF1 -p tcp --syn -j TCP
$IPTABLES -A INPUT -i $INTIF1 -p udp -j UDP

#echo -e " - Accepting output TCP and UDP traffic to open ports"
$IPTABLES -A OUTPUT -o $INTIF1 -p tcp --syn -j TCP
$IPTABLES -A OUTPUT -o $INTIF1 -p udp -j UDP
<STRIP THE REST AND CONSIDER ALL REMAINING DROPPED/REJECTED>
Everything works fine with the REJECT rules commented out, but when they are included SSH access is blocked. Not sure why; isn't the sequence correct (i.e., the ACCEPT entries before the DROP and REJECT)? Also, any pointers or heads-up when going stateless would be greatly appreciated.
I do not understand why you *want* to omit statefulness, but if you do, you have to take care of the corresponding part of IP traffic yourself.

First, you'd better learn something about "3-way handshaking". That's the way a TCP/IP connection is opened. Shortly:

1. client sends to server a TCP/IP packet with the "syn" flag
2. server responds with "syn/ack" flags
3. client sends "ack"

Now look at your rules: you covered only the first part with:

$IPTABLES -A INPUT -i $INTIF1 -p tcp --syn -j TCP

Where is the OUTPUT rule for "syn/ack", and the INPUT rule for "ack"? Nowhere, and because of that you can not open a TCP connection if drop/reject rules are in effect.

But instead of playing with TCP flags I strongly recommend using a stateful firewall, which takes care of this with one simple rule.

Jarry

--
This mailbox accepts e-mails only from selected mailing-lists! Everything else is considered to be spam and therefore deleted.
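The rule set Jarry describes, written out as an added example that is not from either poster: one stateless rule per handshake direction for SSH to 192.168.2.5, beside the stateful form that replaces them. The interface name in INTIF1 is assumed; with IPTABLES left unset the functions only print the commands, so the script can be checked without touching a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread). Default is a dry run that prints the
# iptables commands; run with IPTABLES=iptables to actually apply them.
IPTABLES="${IPTABLES:-echo iptables}"
INTIF1="${INTIF1:-eth1}"      # assumed interface name
SSH_HOST=192.168.2.5          # SSH server from the original script
LAN=192.168.2.0/24            # clients allowed to reach it

# Stateless: every handshake packet needs its own rule, in both directions.
stateless_ssh_rules() {
    # 1. client -> server SYN: the only packet the original script matched
    $IPTABLES -A INPUT  -i "$INTIF1" -p tcp -s "$LAN" -d "$SSH_HOST" --dport 22 \
        --tcp-flags SYN,ACK,FIN,RST SYN -j ACCEPT
    # 2. server -> client SYN/ACK: leaves on OUTPUT and was never allowed
    $IPTABLES -A OUTPUT -o "$INTIF1" -p tcp -s "$SSH_HOST" --sport 22 -d "$LAN" \
        --tcp-flags SYN,ACK SYN,ACK -j ACCEPT
    # 3. client -> server ACK, and every later data packet (SYN clear, ACK set)
    $IPTABLES -A INPUT  -i "$INTIF1" -p tcp -s "$LAN" -d "$SSH_HOST" --dport 22 \
        --tcp-flags SYN,ACK ACK -j ACCEPT
    # server -> client data after the handshake, same flag pattern outbound
    $IPTABLES -A OUTPUT -o "$INTIF1" -p tcp -s "$SSH_HOST" --sport 22 -d "$LAN" \
        --tcp-flags SYN,ACK ACK -j ACCEPT
}

# Stateful: accept only the opening SYN explicitly; conntrack handles the rest.
stateful_ssh_rules() {
    $IPTABLES -A INPUT  -i "$INTIF1" -p tcp -s "$LAN" -d "$SSH_HOST" --dport 22 \
        --syn -m conntrack --ctstate NEW -j ACCEPT
    $IPTABLES -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Number of flag-matching rules a rule function emits (dry-run check helper).
count_flag_rules() { "$1" | grep -c -- '--tcp-flags'; }

# Number of rules that match on conntrack state.
count_state_rules() { "$1" | grep -c -- '--ctstate'; }
```

Without conntrack the third rule accepts any ACK-flagged packet to port 22 from the LAN whether or not a handshake ever happened, which is the main reason Jarry's stateful form is the safer default.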