I sent this e-mail on the firewall list but got no replies, maybe some of the people here on the security lists can offer me some insight?
I would greatly appreciate it, Stef

---------- Forwarded Message ----------
Subject: Question about Netfilter and Connection tracking
Date: Thu, 30 Aug 2001 04:40:35 -0600
From: Stefan Srdic <[EMAIL PROTECTED]>
To: [email protected]

Hey guys,

I'm trying to incorporate connection tracking into my current IPTables script. I have created several user-defined chains to grab datagrams from the INPUT and OUTPUT chains. From there I specifically allow what kind of communication is allowed on an interface and service basis and then jump unwanted communication into a chain which logs and then drops datagrams.

Is connection tracking needed on each individual user-defined chain or would connection tracking only be required on the INPUT chain?

EX:

#!/bin/sh

# External interface name (placeholder value; set it to match your setup)
EXTIFACE="eth0"

# flush all rules and erase all user defined chains on all tables
for t in filter nat mangle; do
    iptables -t $t -F
    iptables -t $t -X
done

# Set the default policies on the filter table.
for p in INPUT FORWARD OUTPUT; do
    iptables -t filter -P $p DROP
done

# Initiate Netfilter connection tracking
iptables -A INPUT -i $EXTIFACE -m state \
    --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i ! $EXTIFACE -m state \
    --state NEW -j ACCEPT
iptables -A INPUT -i $EXTIFACE -m state \
    --state NEW,INVALID -j DROP

# ICMP filters
# create a chain for ICMP datagrams
iptables -N ICMP 2>/dev/null

# Divert all ICMP datagrams on all interfaces into the ICMP chain
iptables -A INPUT --protocol icmp -j ICMP
iptables -A OUTPUT --protocol icmp -j ICMP

# TCP filters
# create a chain for TCP datagrams
iptables -N TCPIN 2>/dev/null

# Divert all TCP datagrams on all interfaces into the TCPIN chain
iptables -A INPUT --protocol tcp -j TCPIN
iptables -A OUTPUT --protocol tcp -j TCPIN

etc, etc......

Let's say that this script was complete, and it provided basic functionality for my network while preventing unwanted communication. Would connection tracking still work after a datagram is passed from INPUT chain to the ICMP or TCP chains?
Thanks, Stef
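An added example, not from Stef's post, of the layout he is asking about: the state match placed inside the user-defined TCPIN chain. Conntrack classifies each packet before any filter chain is traversed, so `-m state` matches in a user-defined chain exactly as it does in INPUT; what matters is that the packet actually reaches the rule. The script is a dry-run generator (IPTABLES defaults to `echo iptables`), and the interface name and the SSH-only service policy are assumptions.

```shell
#!/bin/sh
# Dry-run rule generator: prints the iptables commands instead of applying them.
# Run with IPTABLES=iptables (as root) to load the rules for real.
IPTABLES="${IPTABLES:-echo iptables}"
EXTIFACE="${EXTIFACE:-eth0}"     # assumed external interface name

build_tcp_chain() {
    $IPTABLES -N TCPIN 2>/dev/null
    $IPTABLES -F TCPIN
    # Conntrack state is already attached to the packet when it is jumped here
    # from INPUT, so the state match works inside the user-defined chain.
    $IPTABLES -A TCPIN -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A TCPIN -m state --state INVALID -j DROP
    # Only explicitly allowed NEW connections: SSH from the internal side (assumed policy)
    $IPTABLES -A TCPIN ! -i "$EXTIFACE" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # Everything else is logged, then dropped
    $IPTABLES -A TCPIN -j LOG --log-prefix "TCPIN drop: "
    $IPTABLES -A TCPIN -j DROP
    # Divert inbound TCP into the chain; OUTPUT is not jumped here because
    # the -i match only applies to packets that arrived on an interface.
    $IPTABLES -A INPUT -p tcp -j TCPIN
}

# Number of generated rule lines, useful for a quick sanity check of the dry run
rule_count() {
    build_tcp_chain | grep -c '^iptables '
}

build_tcp_chain
```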

