On Wed, Mar 20, 2002 at 07:19:57AM +0100, [EMAIL PROTECTED] wrote:
> hello,
>
> i saw several information about netfilter provided by you.
> i would like to get a netfilter module that implements the "trigger
> ports" that many routers like zyxel implement. that means
> packets going out a nat'ed network to some ranges of ports
> automatically allow the addressed ip addresses to establish
> connections to specified ports of the originally issuing machine/ip.
Hi, this sounds interesting. We're definitely interested in stuff like
this. However, may I suggest one improvement (which is also going to
split development in two easier parts)?

1) implement the functionality for connection tracking (without nat)
2) add nat support later on.

> first, do you know a module that already provides exactly this?

No.

> second, if not, what source (p-o-m) do you know that matches
> the closest to start off? that means has many of the functionalities
> i need, but does not implement exactly what i need.

What you will do is a combination of a conntrack helper (+ nat helper)
with an iptables target. The iptables target (called from the 'mangle'
table) would enable you to use rules like:

iptables -A mangle -m state --state NEW -p tcp --dport 21 -j EXPECT --expect-from-dest-ip --expect-from-port 20

(the above rule would be some very basic ftp conntrack helper).

The target data (-j EXPECT --expect-from-dest-ip --expect-from-port 20)
would be encoded by some libipt_EXPECT.c userspace module.

The ipt_EXPECT.c kernel module would then, as soon as a packet hits the
rule (the rule's target() function is called), call
ip_conntrack_expect_related() with the appropriate tuple/mask.

See ip_conntrack_irc.c for probably the most easy-to-read code which
calls ip_conntrack_expect_related().

> i think such an extension could solve lots of problems regarding
> e.g. real audio etc and firewalling/nat'ing.

yes, but due to lack of protocol parsing it is _very_ insecure.

And: You would not be able to add static mappings. It is one
expectation, for one related connection. So with the above example you
would produce an ftp helper which allows you to download exactly one
file.

However, this could be 'fixed' in a way like leaving the
'-m state --state NEW' out of the iptables command above. Then every
packet would automatically cause ip_conntrack_expect() to be called,
thus creating or overwriting the expectation. It's not nice, but it
works.
> thanks for your help in advance!

Cc'ed to netfilter-devel, maybe somebody else has comments :)

> -gregor-
> GMX - The communication platform on the Internet.

--
Live long and prosper
- Harald Welte / [EMAIL PROTECTED]               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)
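The following is an added user-space model of the expectation mechanism discussed in the mail above; it is not netfilter's code and not the EXPECT target the reply sketches, which never existed in that form. It imitates the tuple-plus-mask idea behind ip_conntrack_expect_related() in plain Python so the three properties Harald points out can be checked offline: one expectation is consumed by exactly one related connection, re-triggering overwrites rather than accumulates, and without protocol parsing the mask has to leave the reply port open (and, without --expect-from-dest-ip, the source host too), which is why he calls it very insecure. All names (Tuple4, Mask, ExpectTable, expect_target, classify) and the addresses are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Tuple4:
    """Flow identifier in the spirit of a conntrack tuple (TCP only in this model)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Mask:
    """Which fields of an expected tuple must match (netfilter uses bit masks; booleans suffice here)."""
    src_ip: bool
    src_port: bool
    dst_ip: bool
    dst_port: bool


def tuple_matches(expected: Tuple4, mask: Mask, actual: Tuple4) -> bool:
    """Field-wise equivalent of (actual & mask) == (expected & mask)."""
    for field in ("src_ip", "src_port", "dst_ip", "dst_port"):
        if getattr(mask, field) and getattr(expected, field) != getattr(actual, field):
            return False
    return True


class ExpectTable:
    """Pending expectations, keyed by the master connection that created them."""

    def __init__(self) -> None:
        self._by_master: Dict[Tuple4, Tuple[Tuple4, Mask]] = {}

    def expect_related(self, master: Tuple4, expected: Tuple4, mask: Mask) -> None:
        # A second call for the same master overwrites the earlier expectation,
        # which is the "creating or overwriting" behaviour described in the mail.
        self._by_master[master] = (expected, mask)

    def lookup_and_consume(self, pkt: Tuple4) -> Optional[Tuple4]:
        """Return the master tuple if pkt fulfils a pending expectation; the expectation is used up."""
        for master, (expected, mask) in list(self._by_master.items()):
            if tuple_matches(expected, mask, pkt):
                del self._by_master[master]
                return master
        return None

    def pending(self) -> int:
        return len(self._by_master)


def expect_target(table: ExpectTable, trigger: Tuple4,
                  expect_from_dest_ip: bool, expect_from_port: int) -> None:
    """Model of the hypothetical EXPECT target: the expected connection comes back
    from the trigger's destination host (if --expect-from-dest-ip) and from a fixed
    source port (--expect-from-port) to the triggering host.  Nothing is parsed out
    of the payload, so the destination port cannot be known and stays unmasked."""
    expected = Tuple4(src_ip=trigger.dst_ip, src_port=expect_from_port,
                      dst_ip=trigger.src_ip, dst_port=0)
    mask = Mask(src_ip=expect_from_dest_ip, src_port=True, dst_ip=True, dst_port=False)
    table.expect_related(trigger, expected, mask)


def classify(table: ExpectTable, pkt: Tuple4) -> str:
    """'RELATED' if the packet matches a pending expectation, otherwise 'NEW'."""
    return "RELATED" if table.lookup_and_consume(pkt) is not None else "NEW"


def ftp_trigger_demo(expect_from_dest_ip: bool = True) -> List[str]:
    """Replays the ftp scenario from the mail on constructed addresses."""
    table = ExpectTable()
    # Constructed: LAN client 10.0.0.5 opens a control connection to server 198.51.100.7:21.
    control = Tuple4("10.0.0.5", 40000, "198.51.100.7", 21)
    expect_target(table, control, expect_from_dest_ip, 20)
    results = []
    # The server's active-mode data connection: RELATED, and it consumes the expectation.
    results.append(classify(table, Tuple4("198.51.100.7", 20, "10.0.0.5", 1234)))
    # A second data connection: NEW, because one expectation covers one related connection.
    results.append(classify(table, Tuple4("198.51.100.7", 20, "10.0.0.5", 1235)))
    # Re-trigger, then an unrelated host connects from source port 20: only the
    # --expect-from-dest-ip mask keeps that out.
    expect_target(table, control, expect_from_dest_ip, 20)
    results.append(classify(table, Tuple4("203.0.113.9", 20, "10.0.0.5", 1234)))
    return results


if __name__ == "__main__":
    print("with --expect-from-dest-ip   :", ftp_trigger_demo(True))
    print("without --expect-from-dest-ip:", ftp_trigger_demo(False))
```

Running it shows ['RELATED', 'NEW', 'NEW'] with the destination-IP mask and ['RELATED', 'NEW', 'RELATED'] without it; in both cases the matched reply may target any port on the client, which is the cost of not parsing the control channel as ip_conntrack_ftp.c does.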