Emmanuel Fleury wrote:
> For example, you can make up the following ruleset:
>
> o DENY SYN from outside -> inside
> o Allow NEW, ESTABLISHED, RELATED
>
>                           +-----------+
> +--------+    +--+        | Hidden Net|
> |Internet|----|FW|--------| w/o NAT   |
> +--------+    +--+        +-----------+
>
> On this configuration, you allow all the computers of your hidden net
> to have their own IP address and you disallow any sort of scan from
> outside. You can even imagine having a web server somewhere in your
> hidden network (you just have to add as first rule that you allow
> all the traffic on port 80 to this precise IP address).
>
> This configuration can't be done with Netfilter because you are doing
> what we could call "connection tracking" and not "stateful inspection".
This configuration can be done just fine with iptables as demonstrated in
my earlier message, but here we go again (but slightly different):

# Allow existing connections
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow hidden net to initiate new connections (including connection pickup)
iptables -A FORWARD -i eth0 -j ACCEPT

# Drop anything else
iptables -A FORWARD -j DROP

And it is a considerably more secure design than your proposed use of NEW
above if you include other protocols than TCP into the mix, plus it has the
added bonus that connection pickup will allow some connections from the
hidden network to be picked up after a reboot.

Note: The external network is NOT allowed to cause connection pickup, only
packets sent by your hidden network will.

Regards
Henrik
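To make the difference between the two rulesets concrete, here is an added Python model (it is not code from Henrik's or Emmanuel's posts, nor Netfilter's own implementation) that replays a few constructed packets through both FORWARD chains over a toy conntrack table, covering the UDP and mid-stream-TCP cases the reply refers to. The interface names (hidden net on eth0, Internet on eth1), the RFC 5737 addresses and the simplified state logic (no RELATED helpers, pickup controlled by a tcp_loose flag) are assumptions made for the illustration.

```python
from dataclasses import dataclass

HIDDEN_IF, EXT_IF = "eth0", "eth1"  # assumed: hidden net behind eth0, Internet on eth1

@dataclass(frozen=True)
class Pkt:
    in_if: str; proto: str; src: str; sport: int; dst: str; dport: int
    syn: bool = False  # TCP SYN-only packet, i.e. a connection open

class Conntrack:
    """Toy conntrack: direction-agnostic flow keys, confirmed only when the packet is accepted."""
    def __init__(self, tcp_loose=True):  # mirrors the nf_conntrack_tcp_loose=1 kernel default
        self.table, self.tcp_loose = set(), tcp_loose
    def _key(self, p):
        return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))
    def state(self, p):
        if self._key(p) in self.table:
            return "ESTABLISHED"
        if p.proto == "tcp" and not p.syn and not self.tcp_loose:
            return "INVALID"
        return "NEW"  # first packet of a flow, whichever side sent it (RELATED not modelled)
    def confirm(self, p):
        self.table.add(self._key(p))

def forward_interface(ct, p):
    """Henrik's chain: ESTABLISHED,RELATED -> ACCEPT; -i eth0 -> ACCEPT; else DROP."""
    if ct.state(p) in ("ESTABLISHED", "RELATED") or p.in_if == HIDDEN_IF:
        ct.confirm(p)
        return "ACCEPT"
    return "DROP"

def forward_deny_syn(ct, p):
    """Emmanuel's ruleset: DENY SYN from outside, then allow NEW,ESTABLISHED,RELATED."""
    if p.in_if == EXT_IF and p.proto == "tcp" and p.syn:
        return "DROP"
    if ct.state(p) in ("NEW", "ESTABLISHED", "RELATED"):
        ct.confirm(p)
        return "ACCEPT"
    return "DROP"

def run(chain):
    """Replay constructed packets (RFC 5737 addresses) through an empty table, as after a reboot."""
    ct = Conntrack()
    return {
        "external SYN":         chain(ct, Pkt(EXT_IF, "tcp", "203.0.113.5", 40000, "192.0.2.10", 22, syn=True)),
        "external UDP probe":   chain(ct, Pkt(EXT_IF, "udp", "203.0.113.5", 40001, "192.0.2.10", 53)),
        "external mid-stream":  chain(ct, Pkt(EXT_IF, "tcp", "203.0.113.5", 40002, "192.0.2.10", 22)),
        "hidden pickup":        chain(ct, Pkt(HIDDEN_IF, "tcp", "192.0.2.10", 50000, "203.0.113.9", 443)),
        "reply to pickup":      chain(ct, Pkt(EXT_IF, "tcp", "203.0.113.9", 443, "192.0.2.10", 50000)),
    }
```

Running run() with each chain shows that both drop the external SYN, but only the interface-based chain also drops the external UDP probe and the external mid-stream ACK, while still letting the hidden host pick up its own connection and receive the reply.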