On Thu, Jun 27, 2002 at 12:14:18AM -0700, Christian Seberino wrote:

> > Reverse nat for replying packets is automatic, therefore replies get
> > destination natted when they come back in.
>
> This scares me. So you are saying that there are "implicit" NAT
> rules for "replying packets" that are immune to iptables DROP rules?!
NO. You filter in the filter table's INPUT, OUTPUT, and FORWARD chains. You can filter ANY packet there. The NAT action (i.e. appropriate modification of IP addresses and ports) is what happens automatically for the reverse direction - and that is absolutely NECESSARY for NAT to work. It's still up to you to filter each packet after modifications have been applied.

> If a packet is part of an ESTABLISHED tcp connection then it
> can bypass an "SSH only" firewall?!??

If you have an indiscriminate ESTABLISHED/ACCEPT rule, and you did permit the creation of the connection in the first place, then yes, that's the case. It's all up to your own ruleset. A packet cannot become part of an ESTABLISHED tcp connection if you do not permit an earlier packet of the same connection to pass.

Please, Christian, tone down a bit, take a walk, take a deep breath, and consider that we are not idiots. You don't yet know the full picture, and painting your horrors onto your half-understanding will just cause stress here, and make you progress more slowly.

Finally, please learn how to do test setups, and try out your suspicions before whining about them publicly. It is very hard to guess from your writing so far what exactly it is that you fear. If you progress by first testing, you can describe your test setup here in detail, and we can respond much more pointedly.

thanks for listening

Patrick
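An added illustration of Patrick's last technical point (not code from the thread or from netfilter): a toy model of the conntrack confirmation step and the "SSH only" INPUT chain. The addresses, ports and the three-rule chain are constructed for the example; the one property it models is that a flow is only recorded as ESTABLISHED after one of its packets was ACCEPTed, so a stray ACK to a port the ruleset never admitted stays NEW and is dropped.

```python
# Constructed model: conntrack state + an "SSH only" filter INPUT chain.
# Ruleset being modelled (in order):
#   -A INPUT -m state --state ESTABLISHED -j ACCEPT
#   -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
#   -P INPUT DROP
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # constructed: "S" = SYN, "A" = ACK without SYN

class ConnTracker:
    """A flow is ESTABLISHED only after a packet of it was ACCEPTed
    (netfilter confirms a conntrack entry after the filter verdict)."""
    def __init__(self):
        self.confirmed = set()

    @staticmethod
    def key(p):
        # both directions of one flow map to the same key
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def state(self, p):
        return "ESTABLISHED" if self.key(p) in self.confirmed else "NEW"

    def confirm(self, p):
        self.confirmed.add(self.key(p))

def input_chain(ct, p, ssh_port=22):
    """Return (conntrack state, verdict) for p under the ruleset above."""
    st = ct.state(p)
    if st == "ESTABLISHED" or (st == "NEW" and p.dport == ssh_port):
        verdict = "ACCEPT"
    else:
        verdict = "DROP"  # chain policy
    if verdict == "ACCEPT":
        ct.confirm(p)     # entry is confirmed only when the packet passes
    return st, verdict

def run_scenarios():
    ct, fw = ConnTracker(), "10.0.0.1"   # constructed firewall address
    return [
        # legitimate SSH: the SYN is NEW and admitted, the ACK is ESTABLISHED
        input_chain(ct, Packet("10.0.0.9", 40000, fw, 22, "S")),
        input_chain(ct, Packet("10.0.0.9", 40000, fw, 22, "A")),
        # stray ACK to port 80: no confirmed flow, so NEW and dropped; still
        # NEW on a second try because the dropped packet confirmed nothing
        input_chain(ct, Packet("10.0.0.9", 40001, fw, 80, "A")),
        input_chain(ct, Packet("10.0.0.9", 40001, fw, 80, "A")),
    ]
```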
