We have a Linux NAT firewall in our office using a 2.4 kernel and iptables. All chains have DROP default policies.

From what I read in the iptables docs, a packet traverses only one chain when it reaches the box: it's only either the INPUT, OUTPUT, or FORWARD chain [default]. So what I did was to set the INPUT chain in such a way that the box itself couldn't surf the web. Same with the OUTPUT chain. Only the FORWARD chain (i.e. transactions between the internet and the internal network) is set to be able to do surfing and other regular internet activities.

What puzzles me is that in the logfiles, iptables seems to pick up on its INPUT chain packets from the internet coming from port 80, from legitimate hosts such as www.google.com, www.ateneo.net, Lycos, ... This happens sporadically, and doesn't seem to affect anything on the internal network (we can surf the web, download, etc.). But I am concerned whether the circumstance mentioned above causes a slowdown in internet access.

Is this normal? Since only the workstations from the internal network surf the web, iptables would be able to determine that the www responses belong to the FORWARD chain, not to the INPUT chain. The only explanation I could think of is if the www server itself tries to initiate a connection (SYN?) to our box.

Of course, I might just have missed something really important...

Sorry about the longer than usual post, and thanks!

Joon
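The question above turns on telling two kinds of port-80 packets apart in the INPUT log: a server genuinely opening a connection to the firewall (a bare SYN, which is what the post speculates) versus a late reply (ACK, FIN or RST from source port 80) for a workstation connection that netfilter no longer tracks. In the 2.4 netfilter design a packet with no matching connection-tracking entry cannot be reverse-NATed, so it is routed to the firewall itself and hits INPUT rather than FORWARD; such stragglers are harmless to drop. The script below is an added example written for this page, not code from the original post or from the netfilter project. It parses lines in the format the iptables LOG target writes to the kernel log and classifies them; the log lines, the addresses, the ports and the "INPUT-DROP:" prefix are all constructed for the example.

```python
"""Classify packets that a 2.4-era iptables LOG target reported on the INPUT chain.

The log lines below are constructed for this example in the format the
iptables LOG target writes to the kernel log; the addresses, ports and the
"INPUT-DROP:" prefix are assumptions, not values from the original post.
"""
import re
from collections import Counter

# Constructed sample lines (not real traffic). Flag tokens such as ACK, FIN,
# RST and SYN appear bare between RES= and URGP= in the LOG target output.
SAMPLE_LOG = """\
Jan 12 10:15:32 fw kernel: INPUT-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=3421 WINDOW=0 RES=0x00 ACK RST URGP=0
Jan 12 10:15:40 fw kernel: INPUT-DROP: IN=eth0 OUT= SRC=192.0.2.20 DST=203.0.113.5 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=9188 DF PROTO=TCP SPT=80 DPT=3509 WINDOW=8760 RES=0x00 ACK FIN URGP=0
Jan 12 10:16:01 fw kernel: INPUT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=22011 DF PROTO=TCP SPT=41022 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 10:16:15 fw kernel: INPUT-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=78 TOS=0x00 PREC=0x00 TTL=60 ID=3 PROTO=UDP SPT=53 DPT=1027 LEN=58
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Return the key=value fields of one LOG line plus the set of TCP flags."""
    fields = dict(KV_RE.findall(line))
    # Everything after "kernel: " is the packet record; bare uppercase words
    # in it that are not part of a key=value pair are the TCP flag tokens.
    record = line.split("kernel: ", 1)[-1]
    tokens = [t for t in record.split() if "=" not in t]
    fields["FLAGS"] = frozenset(t for t in tokens if t in TCP_FLAGS)
    return fields


def classify(fields):
    """Say why a packet may have landed on INPUT rather than FORWARD.

    SYN without ACK is a fresh inbound connection attempt (what the post
    speculates). A reply from a server port (SPT=80) carrying ACK/FIN/RST but
    no SYN is a straggler for a connection the NAT box no longer tracks, so
    it cannot be reverse-NATed and is delivered to the firewall itself.
    """
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    flags = fields["FLAGS"]
    if "SYN" in flags and "ACK" not in flags:
        return "inbound-connection-attempt"
    if fields.get("SPT") == "80" and flags & {"ACK", "FIN", "RST"}:
        return "stale-reply-untracked-connection"
    return "other-tcp"


def summarize(log_text):
    """Count classifications over a block of log text."""
    counts = Counter()
    for line in log_text.splitlines():
        if "PROTO=" not in line:
            continue
        counts[classify(parse_log_line(line))] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        f = parse_log_line(line)
        print(f"{f['SRC']}:{f.get('SPT')} -> {f['DST']}:{f.get('DPT')} "
              f"{' '.join(sorted(f['FLAGS'])) or '-'}  => {classify(f)}")
    print(summarize(SAMPLE_LOG))
```

Run against a real kernel log, a high count of "stale-reply-untracked-connection" with no "inbound-connection-attempt" entries means the INPUT drops are leftovers of finished or timed-out web sessions, not servers reaching back to the firewall; only the SYN class would warrant a closer look at the source hosts.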
