On Friday 2008-04-04 09:32, Bhaskar wrote:
> I have been thinking about this question. The obvious answer I got is that an SPI firewall understands the states of the packet flow.
Security Parameter Index
Single Packet Inspection
Stateless Packet Inspection
Stateful Packet Inspection
... FWIW PCMCIA!</sarcasm>

(I have no joy figuring out what all your acronyms, SPI and NW, mean.)
> 1. iptables -A FORWARD -i eth0 -o eth1 -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT
> 2. iptables -A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 53 -j ACCEPT
> 3. iptables -A FORWARD -j LOG --log-prefix "Dropping Other Packets:"
> 4. iptables -A FORWARD -j DROP
>
> 1. iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>
> The intention is to allow HTTP traffic to the internal network. With the above setup I am not able to browse from a PC connected in the protected NW.
That is because -- despite the connection "association" being active -- you only allow http from eth0->eth1 but not the reverse direction.
> After analyzing the logs I added another 2 policies above policy number 3:
>
> iptables -A FORWARD -i eth1 -o eth0 -p tcp -m state --state NEW,ESTABLISHED --sport 80 -j ACCEPT
> iptables -A FORWARD -i eth1 -o eth0 -p udp -m udp --sport 53 -j ACCEPT
>
> After adding these policies I am able to browse. AFAIK, once an association is created (the first time a packet passes through netfilter), the associated traffic would flow and policies are not parsed for the verdict.
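As an added example, not code from the thread: the same policy with the reverse-direction gap closed by one ESTABLISHED,RELATED rule, which admits replies to flows the protected network opened and drops the NEW --sport 80 rule that would also let an outside host open a connection simply by sending from source port 80. Assumed from the post: eth0 faces the protected network and eth1 the Internet; IPT, LAN_IF and WAN_IF are variables introduced here.

```shell
# Added example, not code from the thread. Bhaskar's policy rewritten so the
# return path is admitted by conntrack state rather than by a --sport 80 NEW rule.
# Assumed from the post: eth0 faces the protected network, eth1 the Internet.
# IPT defaults to "echo iptables" so the rules can be reviewed without root;
# run with IPT=iptables (as root) to apply them.
IPT="${IPT:-echo iptables}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"

stateful_ruleset() {
    # Flush FORWARD so the script can be re-run.
    $IPT -F FORWARD
    # Packets conntrack cannot place in any flow are dropped first.
    $IPT -A FORWARD -m state --state INVALID -j DROP
    # One rule admits every later packet of a permitted flow in both
    # directions (HTTP replies, DNS replies, RELATED ICMP errors). No NEW
    # here, so nothing arriving on eth1 can open a flow by using source port 80.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only the first packet of an outbound flow has to match a port.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p udp --dport 53 -m state --state NEW -j ACCEPT
    # Everything else is logged, then dropped, as in the original policy.
    $IPT -A FORWARD -j LOG --log-prefix "Dropping Other Packets:"
    $IPT -A FORWARD -j DROP
    # Source NAT for the protected network on the Internet side.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Sanity check on the emitted rules: no rule may accept NEW flows that arrive
# on the Internet interface. Prints the number of offending rules (0 is good).
inbound_new_rules() {
    stateful_ruleset | grep -- "-i $WAN_IF" | grep -c 'NEW' || true
}

stateful_ruleset
```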
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html