Re: Is this firewall good enough?

On Tuesday 08 June 2004 4:03 pm, Feizhou wrote:

> Antony Stone wrote:
> > On Tuesday 08 June 2004 10:42 am, Feizhou wrote:
> >>>2.  /sbin/iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
> >>
> >>Forget about this. It makes things easier, yes, but it is too slow if you
> >>come under attack...but then you put everything on one box seemingly, so I
> >>guess you don't get much traffic.
> >
> > How do you recommend dealing with reply packets instead?
>
> I would create multiple chains
>
> iptables -N tcp_packets and so on.
>
> So to avoid loading the connection tracking module, I would put rules to
> handle return packets in the proper chain.
>
> eg: iptables -A tcp_packets -p tcp --sport 1024:65535 --dport 80 -j ACCEPT

That rule allows packets *to* port 80 - I was asking how you deal with *reply* 
packets - the ones *from* port 80 on the remote server.

> Then I put tcp/udp/icmp packets to the proper chain
>
> eg: iptables -A INPUT -p tcp -j tcp_packets
>
> You could make a catch all for return packets like:
>
> iptables -A INPUT -p tcp ! --syn -j ACCEPT

You seem to be advocating not using the ESTABLISHED,RELATED match - which 
would render the firewall stateless (like ipchains) instead of stateful. 
That seems a backwards step to me - or have I misunderstood something?

Regards,

Antony.

-- 
In Heaven, the police are British, the chefs are Italian, the beer is Belgian, 
the mechanics are German, the lovers are French, the entertainment is 
American, and everything is organised by the Swiss.

In Hell, the police are German, the chefs are British, the beer is American, 
the mechanics are French, the lovers are Swiss, the entertainment is Belgian, 
and everything is organised by the Italians.

                                                     Please reply to the list;
                                                           please don't CC me.
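The difference Antony is pointing at, as an added example that is not part of the post: a toy model of the `! --syn` catch-all next to a minimal connection table standing in for `--state ESTABLISHED`. Addresses, ports and packet flags are constructed for the demonstration.

```python
"""Toy comparison of stateless (`! --syn`) and stateful reply-packet acceptance."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """A TCP segment as seen by the INPUT chain (constructed for this demo)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


def stateless_verdict(pkt: Pkt) -> str:
    """Mirror `-p tcp ! --syn -j ACCEPT`.

    `--syn` matches SYN set with ACK, RST and FIN clear; the negated form
    therefore accepts every other segment, solicited or not.
    """
    is_syn = "SYN" in pkt.flags and not (pkt.flags & {"ACK", "RST", "FIN"})
    return "CONTINUE" if is_syn else "ACCEPT"


class ConnTracker:
    """Minimal stand-in for the conntrack table behind `--state ESTABLISHED`."""

    def __init__(self) -> None:
        self.table: dict = {}

    def note_outbound(self, pkt: Pkt) -> None:
        # A segment we originate creates a NEW entry keyed on its 4-tuple.
        self.table[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = "NEW"

    def stateful_verdict(self, pkt: Pkt) -> str:
        """Accept only if the reversed tuple is already in the table."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table:
            self.table[key] = "ESTABLISHED"
            return "ACCEPT"
        return "CONTINUE"  # no known connection: fall through to later rules


def compare(outbound: list, inbound: list) -> list:
    """Return (stateless, stateful) verdicts for each inbound segment."""
    ct = ConnTracker()
    for p in outbound:
        ct.note_outbound(p)
    return [(stateless_verdict(p), ct.stateful_verdict(p)) for p in inbound]


# Constructed traffic: one genuine web request/reply pair, plus an
# unsolicited ACK-only segment from a host this firewall never contacted.
FW, WEB, OTHER = "192.0.2.10", "198.51.100.80", "203.0.113.5"
OUTBOUND = [Pkt(FW, 40000, WEB, 80, frozenset({"SYN"}))]
INBOUND = [
    Pkt(WEB, 80, FW, 40000, frozenset({"SYN", "ACK"})),  # real reply
    Pkt(OTHER, 80, FW, 40001, frozenset({"ACK"})),       # nobody asked
]
```

The second row of `compare(OUTBOUND, INBOUND)` is where the two approaches part ways: the stateless rule accepts the unsolicited segment, the connection table does not.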
