On Fri, 19 Nov 2004 at 10:31, Jochen Vogel wrote:
> hi,
>
> i have the following forwarding rule
>
> $IPT -A FORWARD -i $INT -o $EXT -m state --state NEW,ESTABLISHED,RELATED -j QUEUE

Here you are sending all this traffic to userspace, I suppose to snort-inline or a similar program. You could use stateless rules because you are sending everything...

> $IPT -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
>

And this rule does nothing, because all the traffic has been sent to userspace and then accepted or dropped, probably.

> if i send an ACK with hping from INT to EXT it reaches the target system
>
> if i do
>
> $IPT -A FORWARD -i $INT -o $EXT -m state --state NEW -j ACCEPTLOG
> $IPT -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT

Here you are logging and accepting all the new connections and accepting all the related connections.

>
> i can see the following
>
> Nov 19 12:05:20 snolin kernel: ACPT IN=eth0 OUT=ppp0 SRC=1.1.1.1 DST=2.2.2.2 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=12368 PROTO=TCP SPT=2618 DPT=63 WINDOW=512 RES=0x00 ACK URGP=0
>

So everything is working as you have configured it.

> did i have a false understanding from NEW or what's wrong
>

I don't know what you want to do exactly.

> thx for help
> jo

--
Jose Maria Lopez Hernandez
Technical Director, bgSEC
jkerouac@xxxxxxxxx
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
Spain

The only people for me are the mad ones -- the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones who never yawn or say a commonplace thing, but burn, burn, burn like fabulous yellow Roman candles. -- Jack Kerouac, "On the Road"
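As an added example that is not part of the thread: a small script that scans ACCEPTLOG output (the "ACPT" prefix and field names are taken from the log line above; the sample lines are constructed) for TCP packets that matched "--state NEW" without a SYN flag, which is exactly what a bare hping ACK looks like when conntrack's default mid-stream pickup (nf_conntrack_tcp_loose=1) creates a NEW entry for it. It needs only sh, grep and sed, not a running iptables.

```shell
#!/bin/sh
# Added example, not from the thread. Conntrack with nf_conntrack_tcp_loose=1
# (the default) treats a mid-stream packet such as a lone ACK as NEW, so a
# "--state NEW -j ACCEPTLOG" rule accepts it. The usual guard is to put
#   $IPT -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
# before that rule. The script below finds such accepts in the log.
# Constructed sample LOG lines (first one copied from the thread):
LOG_SAMPLES='Nov 19 12:05:20 snolin kernel: ACPT IN=eth0 OUT=ppp0 SRC=1.1.1.1 DST=2.2.2.2 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=12368 PROTO=TCP SPT=2618 DPT=63 WINDOW=512 RES=0x00 ACK URGP=0
Nov 19 12:05:21 snolin kernel: ACPT IN=eth0 OUT=ppp0 SRC=1.1.1.1 DST=2.2.2.2 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12369 PROTO=TCP SPT=2619 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 19 12:05:22 snolin kernel: ACPT IN=eth0 OUT=ppp0 SRC=1.1.1.1 DST=2.2.2.2 LEN=56 TOS=0x00 PREC=0x00 TTL=63 ID=12370 PROTO=UDP SPT=1024 DPT=53 LEN=36'

# field NAME LINE: value of the "NAME=value" token in a LOG line.
field() {
    printf '%s\n' "$2" | sed -n "s/.* $1=\([^ ]*\).*/\1/p"
}

# tcp_flags LINE: the flag words LOG prints between RES= and URGP= ("ACK", "SYN", ...).
tcp_flags() {
    printf '%s\n' "$1" | sed -n 's/.*RES=[^ ]* \(.*\) URGP=.*/\1/p'
}

# non_syn_new: print "SRC:SPT>DST:DPT FLAGS" for every accepted TCP packet
# whose flags do not include SYN, i.e. a NEW match that is not a handshake.
non_syn_new() {
    printf '%s\n' "$LOG_SAMPLES" | grep ' ACPT ' | grep 'PROTO=TCP' |
    while IFS= read -r line; do
        flags=$(tcp_flags "$line")
        case " $flags " in
            *' SYN '*) ;;   # genuine connection start, nothing to report
            *) printf '%s:%s>%s:%s %s\n' "$(field SRC "$line")" \
                 "$(field SPT "$line")" "$(field DST "$line")" \
                 "$(field DPT "$line")" "$flags" ;;
        esac
    done
}

non_syn_new
```

Run against a real kernel log by replacing LOG_SAMPLES with the file contents; only the ACCEPTLOG prefix must match.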