On Tue, April 25, 2006 10:45, THIEBAUD Christophe ROSI/DPS wrote:

> Hi,
>
> I have a question about using NetFilter.
>
> Here is a part of my configuration:
> ...
> iptables -A INPUT -m state --state NEW -j LOG --log-prefix "NEW SSH : "

Your logging rule is wrong. This is not NEW SSH. This is NEW SSH:

    $ipt -A INPUT -m state --state NEW -p tcp --dport 22 \
        -j LOG --log-prefix "NEW SSH : "

> iptables -A INPUT -m state --state ESTABLISHED -j LOG --log-prefix
> "ESTABLISHED SSH : "

This rule is not ESTABLISHED SSH. Add "-p tcp --dport 22" to the rule.

> iptables -A INPUT -d $IPADDR_ADMIN -p tcp --dport 22 -m state --state
> NEW,ESTABLISHED -j ACCEPT

What is $IPADDR_ADMIN ?

> iptables -A OUTPUT -s $IPADDR_ADMIN -p tcp --sport
> 22 -m state --state ESTABLISHED -j ACCEPT
> ...

What is $IPADDR_ADMIN ? IF $IPADDR_ADMIN is the IP address of your admin workstation, you have reversed the -d and -s parameters in both rules above.

> When I send this kind of packet (with the Ftester tools):
>
> 1 - 10.170.225.0:1025 > 10.64.19.212:22 AP TCP 0
>
> I have this trace:
>
> Apr 25 09:46:39 unzs148 kernel: NEW SSH input : IN=eth0 OUT=
> MAC=00:0d:60:9a:30:9a:00:0d:60:d5:1a:f0:08:00 SRC=10.170.225.0
> DST=10.64.19.212 LEN=55 TOS=0x00 PREC=0x00 TTL=200 ID=1 DF PROTO=TCP SPT=1025
> DPT=22 WINDOW=65535 RES=0x00 ACK PSH URGP=0
>
> And the packet has passed the FW !!!
>
> The FW sees the packet as a "new connection" (state NEW), and I have never
> sent a packet with the SYN flag !!!

Your logging will give a false result because it logs MUCH more than (I think) you want to.

And, again, if my presumption is correct, I think you have reversed -d and -s in the INPUT and OUTPUT chain. In the INPUT chain, you want to accept with *source ip* (-s) and in the OUTPUT chain, you want to accept with *destination ip* (-d).

Gr,
Rob
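As an added illustration of Rob's point (this is not code from the thread), the following Python parses kernel LOG lines in the format quoted above and reports when an entry tagged "NEW SSH" is not actually an SSH packet, or was classed NEW without a SYN flag. The first sample line is the one from the post (rejoined from its mail wrapping); the second is a constructed line showing what the unrestricted logging rule also matches.

```python
import re

# Kernel LOG line from the original post, rejoined onto one line.
SAMPLE_LOG = ("Apr 25 09:46:39 unzs148 kernel: NEW SSH input : IN=eth0 OUT= "
              "MAC=00:0d:60:9a:30:9a:00:0d:60:d5:1a:f0:08:00 SRC=10.170.225.0 "
              "DST=10.64.19.212 LEN=55 TOS=0x00 PREC=0x00 TTL=200 ID=1 DF PROTO=TCP "
              "SPT=1025 DPT=22 WINDOW=65535 RES=0x00 ACK PSH URGP=0")

# Constructed line (not from the post): the same prefix on an HTTP SYN, which the
# unrestricted "--state NEW" rule logs just the same.
CONSTRUCTED_LOG = ("Apr 25 09:50:01 unzs148 kernel: NEW SSH input : IN=eth0 OUT= "
                   "MAC=00:0d:60:9a:30:9a:00:0d:60:d5:1a:f0:08:00 SRC=10.170.225.7 "
                   "DST=10.64.19.212 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF "
                   "PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0")

TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}


def parse_log_line(line):
    """Split a netfilter LOG line into its prefix, KEY=value fields and TCP flags."""
    m = re.search(r"kernel: (?P<prefix>.*?)(?=IN=)", line)
    prefix = m.group("prefix").strip() if m else ""
    body = line[m.end():] if m else line
    fields, flags = {}, set()
    for tok in body.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value          # e.g. SRC, DST, SPT, DPT, PROTO
        elif tok in TCP_FLAGS:
            flags.add(tok)               # bare flag names such as ACK PSH
        else:
            fields[tok] = True           # other bare tokens such as DF
    return {"prefix": prefix, "fields": fields, "flags": flags}


def audit_ssh_log(entry):
    """Return the reasons an entry labelled 'NEW SSH' is misleading (empty if none)."""
    f, flags = entry["fields"], entry["flags"]
    problems = []
    if f.get("PROTO") != "TCP" or f.get("DPT") != "22":
        problems.append(f"not SSH: PROTO={f.get('PROTO')} DPT={f.get('DPT')}")
    if "SYN" not in flags:
        problems.append(f"NEW state on a packet without SYN: flags={sorted(flags)}")
    return problems


if __name__ == "__main__":
    for line in (SAMPLE_LOG, CONSTRUCTED_LOG):
        entry = parse_log_line(line)
        print(entry["prefix"], entry["fields"]["SRC"], "->",
              entry["fields"]["DPT"], audit_ssh_log(entry) or "ok")
```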