Re: Another way of doing? --state NEW -j DROP

Anno domini 2008 Sylvan Andrew - NIDS scripsit:

Hi!

> I am sure this might be an easy answer for someone. Could you please
> enlighten me?

Let's see. :)

> I am using the rule below to drop any inbound connections into my .0.3
> Class which by default allows any Outbound connections. Plus if the
> connection is already established then those outside connections are ok
> as well.

> iptables -A INPUT -d 192.168.3.0/24 -m state --state NEW -j DROP

> However I am now using a router that doesn't support the -m state
> --state NEW rule (crappy GUI thing) :-( Could someone please tell me another way using
> iptables to drop any new inbound connections but allow everything else
> outbound and the established connection replies to get back into the .0.3
> Class? What is the most secure/easiest way?

So you have to input all your rules via a GUI which does not accept
'--state NEW', right?
Assuming yes, and that you have caught all '--state ESTABLISHED,RELATED'
packets which are/could be answer packets to outbound connections, how
about just leaving '--state NEW' out and DROP'ing all packets
remaining? Obviously after all rules which should accept things.

Nearby:
 DROP'ing unwanted packets IMO is rather bad behavior as it makes
 debugging (possible) network problems a lot harder. If you just
 REJECT packets you don't want (with an appropriate limit) everybody
 knows he is not welcome. So IMO it would be nicer to use
 '-j REJECT --reject-with icmp-admin-prohibited'.

HTH
Ciao
Max
-- 
	Follow the white penguin.