On Tue, 22 Jun 2010, ratheesh k wrote:

> >> On Tue, Jun 22, 2010 at 5:21 PM, Jozsef Kadlecsik
> >> <kadlec@xxxxxxxxxxxxxxxxx> wrote:
> > You allow clients on the LAN to connect outside and enable bidirectional
> > connections. After that any side of the connection can issue correct H.323
> > protocol commands and trigger expectations in any direction.
>
> Could you please explain in detail? How do tcp+syn packets come from the
> wan side and hit ip_conntrack_in()?

You have got these rules:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i lan0 -o wan0 -j ACCEPT
iptables -A FORWARD -j DROP

which I break up into the following ones:

1. iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
2. iptables -A FORWARD -m state --state RELATED -j ACCEPT
3. iptables -A FORWARD -i lan0 -o wan0 -j ACCEPT
4. iptables -A FORWARD -j DROP

plus an application helper loaded in, in this example FTP:

- your client sends a SYN packet to an FTP server: allowed by rule 3.
- server answers: allowed by rule 1.
- client-server connection goes on: allowed by rule 1.
- client wants to initiate an active FTP connection: allowed by rule 1
  - and intercepted by the FTP helper, which creates an expectation:
  connection initiated from the server to the client
- server sends the SYN packet of the active connection (from wan to lan):
  allowed by rule 2.
- client answers it: allowed by rule 1.
- ...

Technically the same happens with H.323, except that it is a more
complex protocol.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
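The walk-through in the reply above, replayed in a small Python model of the four rules, the conntrack states and an FTP helper that turns a PORT command into an expectation (added example, not code from the mail or from netfilter; the addresses, ports and the interface names lan0/wan0 are constructed). It goes one step past the mail by also feeding in a WAN-side SYN that no helper expected, which falls through to rule 4.

```python
from collections import namedtuple
# src/dst are "ip:port"; payload is FTP control data the helper may inspect
Packet = namedtuple("Packet", "src dst in_if out_if payload", defaults=("",))

class Conntrack:
    def __init__(self):
        self.flows = set()         # confirmed connections, stored as endpoint pairs
        self.expectations = set()  # (initiator ip, responder "ip:port") created by a helper
    def state(self, pkt):
        if frozenset((pkt.src, pkt.dst)) in self.flows:
            return "ESTABLISHED"
        if (pkt.src.split(":")[0], pkt.dst) in self.expectations:
            return "RELATED"
        return "NEW"
    def ftp_helper(self, pkt):
        # "PORT h1,h2,h3,h4,p1,p2" announces where the client listens for the data
        # connection; the helper expects the server to connect there (active FTP).
        if pkt.payload.startswith("PORT "):
            h1, h2, h3, h4, p1, p2 = (int(x) for x in pkt.payload[5:].split(","))
            self.expectations.add((pkt.dst.split(":")[0], f"{h1}.{h2}.{h3}.{h4}:{p1 * 256 + p2}"))

RULES = [  # the four rules the mail breaks the original chain into
    (1, lambda p, s: s == "ESTABLISHED", "ACCEPT"),
    (2, lambda p, s: s == "RELATED", "ACCEPT"),
    (3, lambda p, s: p.in_if == "lan0" and p.out_if == "wan0", "ACCEPT"),
    (4, lambda p, s: True, "DROP"),
]

def forward(ct, pkt):
    """Walk the FORWARD chain; return (matching rule number, verdict)."""
    state = ct.state(pkt)
    for num, match, verdict in RULES:
        if not match(pkt, state):
            continue
        if verdict == "ACCEPT":  # conntrack confirms only packets the filter accepts
            ct.flows.add(frozenset((pkt.src, pkt.dst)))
            ct.expectations.discard((pkt.src.split(":")[0], pkt.dst))  # expectation consumed
            ct.ftp_helper(pkt)
        return num, verdict

CLIENT, SERVER = "192.0.2.10", "198.51.100.5"  # constructed LAN client / WAN FTP server

def replay_active_ftp():
    """Replay the sequence from the mail, plus one unsolicited SYN from the WAN."""
    ct = Conntrack()
    steps = [
        Packet(f"{CLIENT}:40001", f"{SERVER}:21", "lan0", "wan0"),  # client SYN
        Packet(f"{SERVER}:21", f"{CLIENT}:40001", "wan0", "lan0"),  # server answers
        Packet(f"{CLIENT}:40001", f"{SERVER}:21", "lan0", "wan0", "PORT 192,0,2,10,156,66"),
        Packet(f"{SERVER}:20", f"{CLIENT}:40002", "wan0", "lan0"),  # expected data SYN
        Packet(f"{CLIENT}:40002", f"{SERVER}:20", "lan0", "wan0"),  # client answers
        Packet(f"{SERVER}:20", f"{CLIENT}:40003", "wan0", "lan0"),  # nothing expected it
    ]
    return [forward(ct, p) for p in steps]
```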