On Tue, Jun 22, 2010 at 6:30 PM, Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> wrote:
>
> Technically the same happens with H.323, except that that is a more
> complex protocol.
>

This is perfectly fine. Suppose the FTP client is on the WAN side and wants to establish a connection to a server sitting on the LAN side. What will happen? This is my question. Will this work in the case of H.323?

Thanks,
ratheesh

On Tue, Jun 22, 2010 at 6:30 PM, Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> wrote:
> On Tue, 22 Jun 2010, ratheesh k wrote:
>
>> On Tue, Jun 22, 2010 at 5:21 PM, Jozsef Kadlecsik
>> <kadlec@xxxxxxxxxxxxxxxxx> wrote:
>> > You allow clients on the LAN to connect outside and enable bidirectional
>> > connections. After that any side of the connection can issue correct H.323
>> > protocol commands and trigger expectations in any direction.
>>
>> Could you please explain in detail? How do TCP SYN packets come from the
>> WAN side and hit ip_conntrack_in()?
>
> You have got these rules:
>
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i lan0 -o wan0 -j ACCEPT
> iptables -A FORWARD -j DROP
>
> which I break up into the following ones:
>
> 1. iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
> 2. iptables -A FORWARD -m state --state RELATED -j ACCEPT
> 3. iptables -A FORWARD -i lan0 -o wan0 -j ACCEPT
> 4. iptables -A FORWARD -j DROP
>
> plus an application helper loaded in, in this example FTP:
>
> - your client sends a SYN packet to an FTP server: allowed by rule 3.
> - server answers: allowed by rule 1.
> - client-server connection goes on: allowed by rule 1.
> - client wants to initiate an active FTP connection: allowed by rule 1
>   and intercepted by the FTP helper, which creates an expectation:
>   connection initiated from the server to the client
> - server sends the SYN packet of the active connection (from wan to lan):
>   allowed by rule 2.
> - client answers it: allowed by rule 1.
> - ...
>
> Technically the same happens with H.323, except that that is a more
> complex protocol.
>
> Best regards,
> Jozsef
> -
> E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address : KFKI Research Institute for Particle and Nuclear Physics
> H-1525 Budapest 114, POB. 49, Hungary
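The rule walk Jozsef describes, and the scenario ratheesh asks about (an FTP client on the WAN side opening a connection to a server on the LAN side), modelled as a small simulation. This is an added example, not code from the thread, from iptables or from the kernel's nf_conntrack: connection tracking is reduced to a set of known flows plus helper expectations, the FTP helper only understands a constructed PORT command (real nf_conntrack_ftp also handles PASV/EPSV and more), and the addresses, ports and interface names are made up for the illustration. Each packet is pushed through the four broken-up FORWARD rules and the number of the deciding rule is returned.

```python
"""Toy model of the stateful FORWARD chain with an FTP helper (added example).

Simplifications vs. real nf_conntrack: no NEW/ESTABLISHED distinction per
direction, an expectation is a plain (src, dst, dport) tuple, and only the
active-mode PORT command is parsed. Addresses are documentation ranges.
"""
from dataclasses import dataclass
import re

LAN, WAN = "lan0", "wan0"   # assumed interface names, as in the quoted rules


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    in_if: str
    out_if: str
    payload: str = ""       # constructed application data, e.g. an FTP PORT line


class Conntrack:
    """Minimal tracker: accepted flows plus expectations created by helpers."""

    def __init__(self):
        self.flows = set()          # (src, sport, dst, dport) of accepted flows
        self.expectations = set()   # (src, dst, dport) a helper expects to see

    @staticmethod
    def _tuple(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.dst, p.dport, p.src, p.sport)

    def state(self, p):
        """What '-m state' would see for this packet."""
        if self._tuple(p) in self.flows or self._reverse(p) in self.flows:
            return "ESTABLISHED"
        if (p.src, p.dst, p.dport) in self.expectations:
            return "RELATED"
        return "NEW"

    def confirm(self, p):
        """Record an accepted packet's flow and consume a matched expectation."""
        self.expectations.discard((p.src, p.dst, p.dport))
        if self._reverse(p) not in self.flows:
            self.flows.add(self._tuple(p))


PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def ftp_helper(ct, p):
    """On an accepted control-channel packet, turn a PORT command into an
    expectation for the data connection the server will open back."""
    m = PORT_RE.match(p.payload)
    if m and p.dport == 21:
        host = ".".join(m.group(i) for i in range(1, 5))
        port = int(m.group(5)) * 256 + int(m.group(6))
        ct.expectations.add((p.dst, host, port))   # server -> client:port


def forward(ct, p):
    """Walk rules 1-4 from the thread; return the number of the deciding rule."""
    st = ct.state(p)
    if st == "ESTABLISHED":
        verdict = 1
    elif st == "RELATED":
        verdict = 2
    elif p.in_if == LAN and p.out_if == WAN:
        verdict = 3
    else:
        return 4                     # rule 4: DROP, nothing is tracked
    ct.confirm(p)
    ftp_helper(ct, p)
    return verdict


def active_ftp_from_lan():
    """LAN client 192.168.1.10 talks to WAN FTP server 203.0.113.5, active mode."""
    ct = Conntrack()
    c, s = "192.168.1.10", "203.0.113.5"
    steps = [
        Packet(c, s, 40000, 21, LAN, WAN),                           # client SYN
        Packet(s, c, 21, 40000, WAN, LAN),                           # server SYN/ACK
        Packet(c, s, 40000, 21, LAN, WAN, "PORT 192,168,1,10,156,65"),  # 156*256+65 = 40001
        Packet(s, c, 20, 40001, WAN, LAN),                           # server opens data conn
        Packet(c, s, 40001, 20, LAN, WAN),                           # client answers it
    ]
    return [forward(ct, p) for p in steps]


def ftp_from_wan_to_lan_server():
    """ratheesh's case: a WAN client sends the first SYN to an FTP server on the LAN."""
    ct = Conntrack()
    p = Packet("198.51.100.7", "192.168.1.20", 51000, 21, WAN, LAN)
    return forward(ct, p)


if __name__ == "__main__":
    print("active FTP from LAN, deciding rules:", active_ftp_from_lan())
    print("FTP from WAN to LAN server, deciding rule:", ftp_from_wan_to_lan_server())
```

The LAN-initiated session yields rules 3, 1, 1, 2, 1, matching the walk in the reply: the server's SYN from the WAN side is only let in because the helper created an expectation from the PORT command. The WAN-initiated session hits rule 4, because no flow and no expectation exist and the packet is not lan0 to wan0; an expectation only ever comes from a connection that was already allowed through, which is also why the helper is the thing to watch when the protocol, like H.323, lets either side trigger expectations.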