On Mon, May 14, 2012 at 9:26 AM, Neal Murphy <neal.p.murphy@xxxxxxxxxxxx> wrote: > On Monday 14 May 2012 01:45:21 you wrote: > >> Ok, here they are. I want to allow connections from host 172.24.50.3 >> to one specific network only. > > As written, your rules > 1. Allow all packets for established conns and the first packet for related > conns to pass. > 2. Allow all packets for new conns from the host to pass > 3. Drop all other packets. This makes the first rule moot, because there > will be no established conns from other hosts. NEW packets are dropped, > thus there cannot be any established conns for a related connection to > be created. > But I suspect you already know your rules don't work right. :) > > I only looked at the rules in table 'filter'. Sorry Neal, but exists some things in your answer that I don't understand ... In line: > > To restrict that host to a particular LAN and allow other hosts through, these > rules in table 'filter': > -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT > -A FORWARD -s 172.24.50.3/32 -m state --state NEW -j ACCEPT > -A FORWARD -j LOG --log-prefix "IPT FORWARD packet died: " > > should be: > -A FORWARD -s 172.24.50.3/32 -d a.b.c.d/netmask \ > -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT Why this rule??: > -A FORWARD -s a.b.c.d/netmask -d 172.24.50.3/32 \ > -m state --state RELATED,ESTABLISHED -j ACCEPT > -A FORWARD -s 172.24.50.3/32 \ > -j LOG --log-prefix "FORWARD dropped packet from 172.24.50.3: " Why this rule??: by default all is denied if it is not exists an established and related connection. > -A FORWARD -s 172.24.50.3/32 -j DROP > -A FORWARD -d 172.24.50.3/32 \ > -j LOG --log-prefix "FORWARD dropped packet to 172.24.50.3: " > -A FORWARD -d 172.24.50.3/32 -j DROP Why this rule??: > -A FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT > I only want to allow related and established connections ... not new if it is not explicit allowed. > Rule order is important. Thus, > 1. Packets from the host to that LAN that are for (1) a new or a > new/related conn, and (2) all packets for established conns, > are allowed. > 2. Packets to the host from that LAN for (1) a new/related conn > or (2) for established conns are allowed. > 3. All other packets forwarded to or from that host are dropped. > 4. All other forwarded packets are allowed. > 5. The FORWARD chain's DROP policy is never executed. See #5 (above). > 6. The host is still allowed to access all other hosts on its LAN; the > router has no control over that. > Since no protocols are specified, ICMP will also be allowed. > > Remember that: > - Without ICMP, your internetwork will not function. Sorry?? Why?? I administer a lot of chkps and bds fws and ALL had icmp denied by default (with some exceptions), and it works ok ... > - A 'conn' is a relation between two socket endpoints, be it TCP, UDP > or another protocol. > - NEW refers to the *first* packet of a new conn. > - RELATED refers to the *first* packet of a new, related conn. > - ESTABLISHED refers to all other packets of established conns, > whether they started as NEW or as RELATED. > - the RELATED state is set by a conntrack helper (FTP, etc.) that > snoops and detects when one end of an established conn is attempting > to open a new conn (such as FTP's data channel). > - You may want to allow DNS (UDP port 53) to pass (if needed), depending > on where your DNS server or 'proxy' is. > - You may want to add rules to INPUT and OUTPUT to prevent that host > from accessing the router itself, if desired. But according to my default policy, all that it is not allowed is denied ... Your answers are redundant with my default policy ... -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
