RE: Iptables Reject with TCP Reset


 



The rule you made here makes little sense, it would be preferable to make a simpler rule at "the top" like this ...

iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
or
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

This will allow "all" traffic for rules you have already allowed through other rules in the FW (no matter the IP or interface).


Best regards
André Paulsberg-Csibi
Senior Network Engineer 
Fault Handling
IBM Services AS




-----Original Message-----
From: netfilter-owner@xxxxxxxxxxxxxxx [mailto:netfilter-owner@xxxxxxxxxxxxxxx] On Behalf Of Matt Killock
Sent: 9. januar 2017 11:46
To: Noel Kuntze <noel@xxxxxxxxxxxxxxxxx>; netfilter@xxxxxxxxxxxxxxx
Subject: RE: Iptables Reject with TCP Reset

Thanks for your response.

> Use iproute2. Don't use the net-tools. They're unmaintained, less powerful and lie.

I do use iproute2 - for our multi-homed edge router, where it's needed. In this case, I wanted a list of interfaces, and I can see that the output was not a 'lie', so as a tool for that job, it's fine.

> Your rule set is absolutely broken, because you don't permit ctstate RELATED and at the same time, it's unnecessarily convoluted and unstructured.

I note you dislike our ruleset, and I have no intention of rewriting the whole thing, especially as the examples in links you provide allow all outbound traffic from internal hosts. We want to block all outbound traffic except on a very limited range of host / port combinations. I accept that we may not have gone about that in an entirely modern or simplest manner possible, but it is far from 'absolutely' broken.

However, you did manage to tell me what I need to know, which is that I needed a RELATED rule in there. After a bit of experimentation, I discovered that I need a rule like this:

iptables -A OUTPUT -o eth1 -p tcp -d 192.168.40.0/24 -m state --state RELATED -j ACCEPT

That fixes this problem, thank you.

Matt

________________________________

Plum Software is a fully owned subsidiary of Praemium Limited.

This e-mail is confidential. It may also be legally privileged. If you are not the addressee, you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return email. Internet communications cannot be guaranteed to be timely, secure, or error or virus free. The sender does not accept liability for any errors or omissions.

In the UK the Praemium Group is: Praemium Portfolio Services Ltd (Company Number: 05362168), Praemium (UK) Ltd (Company Number: 05362153), Praemium Administration Ltd (Company Number: 06016828) and Smartfund Nominees Ltd (Company Number: 07153417) each having its registered office at 4th Floor, Suite 643-659, Salisbury House, London Wall, London, EC2M 5QQ, United Kingdom. Praemium Administration Ltd is authorised and regulated by the Financial Conduct Authority under reference 463566. See http://www.fca.org.uk/register for more details.

In Jersey the Praemium Group is: Praemium International Ltd (Company Number: 107624) which has its registered office at 3rd Floor East, Salisbury House, 1-9 Union Street, St Helier, JE2 3RF and is regulated under the Financial Service (Jersey) Law 1998 by the Jersey Financial Services Commission for the conduct of investment business in Jersey. See http://www.jerseyfsc.org for more details.

Thank you for your cooperation. Please contact us on +44 (0)207 5622 450 if you require assistance.
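The structure recommended above (a single RELATED,ESTABLISHED accept at the top of OUTPUT) applied to the requirement in the reply (block all outbound traffic except a few host/port pairs), as an added example that is not code from either poster: it prints such a chain in iptables-restore format and lints any ruleset text for the rule ordering. The interface, subnet and ports are assumed placeholders; the subnet only mirrors the one quoted in the thread.

```shell
# Constructed values for the example; the subnet is the one quoted in the thread,
# the interface and the allowed destination ports are assumptions.
EXAMPLE_IFACE="eth1"
EXAMPLE_NET="192.168.40.0/24"
ALLOWED_TCP_PORTS="443 25"

# emit_ruleset: print a default-deny OUTPUT chain. Pipe it to
# `iptables-restore --test` to syntax-check it before loading it for real.
emit_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT DROP [0:0]'
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    # Replies and related traffic (e.g. ICMP errors) for any connection that
    # was accepted elsewhere pass here, regardless of IP or interface.
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    # Only NEW connections to the permitted host/port combinations get through.
    for p in $ALLOWED_TCP_PORTS; do
        printf '%s\n' "-A OUTPUT -o $EXAMPLE_IFACE -p tcp -d $EXAMPLE_NET --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Everything else: TCP gets a reset, the rest an ICMP port unreachable.
    printf '%s\n' '-A OUTPUT -p tcp -j REJECT --reject-with tcp-reset'
    printf '%s\n' '-A OUTPUT -j REJECT --reject-with icmp-port-unreachable'
    printf '%s\n' 'COMMIT'
}

# lint_ruleset: read iptables-restore text on stdin; succeed only if the OUTPUT
# chain accepts both RELATED and ESTABLISHED before its first DROP/REJECT rule.
lint_ruleset() {
    awk '
        /^-A OUTPUT/ && /RELATED/ && /ESTABLISHED/ && /-j ACCEPT/ { if (!blocked) ok = 1 }
        /^-A OUTPUT/ && /-j (DROP|REJECT)/ { blocked = 1 }
        END { exit ok ? 0 : 1 }
    '
}

if emit_ruleset | lint_ruleset; then
    echo "ruleset ordering OK"
else
    echo "conntrack rule missing or placed after a REJECT/DROP" >&2
fi
```

Running `iptables-save | lint_ruleset` against a live box gives the same check for an existing ruleset.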



