[geeks] News server access

Phil Brutsche geeks at sunhelp.org
Mon Aug 13 19:37:10 CDT 2001


On 13 Aug 2001 19:18:00 -0400, joshua d boyd wrote:
> > My unit drops all connections that weren't already established by 
> > one of the machines on the inside - you can't even ping/traceroute/portscan
> > it.  Any exploits would have to come from the "inside" LAN.  
> 
> Uhm, excuse me, but weren't you earlier saying that it did port
> forwarding?  How does it do that if it drops all incoming connections?

Very easily, Joshua.  You're being too literal :)

Consider the following netfilter (Linux kernel 2.4 packet filtering)
snippet:

# replies to (and flows related to) connections the inside opened
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# explicitly admitted services, one rule per forwarded protocol/port
iptables -A INPUT -p <ip protocol> --dport <portnum> -j ACCEPT
...
# everything else (new or invalid) is dropped
iptables -A INPUT -j DROP

In other words, consider this "flowchart":

packet comes in on wan port
packet part of an internally-established connection?

if yes, check to see if the particular port for this particular IP
protocol should be redirected.

if yes, rewrite IP header appropriately and send it out to the lan.

if no to the first condition, drop the packet and forget anything
happened.
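To make the "flowchart" concrete, here is an added example (mine, not code from Phil's post) that models the connection-tracking decision in Python: replies to inside-opened flows pass as ESTABLISHED, new packets to a forwarded port are admitted, everything else is dropped. Addresses, the forward table and the packet fields are constructed; NAT rewriting of the LAN host's source address is left out.

```python
from typing import NamedTuple, Optional, Tuple

class Packet(NamedTuple):
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int   # 0 for icmp
    dst: str
    dport: int   # 0 for icmp

# Port-forward table: (protocol, WAN port) -> (LAN host, LAN port).
# Constructed sample entry, standing in for the "-p <proto> --dport <port>" rule.
FORWARDS = {("tcp", 80): ("192.168.1.10", 80)}

# Connection-tracking table of flows the box has agreed to carry
# (opened by a LAN host, or admitted through a forward).  Empty at boot.
conntrack = set()

def flow_key(p: Packet) -> Tuple:
    return (p.proto, p.src, p.sport, p.dst, p.dport)

def reverse_key(p: Packet) -> Tuple:
    # The 5-tuple of the packet that would have opened this flow from the inside.
    return (p.proto, p.dst, p.dport, p.src, p.sport)

def lan_originates(p: Packet) -> str:
    """A LAN host opens an outbound flow: record it, as the state module does
    on the first packet leaving the box."""
    conntrack.add(flow_key(p))
    return "ACCEPT"

def wan_packet(p: Packet):
    """Decision for a packet arriving on the WAN side, in rule order."""
    # Rule 1: reply to a flow already in the table -> ESTABLISHED, accept.
    if reverse_key(p) in conntrack:
        return "ACCEPT"
    # Rule 2: a NEW flow aimed at a forwarded port -> rewrite and send to the LAN.
    target: Optional[Tuple[str, int]] = FORWARDS.get((p.proto, p.dport))
    if target is not None:
        conntrack.add(flow_key(p))   # its later packets count as ESTABLISHED
        return ("DNAT", target)
    # Rule 3: anything else (ping, traceroute, a scan of closed ports) is dropped
    # with no response, which is why the box looks silent from outside.
    return "DROP"
```

The distinction Phil is drawing falls out of the rule order: only the forward rule ever accepts a NEW packet, and only for the ports it names.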

-- 

Phil
