From: Jarry
Date: Tue, 21 May 2013 18:23:12 +0200
Message-ID: <519B9F70.5070007@gmail.com>
List-Id: Gentoo Linux mail
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] IPTables - Going Stateless

On 21-May-13 17:07, Nick Khamis wrote:
> We recently moved our stateful firewall inside, and would like to
> strip down the firewall at our router connected to the outside world.
> The problem I am experiencing is getting things to work properly
> without connection tracking. I hope I am not in breach of mailing list
> rules; however, a stripped-down configuration is as follows:
>
> #echo -e " - Defined Chains"
> $IPTABLES -N TCP
> $IPTABLES -N UDP
>
> #echo -e " - Accepting SSH Traffic"
> $IPTABLES -A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5 --dport 22 -j ACCEPT
> $IPTABLES -A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP
>
> #echo -e " - Accepting input TCP and UDP traffic to open ports"
> $IPTABLES -A INPUT -i $INTIF1 -p tcp --syn -j TCP
> $IPTABLES -A INPUT -i $INTIF1 -p udp -j UDP
>
> #echo -e " - Accepting output TCP and UDP traffic to open ports"
> $IPTABLES -A OUTPUT -o $INTIF1 -p tcp --syn -j TCP
> $IPTABLES -A OUTPUT -o $INTIF1 -p udp -j UDP
>
> Everything works fine with the REJECT rules commented out, but when
> they are included, SSH access is blocked out. Not sure why; isn't the
> sequence correct (i.e., the ACCEPT entries before the DROP and REJECT)?
>
> Also, any pointers or heads up when going stateless would be greatly
> appreciated.

I do not understand why you *want* to omit statefulness, but if you do,
you have to take care of the corresponding part of ip-traffic yourself.

First, you'd better learn something about "3-way handshaking". That's
the way a tcp/ip connection is opened. In short:

1. client sends to server a tcp/ip packet with the "syn" flag
2. server responds with "syn/ack" flags
3. client sends "ack"

Now look at your rules: you covered only the first part with:

$IPTABLES -A INPUT -i $INTIF1 -p tcp --syn -j TCP

Where is the OUTPUT rule for "syn/ack", and INPUT for "ack"? Nowhere,
and because of that you cannot open a tcp-connection if the drop/reject
rules are in effect. But instead of playing with tcp-flags I strongly
recommend using a stateful firewall, which takes care of this with one
simple rule.

Jarry

-- 
_______________________________________________________________
This mailbox accepts e-mails only from selected mailing-lists!
Everything else is considered to be spam and therefore deleted.
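As an added example (not code from the thread), here is Jarry's point written out as rules: a stateless set that carries all three handshake steps for the poster's SSH case, next to the stateful set that replaces them with conntrack. The addresses and the $INTIF1 variable come from the quoted post; the interface name eth1 and the dry-run default (rules are echoed rather than applied) are assumptions.

```shell
# Dry run by default: set IPTABLES=iptables (as root) to apply for real.
IPTABLES="${IPTABLES:-echo iptables}"
INTIF1="${INTIF1:-eth1}"          # interface name is an assumption
LAN=192.168.2.0/24                # addresses taken from the quoted post
HOST=192.168.2.5

# Stateless: every handshake direction needs its own rule.
stateless_ssh_rules() {
    # 1. client SYN arrives (same match as --syn, written out with --tcp-flags)
    $IPTABLES -A INPUT  -i "$INTIF1" -p tcp -s "$LAN" -d "$HOST" --dport 22 \
        --tcp-flags SYN,ACK,FIN,RST SYN -j ACCEPT
    # 2. our SYN/ACK leaves; the post has no OUTPUT rule for this step
    $IPTABLES -A OUTPUT -o "$INTIF1" -p tcp -s "$HOST" --sport 22 -d "$LAN" \
        --tcp-flags SYN,ACK SYN,ACK -j ACCEPT
    # 3. client ACK and all later segments: anything that is not a new SYN
    $IPTABLES -A INPUT  -i "$INTIF1" -p tcp -s "$LAN" -d "$HOST" --dport 22 \
        ! --syn -j ACCEPT
    $IPTABLES -A OUTPUT -o "$INTIF1" -p tcp -s "$HOST" --sport 22 -d "$LAN" \
        ! --syn -j ACCEPT
    # Any other SSH traffic to this host is dropped, after the accepts.
    $IPTABLES -A INPUT -i "$INTIF1" -p tcp -d "$HOST" --dport 22 -j DROP
}

# Stateful: conntrack covers steps 2 and 3 and the data for every service.
stateful_ssh_rules() {
    $IPTABLES -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Only the opening SYN needs an explicit decision.
    $IPTABLES -A INPUT -i "$INTIF1" -p tcp -s "$LAN" -d "$HOST" --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT
    $IPTABLES -A INPUT -i "$INTIF1" -p tcp -d "$HOST" --dport 22 -j DROP
}

# Pick one set on the command line: ./ssh-rules.sh stateless | stateful
case "${1:-}" in
    stateless) stateless_ssh_rules ;;
    stateful)  stateful_ssh_rules ;;
esac
```

Running either set under the dry-run default prints the rules so they can be compared with the post's --syn-only version before anything is loaded.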