On Sun, Apr 14, 2002 at 03:35:05PM +0100, Antony Stone wrote:
> Hi.
>
> I have what I think is a fairly typical client-only firewall setup - my
> netfilter box allows all protocols out from the internal network,
> masquerading the address on the way, and blocks all packets coming back from
> the Internet except those matching state ESTABLISHED,RELATED.
>
> It works fine and does what I want.
>
> However, quite a number of servers (mail, ftp for example) send an IDENT
> request back when I contact them, which the firewall simply drops, because
Don't drop the IDENT requests, just reject them. But this is not what you're
asking, right?
> it's addressed to the external IP of the firewall (because that was the
> source address on the masqueraded outgoing request).
>
> Is there any way to allow such IDENT packets, which arrive immediately after
> an outgoing connection, to be classified as RELATED, and to be NATed on to
> the internal client (as, for example, some ICMP packets do, I believe) ?
ICMP works because it carries enough information to relate them with
certain conn's. However, IDENT does also carry that kind of information,
so theoretically it should be possible, but there is a major difference:
the ICMP dialogue is an integral part of the IP communication, but IDENT is not.
>
> I guess the more general question is: can I control what sort of packets get
> classified as RELATED ?
The general answer to this seems to be a simple 'no', as long as iptables
does not provide a scripting interface with internal variables and more
complicated constructs for the flow of the rules. Something like this:
$IPT -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE -a DO {
$IPT -t nat -A PREROUTING -i $EXTIF -p udp -s %orig_dst -d %nat_src \
--dport 123 -j DNAT --to %orig_src
$IPT -A FORWARD -i $EXTIF -p udp -s %orig_dst -d %orig_src \
--dport 123 -j ACCEPT
}
With:
%orig_src, %orig_sport,
%orig_dst, %orig_dport,
%nat_src, %nat_sport,
%nat_dst, %nat_dport
internal variables (place holders) related to the original rule (like perl's
internal variables). I can think of a dozen other internal variables which
can be very handy.
Ramin
> Antony.
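To make the RELATED/expectation idea concrete, here is a toy Python model of what the "%orig_src / %nat_src" placeholders in Ramin's sketch would have to do inside the connection tracker. This is an added example for this page, not code from the thread, from netfilter or from any real conntrack helper; the class and function names, the addresses and the port numbers are all made up for illustration. It masquerades an outgoing TCP connection, registers a one-shot expectation for the server's IDENT call-back (server IP, our external IP, TCP port 113), and on the inbound side classifies packets as ESTABLISHED, RELATED or INVALID, DNATing the IDENT request to the internal client that owns the masqueraded connection.

```python
"""Toy connection tracker: masquerade + an expectation for the IDENT
call-back.  Added illustration, not netfilter/conntrack code; all names,
addresses and ports are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IDENT_PORT = 113  # RFC 1413 ident/auth service


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Conn:
    # Same placeholders as the thread's sketch: original tuple and NATed source.
    orig_src: str
    orig_sport: int
    orig_dst: str
    orig_dport: int
    nat_src: str
    nat_sport: int


class Tracker:
    """Minimal stateful NAT that also records an expectation for IDENT,
    so the call-back can be classed RELATED and DNATed to the client."""

    def __init__(self, external_ip: str, first_port: int = 1024):
        self.ext = external_ip
        self.next_port = first_port
        # reply tuple as seen on the wire (src, sport, dst, dport) -> Conn
        self.conns: Dict[Tuple[str, int, str, int], Conn] = {}
        # (server ip, our external ip, 113) -> Conn; consumed on first match
        self.expect: Dict[Tuple[str, str, int], Conn] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Masquerade an internal->Internet packet and record its state."""
        nat_sport = self.next_port
        self.next_port += 1
        conn = Conn(pkt.src, pkt.sport, pkt.dst, pkt.dport, self.ext, nat_sport)
        self.conns[(pkt.dst, pkt.dport, self.ext, nat_sport)] = conn
        if pkt.proto == "tcp":
            # The server may open ident back to us: src=server, dst=our
            # external IP, dport=113.  Its source port is unknown in
            # advance, so the expectation is keyed on those three only.
            self.expect[(pkt.dst, self.ext, IDENT_PORT)] = conn
        return Packet(pkt.proto, self.ext, nat_sport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """Classify an Internet->firewall packet; return (state, packet
        after reverse NAT / DNAT), or ("INVALID", None) to drop/reject."""
        conn = self.conns.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if conn is not None:
            return "ESTABLISHED", Packet(pkt.proto, pkt.src, pkt.sport,
                                         conn.orig_src, conn.orig_sport)
        if pkt.proto == "tcp":
            conn = self.expect.pop((pkt.src, pkt.dst, pkt.dport), None)
            if conn is not None:
                # Hand the ident query to the client owning the connection.
                return "RELATED", Packet(pkt.proto, pkt.src, pkt.sport,
                                         conn.orig_src, IDENT_PORT)
        return "INVALID", None


def walk_through() -> List[str]:
    """Constructed scenario: client mails a server, server idents back."""
    t = Tracker("203.0.113.1")          # firewall's external IP (constructed)
    t.outbound(Packet("tcp", "192.168.1.10", 40000, "198.51.100.5", 25))
    states = []
    for p in (
        Packet("tcp", "198.51.100.5", 25, "203.0.113.1", 1024),    # SMTP reply
        Packet("tcp", "198.51.100.5", 51234, "203.0.113.1", 113),  # ident call-back
        Packet("tcp", "198.51.100.5", 51235, "203.0.113.1", 113),  # second ident
        Packet("tcp", "198.51.100.9", 1111, "203.0.113.1", 113),   # unrelated host
    ):
        states.append(t.inbound(p)[0])
    return states


if __name__ == "__main__":
    print(walk_through())
```

The model also shows why the thread's "no" is the honest answer for IDENT: the expectation can only be keyed on server address, our external address and port 113, so two internal clients talking to the same server collide, and the query payload that names the actual port pair (RFC 1413's "port-on-server, port-on-client" line) only arrives after the TCP handshake, after the packet-level decision has been made. For ICMP errors the embedded original header is in the very first packet, which is the difference Ramin points at. The practical alternative from the start of the reply, rejecting rather than dropping, is usually written as a REJECT rule with a TCP reset (`-p tcp --dport 113 -j REJECT --reject-with tcp-reset`) so the remote server gives up immediately instead of waiting for its IDENT timeout.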