nat and dns

Aleksandar Milivojevic amilivojevic at pbl.ca
Fri Sep 24 03:56:17 CEST 2004


Quoting Dimitar Katerinski <train at bofh.bg>
Date: Fri, 24 Sep 2004 01:02:11

> Sorry, a little bit off topic, but I allways go red about such kind of crappy
> rules:
> 
> > Use DNAT target.  In short what you need to do is:
> > 
> >    iptables -A FORWARD -m state --state NEW -j ACCEPT
> 
> Do you know what you just did? You've just allowed any kind of
> connections, protocols to any port and from/to any destionation. Cute,
> isn't it?

The above was an obvious typo that I made.  It should have read ESTABLISHED, not
NEW, of course.  It kinda suprised me that it took so long before anybody noticed.

As for using only --state NEW in my other rules vs specifying tcp flags, there
were some discussions before on the list about it.  For most part it will just
prevent nmap and similar programs to do some types of tests used to remotely
determine OS type.  Personally, I do use tcp-flags option in combination with
--state NEW.  And what I sometimes type when giving examples (mostly not, becase
of pure laziness on my part) is that they are examples and that reader should
add additional flags to make it more tight.

> P.S. Why I go red? Because there're thousands of people who use it, and
> they learned it from someone like you.

Maybe yes, maybe no.  The bottom line is that probability of somebody getting
burned by not using tcp-flags (or simply syn) option is quite low.  But if
that's going to make you so much happier person, I can start typing mile long
examples instead of giving hints.  I could bet that out of those thousands,
there will be at least 99% that will fail to realize that 2.6 series of kernels
is extremely trigger happy to load ipv6 module (which will automatically assign
link local IPv6 addresses to all Ethernet interfaces), and that is much more
serious problem than omiting --syn or whatever...

-- 
Aleksandar Milivojevic <amilivojevic at pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7





More information about the netfilter mailing list