Use IP connection tracking only for input and output chains
joris.dobbelsteen at mail.com
Thu Aug 11 19:50:48 CEST 2005
>From: netfilter-bounces at lists.netfilter.org
>[mailto:netfilter-bounces at lists.netfilter.org] On Behalf Of /dev/rob0
>Sent: Thursday, 11 August 2005 19:05
>To: netfilter at lists.netfilter.org
>Subject: Re: Use IP connection tracking only for input and
>On Thursday 2005-August-11 06:45, Joris Dobbelsteen wrote:
>> I've a question whether it is a supported configuration where the
>> connection tracking module is solely used for traffic local to the
>I believe the "raw" table can be used to bypass connection
>tracking. I don't know whether or not that is available in OpenWRT.
Could you provide more specific information on how to achieve this? A
tutorial (or a discussion about this) would be very nice. If you have a
good clue where I can find them, it would save me a
lot of time getting through a lot of information.
Did see something here:
looks like OpenWRT doesn't support that:
I'm not looking forward to recompiling OpenWRT to include this
- Joris Dobbelsteen
--- Offtopic -----------------------------------------------------
>Do you like OpenWRT? I have Sveasoft on mine but I am not
>comfortable with it because of the GPL violations and the
>comments I have seen about the Sveasoft maintainer. It's nice
>to have Linksys-style GUI control, but I am quite capable of
>CLI management too.
OpenWRT is perfectly capable of squeezing every feature out of the box. I
modified it quite a lot from the original layout. I don't run a web
interface, though I believe there are some available; administration uses
Rather, the device acts as a router (not a masquerade/NAT gateway). I'm
running dhcp-fwd and djbdns (caching DNS server; dnsmasq didn't do,
because it includes DHCP, which I don't want) on the box. It runs quagga with
OSPFv2 (faster reconfiguration than RIP). The internal switch can be
easily altered for a different network setup (VLANs). It runs WPA/WPA2
with a RADIUS server.
Just check out http://openwrt.org/, look for the documentation how to
Basically you get a plain Linux with some basic functionality for
wireless, network, ADSL links, netfilter/iptables and dnsmasq. You can
later add/remove packages as desired.
The box lacks (just like most of Linux) any good mechanism to enforce a
network policy globally. I implemented my own insecure method of doing
so (I know how to secure this, but it requires some work to be done).
Seems like I really like Microsoft ISA Server for this though...
More information about the netfilter
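The raw-table approach mentioned in the quoted reply, written out as an added example that is not part of this thread: it assumes a router with the constructed addresses 192.0.2.1 and 198.51.100.1, a LAN interface named eth0, and a kernel and iptables built with the raw table and the NOTRACK target. Traffic addressed to the router itself stays tracked, transit traffic gets no conntrack entry, and the FORWARD chain is therefore written without state matches.

```shell
#!/bin/sh
# Added example, not from the thread. Keeps connection tracking for the
# router's own traffic (INPUT/OUTPUT) and exempts transit traffic with the
# raw table's NOTRACK target. Assumes the raw table and NOTRACK are
# available in the kernel and iptables (the thread notes OpenWRT may lack them).
set -eu

IPT="${IPT:-iptables}"                 # set IPT=echo to print rules instead of loading
LOCAL_ADDRS="192.0.2.1 198.51.100.1"   # constructed router addresses (assumption)
LAN_IF="eth0"                          # constructed LAN interface name (assumption)

# raw table: runs before conntrack, so this is where tracking is decided.
conntrack_local_only() {
    $IPT -t raw -F PREROUTING
    # Packets addressed to the router itself: RETURN falls through to the
    # chain's ACCEPT policy, so they are processed normally and tracked.
    for a in $LOCAL_ADDRS; do
        $IPT -t raw -A PREROUTING -d "$a" -j RETURN
    done
    # Everything else is transit: NOTRACK means no conntrack entry is created
    # (so no state for forwarded flows, and NAT cannot be applied to them).
    $IPT -t raw -A PREROUTING -j NOTRACK
    # raw OUTPUT is left untouched: locally generated packets stay tracked.
}

# filter table: stateful rules for the router, stateless rules for transit.
filter_rules() {
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT
    $IPT -F FORWARD
    $IPT -P FORWARD DROP
    # Untracked packets never match ESTABLISHED/RELATED, so FORWARD must not
    # use -m state; a stateless TCP flag match is the classic substitute.
    $IPT -A FORWARD -i "$LAN_IF" -j ACCEPT
    $IPT -A FORWARD -o "$LAN_IF" -p tcp ! --syn -j ACCEPT
}

case "${1:-show}" in
    apply) ;;           # load into the running kernel (needs root)
    *) IPT=echo ;;      # default: only print the rules that would be loaded
esac
conntrack_local_only
filter_rules
```

Run it without arguments to review the generated rules; `apply` loads them.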