set RELATED?

set RELATED?

[George]

[-- Attachment #1: Type: text/plain, Size: 555 bytes --]

Is there currently a way for iptables to force another packet stream conntrack entry to be RELATED without having to look inside of the packet data?

For example:  If a 10.0.0.2 client behind an iptables firewall were to send an IMCP echo to 10.20.30.1, could a rule be set up so that after the firewall see this packet, all udp packets sent to dport=45678 would be DNATed to 10.0.0.2?

The designated RELATED stream would in general then be just like any other conntrack entry.

My guess is that this would require a generic force-related module.

[-- Attachment #2: Type: text/html, Size: 1245 bytes --]

Re: set RELATED?

[Ramin Dousti]

On Fri, Jul 25, 2003 at 08:21:21PM -0600, George wrote:

> Is there currently a way for iptables to force another packet stream conntrack entry to be RELATED without having to look inside of the packet data?
> 
> For example:  If a 10.0.0.2 client behind an iptables firewall were to send an IMCP echo to 10.20.30.1, could a rule be set up so that after the firewall see this packet, all udp packets sent to dport=45678 would be DNATed to 10.0.0.2?
> 
> The designated RELATED stream would in general then be just like any other conntrack entry.
> 
> My guess is that this would require a generic force-related module.

Let me see if I understood you well. You want something like this:

if (the firewall sees this traffic) then
    apply that rule
fi

I don't think we have something like this but I think this is very
helpful. Specially if the IF-test could pass some parameters to the
THEN-body. You might want to take this to the devel mailing list.

Ramin

RE: set RELATED?

[Sebastian]

Hi there...

Just an idea, i didn't try it out jet.

I think u can use the -j POOL target to add the IP-Adresse to a pool
when u see the icmp packet. Then u can use -m pool to accept connections
based on wether the IP is in this pool or not.

Greets
Sebastian.


> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org 
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Ramin Dousti
> Sent: Tuesday, July 29, 2003 4:01 PM
> To: George
> Cc: netfilter@lists.netfilter.org
> Subject: Re: set RELATED?
> 
> 
> On Fri, Jul 25, 2003 at 08:21:21PM -0600, George wrote:
> 
> > Is there currently a way for iptables to force another 
> packet stream 
> > conntrack entry to be RELATED without having to look inside of the 
> > packet data?
> > 
> > For example:  If a 10.0.0.2 client behind an iptables 
> firewall were to 
> > send an IMCP echo to 10.20.30.1, could a rule be set up so 
> that after 
> > the firewall see this packet, all udp packets sent to dport=45678 
> > would be DNATed to 10.0.0.2?
> > 
> > The designated RELATED stream would in general then be just 
> like any 
> > other conntrack entry.
> > 
> > My guess is that this would require a generic force-related module.
> 
> Let me see if I understood you well. You want something like this:
> 
> if (the firewall sees this traffic) then
>     apply that rule
> fi
> 
> I don't think we have something like this but I think this is 
> very helpful. Specially if the IF-test could pass some 
> parameters to the THEN-body. You might want to take this to 
> the devel mailing list.
> 
> Ramin
> 
>