From: Jan Humme <jan.humme@xs4all.nl>
To: thingstocome@gmx.net, netfilter@lists.samba.org
Subject: Re: unexpected problem with DNAT
Date: Wed, 10 Jul 2002 14:50:55 +0200 [thread overview]
Message-ID: <02071014505504.04513@Lms> (raw)
In-Reply-To: <2881.1026303535@www8.gmx.net>
On Wednesday 10 July 2002 14:18, thingstocome@gmx.net wrote:
> hello,
> i'm currently configuring a linux box to function as a router/gateway
> between two different LAN networks.
>
> default config:
> Hosts from LAN_1 shall be able to connect to LAN_2 via masquerading (SNAT)
> which works fine, and hosts from LAN_2 shall only be able to connect to the
> gateway,
> not to any host in LAN_2.
>
> However sometimes it is necessery that a host of LAN_2 initiates a
> connection to a
> certain computer in LAN_1.
>
> I do this by adding following rule to the gateways' iptables, which also
> works fine:
>
> iptables -t nat -A PREROUTING -j DNAT -i eth1 -d <GATEWAY_ADDR1> --to
> <LAN_1_ADDR>
>
> note: GATEWAY_ADDR1 ... is one of several ip addresses that belong to the
> gateway,
> LAN_1_ADDR ... is the address of host that shall be reached
> from LAN_2.
>
> ok now here's my problem:
>
> i thought that i can deny access to LAN_1_ADDR again as soon as the
> connection isnt needed anymore, by simply removing the rule.
>
> this worked if there were no open connections between the hosts, but not if
> the host in LAN_2 already had established one.
>
> here an example:
>
> I logon from LAN_2 to a ftp server in LAN_1 through the gateway via DNAT .
> no problem.
> Now i flush the prerouting chain, remove the rule, whatever.
> DNAT should not be allowed now anymore.
> But the host in LAN_2 still has an open ftp connection and has access to
> the host in LAN_1 until the ftp session is over.
>
> But this must not be possible, i want to avoid it .
>
> I think the host can still be accessed because the connection tracking
> module
> still has the entries of the session stored.
> I tried to "restart" the firewall ( -> flushed _all_ chains, & reset _all_
> rules without dnat the rule) but the connection was still alive.
Only the first packet in a stream will hit the nat-table, so if you remove
the PREROUTING chain after the connection has already been setup, the
connection will persist.
> ( if it interests you , new connections to LAN_1_ADDR couldnt be started of
> course ).
>
> Does anyone know how to solve this problem ?
I believe it can only be fixed in the filter module somehow, as all packets
travel through the filter module. You may insert a rule to the FORWARD chain,
to block the FTP-traffic from this IP-address; this should take immediate
effect.
Jan Humme.
next prev parent reply other threads:[~2002-07-10 12:50 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-07-10 12:18 unexpected problem with DNAT thingstocome
2002-07-10 12:50 ` Jan Humme [this message]
2002-07-10 14:03 ` thingstocome
2002-07-10 14:26 ` Jan Humme
2002-07-10 14:43 ` Antony Stone
2002-07-10 15:49 ` Jan Humme
2002-07-10 15:55 ` Antony Stone
2002-07-10 16:53 ` Jan Humme
2002-07-10 17:42 ` Antony Stone
2002-07-10 18:15 ` Jan Humme
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=02071014505504.04513@Lms \
--to=jan.humme@xs4all.nl \
--cc=netfilter@lists.samba.org \
--cc=thingstocome@gmx.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.