Re: Iptables Forwarded traffic



Hello,

test wrote:

iptables -A FORWARD -t filter -p ALL -i eth0 \
-m state --state ESTABLISHED,RELATED -j ACCEPT

eth0 is the interface connected to the internet

Since all connections coming from the outside world can't contact the local network directly (I mean that one NATed computer has to ask for it), it seems impossible that a connection marked as new could try to reach another computer than my router? Isn't this rule stupid (or paranoid)?
Since I have found a lot of iptables scripts using it, could someone explain to me why I should not ACCEPT all incoming forwarded traffic?

Sure. Here is where you're wrong:

all connections coming from the outside world can't contact the local network directly

They can. Or at least they could, and some can. All that is needed is that packets arrive at eth0 with the destination address of one of your private hosts, and your Linux-based router will happily route them to their destination.

Now you're gonna ask how the hell a packet with a private destination address could reach your router from the outside? Well, this could be caused by a routing problem at your ISP, or you could be on a shared medium (e.g. cable) with other subscribers who can directly send you packets with an arbitrary destination address. This is as simple as adding a route on their box.

route add <your_private_subnet> gw <your_public_address>

Anyway, assuming this cannot happen is making your security depend on something you do not control.
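To make the difference concrete, here is an added example (not part of the thread) that models the FORWARD chain as iptables evaluates it, first match wins, default policy DROP. It assumes a LAN interface eth1 and a constructed private subnet 192.168.1.0/24, and runs three constructed packets through both the "accept everything" chain the question proposes and the ESTABLISHED,RELATED idiom it asks about.

```python
# Interfaces as in the thread: eth0 faces the internet; eth1 (assumed) faces the LAN.
WAN_IF, LAN_IF = "eth0", "eth1"

# A rule is (in_iface or None, allowed conntrack states or None, target).
# None means "match any", like omitting -i or -m state in iptables.
PERMISSIVE = [
    (None, None, "ACCEPT"),          # iptables -A FORWARD -j ACCEPT
]
RESTRICTIVE = [
    (WAN_IF, {"ESTABLISHED", "RELATED"}, "ACCEPT"),   # the rule from the question
    (LAN_IF, None, "ACCEPT"),        # LAN hosts may open connections outward
]
POLICY = "DROP"                      # iptables -P FORWARD DROP


def forward_verdict(rules, in_iface, dst, state):
    """Return ACCEPT or DROP for a packet entering FORWARD on in_iface.

    dst is only carried for readability; after de-NAT in PREROUTING the
    destination of an inbound packet is already the private address.
    """
    for iface, states, target in rules:
        if iface is not None and iface != in_iface:
            continue
        if states is not None and state not in states:
            continue
        return target
    return POLICY


# Constructed packets: a LAN request, the reply to it, and a packet that a
# neighbour on a shared medium routed at our LAN via our public address.
PACKETS = {
    "lan_to_internet": (LAN_IF, "203.0.113.5", "NEW"),
    "reply_from_internet": (WAN_IF, "192.168.1.10", "ESTABLISHED"),
    "injected_from_outside": (WAN_IF, "192.168.1.10", "NEW"),
}


def compare():
    """Map each packet name to (permissive verdict, restrictive verdict)."""
    return {
        name: (forward_verdict(PERMISSIVE, *pkt), forward_verdict(RESTRICTIVE, *pkt))
        for name, pkt in PACKETS.items()
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:24s} permissive={verdicts[0]:6s} restrictive={verdicts[1]}")
```

Only the third packet differs: the permissive chain forwards a NEW connection from eth0 straight to a LAN host, the restrictive one drops it while still passing the LAN's own traffic and its replies.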