Hi,
On Sun, 10 Jun 2007 15:11:44 -0700, andreas.sachs wrote:
[...]
> A B
> | |
> |---FW1--|
> | |
> |---FW2--|
> | |
>
>
> Clients on NET-B are not allowed to initiate connections to NET-A.
> Clients on NET-A are allowed to connect to hosts on NET-B.
>
> Normally I would do this that way (default is DROP):
>
> iptables -I FORWARD -i eth0 -o eth1 -j ACCEPT
> iptables -I FORWARD -i eth1 -o eth0 -j ACCEPT -m state --state ESTABLISHED
>
> This works as long as the packets coming back from NET-B to NET-A go
> through the same firewall. But if the routing is asymmetric the packets
> will be NEW and not ESTABLISHED for the second firewall.
>
> Is there a possibility to solve my problem for TCP (maybe with the SYN
> flag?), or for TCP and UDP?
Yes, you can check for the SYN flag. It is similar to checking for
state NEW, and !SYN is similar to state ESTABLISHED. But you will not
get complex protocols like FTP. It will not be a real stateful firewall,
but it is possible. For UDP you have to check all packets, going and
coming back; there is no SYN flag...
olli
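The SYN-flag approach olli describes, written out as a FORWARD ruleset for one of the two firewalls. This is an added example, not a ruleset from either poster: it assumes eth0 faces NET-A and eth1 faces NET-B (as in the original rules), uses a made-up resolver address 10.0.2.53 for the UDP case, and only prints the commands unless IPT=iptables is set, so it can be read and checked without root. A TCP segment with SYN set and ACK/RST clear (what `--syn` matches) is a connection attempt from NET-B and is dropped; every other TCP segment is let through on the assumption that it answers a session NET-A opened, which is exactly the weakness olli points out: no connection table is consulted, so the filter cannot follow FTP data channels and cannot reject stray non-SYN segments. For UDP nothing in the header says "reply", so the return direction has to be allowed per service and port.

```shell
#!/bin/sh
# Constructed example: stateless (SYN-flag based) FORWARD policy for two
# firewalls with asymmetric routing.  Not the original poster's ruleset.
# Assumed interface names: eth0 faces NET-A, eth1 faces NET-B.
# By default the rules are only printed; run with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"
A_IF="${A_IF:-eth0}"   # toward NET-A (may initiate connections)
B_IF="${B_IF:-eth1}"   # toward NET-B (may only answer)

build_rules() {
    # Default policy: drop anything not explicitly allowed, start from empty.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # NET-A -> NET-B: clients on A may open connections to B.
    $IPT -A FORWARD -i "$A_IF" -o "$B_IF" -j ACCEPT

    # NET-B -> NET-A, TCP: SYN set with ACK/RST clear is a connection attempt
    # (what state NEW would match); refuse it.  Everything else (SYN-ACK, ACK,
    # FIN, RST) is assumed to belong to a session that A opened, so it passes
    # regardless of which firewall saw the first packet.  No connection table
    # is consulted, so FTP data channels and stray ACKs are not handled.
    $IPT -A FORWARD -i "$B_IF" -o "$A_IF" -p tcp --syn -j DROP
    $IPT -A FORWARD -i "$B_IF" -o "$A_IF" -p tcp ! --syn -j ACCEPT

    # NET-B -> NET-A, UDP: no flag distinguishes request from reply, so the
    # return direction must be matched on address and port explicitly.  Here
    # only DNS answers from B's resolver are allowed (assumed address, not
    # taken from the thread); add one such rule per UDP service A may query.
    $IPT -A FORWARD -i "$B_IF" -o "$A_IF" -p udp -s 10.0.2.53 --sport 53 -j ACCEPT
}

# Count emitted rules matching a pattern.  Only meaningful in print mode
# (IPT unset), where it lets the ruleset be checked without a kernel.
count_rules() {
    build_rules | grep -c -- "$1"
}

build_rules
```

Run it as `sh rules.sh` to review the rules, then `IPT=iptables sh rules.sh` on the firewall itself; the same script is applied to both FW1 and FW2, since each must enforce the policy on its own.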