 |
| Register | FAQ | Members List | Calendar | Links | Search | Today's Posts | Mark Forums Read |
|
||||||||
|
|
|||||||
 |
|
|
Thread Tools | Display Modes |
|
#1
06-10-2007, 11:11 PM
|
iptable rules for two networks connected with two firewalls
Hello,
i'm looking for iptable rules to solve a problem with asymmetric routing. I have two networks (NET-A, NET-B). The networks are connected with two parallel firewalls. Lets say, NET-A is connected to eth0 on each firewall, NET-B is connected to eth1. A B | | |---FW1--| | | |---FW2--| | | Clients on NET-B are not allowed to initiate connections to NET-A. CLients on NET-A are allewed to connect to hosts on NET-B. Normally i would do this that way (Default is DROP): iptables -I FORWARD -i eth0 -o eth1 -j ACCEPT iptables -I FORWARD -i eth1 -o eth0 -j ACCEPT -m state --state ESTABLISHED This works as long as the packtes coming back from NET-B to NET-A go throuh the same firewall. But if the routing is asymmetric the packets will be NEW and not ESTABLISHED for the second firewall. Is there a posibility to solve my problem for tcp (maybe with syn- flag?)? or for tcp and udp? Thanks Andreas andreas.sachs@gmail.com 
|
|
#2
06-11-2007, 08:14 AM
|
|||
|
|||
|
Re: iptable rules for two networks connected with two firewalls
Hi,
On Sun, 10 Jun 2007 15:11:44 -0700, andreas.sachs wrote: [...] > A B > | | > |---FW1--| > | | > |---FW2--| > | | > > > Clients on NET-B are not allowed to initiate connections to NET-A. > CLients on NET-A are allewed to connect to hosts on NET-B. > > Normally i would do this that way (Default is DROP): > > iptables -I FORWARD -i eth0 -o eth1 -j ACCEPT > iptables -I FORWARD -i eth1 -o eth0 -j ACCEPT -m state --state > ESTABLISHED > > This works as long as the packtes coming back from NET-B to NET-A go > throuh the same firewall. But if the routing is asymmetric the packets > will be NEW and not ESTABLISHED for the second firewall. > > Is there a posibility to solve my problem for tcp (maybe with syn- > flag?)? > or for tcp and udp? yes, you can check for syn-flag. it is similar like to check for state-new. and !syn-flag is similar to state-established. but you will not get complex protocols like ftp. it will not be a real stateful firewall, but possible. for udp you have to check all packets, go and goback, there is no syn-flag... olli
|
|
| Tags |
| connected, firewalls, iptable, networks, rules |
| Thread Tools | |
| Display Modes | |
|
|
Linear Mode
