iptable rules for two networks connected with two firewalls - Networking



Thread: iptable rules for two networks connected with two firewalls

  1. iptable rules for two networks connected with two firewalls

    Hello,
    I'm looking for iptables rules to solve a problem with asymmetric
    routing.

    I have two networks (NET-A, NET-B). The networks are connected with
    two parallel firewalls. Let's say NET-A is connected to eth0 on each
    firewall and NET-B is connected to eth1.

    A        B
    |        |
    |---FW1--|
    |        |
    |---FW2--|
    |        |


    Clients on NET-B are not allowed to initiate connections to NET-A.
    Clients on NET-A are allowed to connect to hosts on NET-B.

    Normally I would do it this way (default policy is DROP):

    iptables -I FORWARD -i eth0 -o eth1 -j ACCEPT
    iptables -I FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED -j ACCEPT

    This works as long as the packets coming back from NET-B to NET-A go
    through the same firewall. But if the routing is asymmetric, the packets
    will be NEW and not ESTABLISHED for the second firewall.

    Is there a possibility to solve my problem for TCP (maybe with the SYN
    flag?)?
    Or for TCP and UDP?

    Thanks Andreas


  2. Re: iptable rules for two networks connected with two firewalls

    Hi,

    On Sun, 10 Jun 2007 15:11:44 -0700, andreas.sachs wrote:

    [...]

    > A        B
    > |        |
    > |---FW1--|
    > |        |
    > |---FW2--|
    > |        |
    >
    >
    > Clients on NET-B are not allowed to initiate connections to NET-A.
    > Clients on NET-A are allowed to connect to hosts on NET-B.
    >
    > Normally I would do it this way (default policy is DROP):
    >
    > iptables -I FORWARD -i eth0 -o eth1 -j ACCEPT
    > iptables -I FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED -j ACCEPT
    >
    > This works as long as the packets coming back from NET-B to NET-A go
    > through the same firewall. But if the routing is asymmetric, the packets
    > will be NEW and not ESTABLISHED for the second firewall.
    >
    > Is there a possibility to solve my problem for TCP (maybe with the SYN
    > flag?)?
    > Or for TCP and UDP?


    yes, you can check for the syn flag. it is similar to checking for
    state NEW, and !syn is similar to state ESTABLISHED. but you will not
    get complex protocols like ftp. it will not be a real stateful firewall,
    but it is possible. for udp you have to check all packets, going and coming
    back, there is no syn flag...

    olli
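A complete FORWARD ruleset for one firewall along the lines olli describes, as an added example that is not from the thread; the interface names come from the question, while the DNS source port, the ICMP rule and the log prefix are constructed assumptions:

```shell
#!/bin/sh
# Stateless FORWARD rules for ONE of the two parallel firewalls
# (load the same set on both). NET-A is on eth0, NET-B on eth1.
# Return traffic may cross the other firewall, so conntrack state is not
# usable; the TCP direction is inferred from the SYN flag instead.
A_IF="${A_IF:-eth0}"   # NET-A side
B_IF="${B_IF:-eth1}"   # NET-B side

# $1 is the command to run: "iptables" to load, "echo" for a dry run.
apply_rules() {
    ipt="$1"
    $ipt -P FORWARD DROP
    $ipt -F FORWARD

    # NET-A -> NET-B: clients on A may initiate anything.
    $ipt -A FORWARD -i "$A_IF" -o "$B_IF" -j ACCEPT

    # NET-B -> NET-A, TCP: accept only segments that are not a bare SYN.
    # This is the stateless stand-in for ESTABLISHED and holds even when
    # the SYN went through the other firewall. It does NOT verify that a
    # matching connection exists, which is the caveat from the answer.
    $ipt -A FORWARD -i "$B_IF" -o "$A_IF" -p tcp ! --syn -j ACCEPT

    # NET-B -> NET-A, UDP: no flag marks a reply, so replies can only be
    # admitted per service. Constructed example: DNS resolvers on NET-B.
    $ipt -A FORWARD -i "$B_IF" -o "$A_IF" -p udp --sport 53 -j ACCEPT

    # Let ICMP errors about A's own traffic (unreachable, fragmentation
    # needed) back in so connections from A fail cleanly.
    $ipt -A FORWARD -i "$B_IF" -o "$A_IF" -p icmp \
        --icmp-type destination-unreachable -j ACCEPT

    # Everything else from NET-B (TCP SYN, unsolicited UDP) is logged,
    # rate limited, and then falls through to the DROP policy.
    $ipt -A FORWARD -i "$B_IF" -o "$A_IF" -m limit --limit 5/min \
        -j LOG --log-prefix "B->A blocked: "
}

case "${1:-}" in
    apply)   apply_rules iptables ;;
    dry-run) apply_rules echo ;;
esac
```

Run `sh fw-rules.sh dry-run` to review the generated rules and `sh fw-rules.sh apply` as root on each firewall to load them.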
