This is a discussion on "iptables newbie question" within the Linux Networking forums, part of the Linux Forums category.
Hi,

Two questions about iptables:

1/ I read the packet-filtering HOWTO (http://netfilter.org/documentation/H...ing-HOWTO.html). The first example uses the ip_conntrack module, which allows the state match rule, as in the following rule:

    iptables -A block -m state --state NEW -j REJECT

On the other hand, my Red Hat 9 was automatically configured by lokkit with something that looks similar but without using ip_conntrack:

    iptables -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT

What are the exact differences between these two ways of doing the same thing?

2/ About fragments (see http://netfilter.org/documentation/H...g-HOWTO-7.html): in the paragraph "Specifying fragments", it says:

"If you are doing connection tracking or NAT, then all fragments will get merged back together before they reach the packet filtering code, so you need never worry about fragments."

But 5 lines below, it also says that we can only filter the first fragment, because further fragments don't have their TCP header.

So, are fragments merged or not?

Thanks in advance
matthieu imbert <nospam@nospam.com> said:
> I read the packet-filtering HOWTO
> (http://netfilter.org/documentation/H...ing-HOWTO.html).
> The first example uses the ip_conntrack module, which allows the state
> match rule, as in the following rule:
>
> iptables -A block -m state --state NEW -j REJECT
>
> On the other hand, my Red Hat 9 was automatically configured by lokkit
> with something that looks similar but without using ip_conntrack:
>
> iptables -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
>
> What are the exact differences between these two ways of doing the same
> thing?

The RedHat lokkit way is archaic; it dates back to "ipchains", which was a stateless filter -- you could only filter by the packet contents. The stateful filtering allows for more fine-grained filtering.

Consider, for example, that you wish to allow outbound HTTP sessions. Without connection tracking, you need to allow all incoming packets from port 80. Also, you would need to rather indiscriminately allow incoming ICMP traffic. With connection tracking, you state that you wish to allow outbound connection requests to port 80, and inbound packets that are related to or belong to established connections.

The difference is even greater with the UDP protocol, which, being a stateless protocol, doesn't contain session state in the packet header.

> About fragments (see
> http://netfilter.org/documentation/H...g-HOWTO-7.html):
>
> In the paragraph "Specifying fragments", it says:
> "If you are doing connection tracking or NAT, then all fragments will
> get merged back together before they reach the packet filtering code, so
> you need never worry about fragments."
>
> But 5 lines below, it also says that we can only filter the first
> fragment, because further fragments don't have their TCP header.
>
> So, are fragments merged or not?

In the first paragraph, note the words "If you are doing connection tracking or NAT". So, for firewall set-ups where you don't have either of these two features in use (like RH lokkit), the fragments are not merged.

Or at least this is how I read that documentation.

--
Wolf a.k.a. Juha Laiho, Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
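The contrast drawn in the reply above (a stateless `-p tcp --syn -j REJECT` chain versus a conntrack-backed `-m state --state NEW -j REJECT` chain, and what happens to fragments under each) can be made concrete with a small simulation. The code below is an added example written for this page; it is not code from the thread, from lokkit or from the netfilter HOWTO, and its `ToyConntrack` is a deliberately minimal stand-in for ip_conntrack (defragmentation plus a 5-tuple flow table; no RELATED state, no timeouts). All hosts, ports and packets are constructed sample data. Beyond the cases the reply names, it also pushes through a bare-ACK probe, which the stateless `--syn` rule cannot match, and a SYN split into two IP fragments, where only the first fragment carries the TCP flags the stateless rule needs.

```python
"""Toy model of a stateless `--syn` reject versus a conntrack `--state NEW` reject.

Added example for this thread, not netfilter or lokkit code. ToyConntrack is an
assumption: an in-memory defragmenter plus flow table standing in for ip_conntrack.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags set: "SYN", "ACK", "RST", "FIN"
    direction: str = "in"            # "in": arrives from outside; "out": sent by our host
    ip_id: int = 0                   # IP identification, shared by fragments of one datagram
    frag_offset: int = 0             # > 0: non-first fragment, carries no TCP/UDP header
    more_frags: bool = False         # IP "More Fragments" bit


def stateless_syn_reject(pkt: Packet) -> str:
    """Lokkit-style stateless chain: `-p tcp --syn -j REJECT`, everything else ACCEPT."""
    if pkt.direction == "out":
        return "ACCEPT"
    if pkt.frag_offset > 0:
        # No transport header in a later fragment, so a flag match cannot fire on it.
        return "ACCEPT"
    syn_only = "SYN" in pkt.flags and not (pkt.flags & {"ACK", "RST", "FIN"})
    return "REJECT" if (pkt.proto == "tcp" and syn_only) else "ACCEPT"


class ToyConntrack:
    """Minimal stand-in for ip_conntrack: reassembles fragments, then tracks flows by 5-tuple."""

    def __init__(self) -> None:
        self.flows: set = set()   # confirmed 5-tuples, stored as seen from the initiator
        self.frag_buf: Dict[Tuple[str, str, int], List[Packet]] = {}

    @staticmethod
    def _key(p: Packet) -> tuple:
        return (p.proto, p.src, p.dst, p.sport, p.dport)

    def reassemble(self, pkt: Packet) -> Optional[Packet]:
        """Return the whole datagram once every fragment has arrived; None while waiting."""
        if pkt.frag_offset == 0 and not pkt.more_frags:
            return pkt                      # not fragmented
        key = (pkt.src, pkt.dst, pkt.ip_id)
        buf = self.frag_buf.setdefault(key, [])
        buf.append(pkt)
        have_first = any(p.frag_offset == 0 for p in buf)
        have_last = any(not p.more_frags for p in buf)
        if not (have_first and have_last):
            return None
        first = next(p for p in buf if p.frag_offset == 0)   # header lives in fragment 0
        del self.frag_buf[key]
        return replace(first, frag_offset=0, more_frags=False)

    def state(self, pkt: Packet) -> str:
        k = self._key(pkt)
        rk = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        return "ESTABLISHED" if (k in self.flows or rk in self.flows) else "NEW"

    def confirm(self, pkt: Packet) -> None:
        """Record a flow only after the filter accepts it, as the kernel confirms entries late."""
        self.flows.add(self._key(pkt))


def stateful_filter(ct: ToyConntrack, pkt: Packet) -> str:
    """HOWTO-style chain: accept what the host sends and ESTABLISHED replies, reject inbound NEW."""
    whole = ct.reassemble(pkt)
    if whole is None:
        return "HELD"     # queued by the defragmenter; the filter never sees a bare fragment
    if whole.direction == "out" or ct.state(whole) == "ESTABLISHED":
        ct.confirm(whole)
        return "ACCEPT"
    return "REJECT"       # -m state --state NEW -j REJECT, with or without a TCP header


def run_scenario() -> Dict[str, Tuple[str, str]]:
    """Push constructed sample traffic through both filters: label -> (stateless, stateful)."""
    ct = ToyConntrack()
    host, web, dns, scanner = "10.0.0.2", "198.51.100.7", "192.0.2.53", "203.0.113.9"
    syn, synack, ack = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    traffic = [
        ("outbound http syn",      Packet("tcp", host, web, 40000, 80, syn, direction="out")),
        ("http syn-ack reply",     Packet("tcp", web, host, 80, 40000, synack)),
        ("unsolicited syn to 22",  Packet("tcp", scanner, host, 55555, 22, syn)),
        ("ack probe to 22",        Packet("tcp", scanner, host, 55556, 22, ack)),
        ("unsolicited udp to 53",  Packet("udp", scanner, host, 55557, 53)),
        ("outbound dns query",     Packet("udp", host, dns, 33333, 53, direction="out")),
        ("dns reply",              Packet("udp", dns, host, 53, 33333)),
        ("frag 1/2 of syn to 22",  Packet("tcp", scanner, host, 55558, 22, syn, ip_id=77, more_frags=True)),
        ("frag 2/2 of syn to 22",  Packet("tcp", scanner, host, ip_id=77, frag_offset=8)),
    ]
    return {label: (stateless_syn_reject(p), stateful_filter(ct, p)) for label, p in traffic}


if __name__ == "__main__":
    for label, (stateless, stateful) in run_scenario().items():
        print(f"{label:24} stateless={stateless:7} stateful={stateful}")
```

Two rows carry the point of the thread: the bare ACK to port 22 and the unsolicited UDP datagram both pass the stateless chain, because neither is a lone SYN, while conntrack classes each as NEW and rejects it. For the fragmented SYN, the stateless chain rejects fragment 1 (it has the TCP header) but lets fragment 2 through untouched, which is the HOWTO's "only the first fragment can be filtered" case; with conntrack the first fragment is held, and the reassembled datagram is rejected as a whole once the second arrives.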