NetFilter

ESTABLISHED makes possible to connect to internal servers

To: netfilter@lists.netfilter.org
Subject: ESTABLISHED makes possible to connect to internal servers
From: Anton Sidorov <asidorov@mfmdb.com>
Date: Tue, 10 Apr 2007 18:39:10 +0100
User-agent: Thunderbird 1.5.0.10 (X11/20070306)
Hi,

I have a slight problem and cannot find any answers myself or on the
Internet.

I run iptables on a Debian-based router/firewall.

I do not use NAT or private IP addresses.
vlan2 and vlan3 are external connections to ISPs.
vlan101 and vlan82 are internal interfaces.

The problem is that if I put
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
or just
iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT

it is possible to access my internal web server (and not only the web
server) from outside, even though I did not open port 80 in the FORWARD
chain and the policy for FORWARD is DROP.

As soon as I remove those lines I cannot connect to the Internet from
behind the firewall.

I've been fighting with that problem for two weeks now.
I rewrote my script several times and brought it down to the bare basics,
but nothing has fixed the problem.

kernel 2.6.18-4-686
iptables v1.3.6

Please, any hints or tips would be really appreciated.

Best regards,

Anton.

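Added example (not code from the post or from the netfilter project): a small Python model of iptables state matching in the FORWARD chain, using the post's ESTABLISHED,RELATED rule plus assumed NEW rules for vlan101 and vlan82, with constructed documentation-range addresses. It shows that the state rule alone only admits packets of a connection conntrack has already seen accepted, so in this model an unsolicited inbound SYN to port 80 is dropped unless some earlier rule accepted it first.

```python
from collections import namedtuple
# Packet fields: arriving interface (-i), source, sport, destination, dport.
Packet = namedtuple("Packet", "in_if src sport dst dport")
# Rule fields: target (ACCEPT/DROP), -i match ("" = any), -m state --state set (empty = any).
Rule = namedtuple("Rule", "target in_if states", defaults=("", frozenset()))

class Conntrack:
    """Stand-in for the kernel conntrack table: TCP only, no RELATED helpers, no timeouts."""
    def __init__(self):
        self.flows = set()
    def state(self, p):
        orig, reply = (p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)
        return "ESTABLISHED" if orig in self.flows or reply in self.flows else "NEW"
    def confirm(self, p):
        self.flows.add((p.src, p.sport, p.dst, p.dport))

def forward(rules, ct, p, policy="DROP"):
    """First-match walk of the FORWARD chain, falling back to the chain policy."""
    st, verdict = ct.state(p), policy
    for r in rules:
        if (r.in_if and r.in_if != p.in_if) or (r.states and st not in r.states):
            continue
        verdict = r.target
        break
    if verdict == "ACCEPT" and st == "NEW":
        ct.confirm(p)  # an entry is confirmed only after the first packet is accepted
    return verdict

# The post's state rule plus assumed explicit NEW rules for the two internal interfaces.
POST_RULES = [
    Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
    Rule("ACCEPT", in_if="vlan101", states=frozenset({"NEW"})),
    Rule("ACCEPT", in_if="vlan82", states=frozenset({"NEW"})),
]

def run_scenario(rules):
    """Three constructed packets (documentation-range addresses): an outbound SYN from
    the LAN, the reply to it, and an unsolicited SYN from outside to an internal port 80."""
    ct = Conntrack()
    out_syn = Packet("vlan101", "192.0.2.5", 40000, "203.0.113.10", 80)
    reply = Packet("vlan2", "203.0.113.10", 80, "192.0.2.5", 40000)
    in_syn = Packet("vlan2", "198.51.100.7", 51000, "192.0.2.20", 80)
    return {"outbound_syn": forward(rules, ct, out_syn),
            "reply": forward(rules, ct, reply),
            "inbound_syn_to_web": forward(rules, ct, in_syn)}

if __name__ == "__main__":
    print(run_scenario(POST_RULES))                     # inbound SYN is dropped
    print(run_scenario([Rule("ACCEPT")] + POST_RULES))  # a blanket ACCEPT ahead of it admits the SYN
```

The second call shows the contrast: once any rule ahead of the state rule accepts the first packet, the connection is confirmed and every later packet matches ESTABLISHED.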