Firewall functions: IPTABLES
USER GUIDE
182
RELATED   For packets relating to existing connections but which are not part of an existing one (e.g. an ICMP error packet, or an FTP-data connection [port 20] related to an FTP control connection).
INVALID   For packets which for some reason cannot be classified in any other way.
Example:
iptables -A FORWARD -d 192.168.1.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
allows packets towards network 192.168.1.0/24 that belong to established connections or to connections related to other active connections.
iptables -A FORWARD -d 192.168.1.0/24 -m state --state INVALID -j DROP
It is possible to analyze entries in the conntrack database by using the command (12):
show conntrack all
An example of output is the following:
tcp 6 117 SYN_SENT src=192.168.1.6 dst=192.168.1.9 sport=32775 dport=22
[UNREPLIED] src=192.168.1.9 dst=192.168.1.6 sport=22 dport=32775 [ASSURED]
use=2
which shows:
tcp                Protocol
6                  Protocol expressed as a numeric value
117                Time-to-live of the entry. This value decreases until no more traffic for this connection appears; when the entry changes status, it is reset to the default value.
SYN_SENT           Current status of the entry. The internal states are slightly different from those used externally by iptables. SYN_SENT indicates a connection on which a SYN has travelled in one direction only.
src=192.168.1.6    Source IP address
dst=192.168.1.9    Destination IP address
sport=32775        Source port
dport=22           Destination port
[UNREPLIED]        Keyword which indicates that no return traffic has passed on this connection
src=192.168.1.9 dst=192.168.1.6 sport=22 dport=32775    Return packet expected
When a connection has traffic in both directions, the UNREPLIED flag is removed and the entry is replaced by a new one carrying the ASSURED flag, which indicates that the entry will not be removed when the maximum number of tracked connections is reached. The maximum size of the conntrack table depends on the available memory; on Imola the default value is 4096.
The strength of this system is that it is not necessary to open all the ports above 1024 to let return traffic in: you only need to open the firewall to incoming traffic on the basis of connection state.
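As an added example that is not part of the manual, the following Python parser reads conntrack entries in the format shown above (the first sample line is the manual's own entry, the other two are constructed), splits each into the original-direction tuple, the expected return-packet tuple and the UNREPLIED/ASSURED flags, and lists the entries that have never seen return traffic; the "use=" reference count shown in the output is skipped.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample table in the "show conntrack" format described above (not captured
# from a real Imola); the first line is the manual's own example entry.
SAMPLE_CONNTRACK = """\
tcp 6 117 SYN_SENT src=192.168.1.6 dst=192.168.1.9 sport=32775 dport=22 [UNREPLIED] src=192.168.1.9 dst=192.168.1.6 sport=22 dport=32775 [ASSURED] use=2
tcp 6 431999 ESTABLISHED src=192.168.1.6 dst=192.168.1.9 sport=32776 dport=22 src=192.168.1.9 dst=192.168.1.6 sport=22 dport=32776 [ASSURED] use=1
udp 17 29 src=192.168.1.6 dst=192.168.1.1 sport=5353 dport=53 [UNREPLIED] src=192.168.1.1 dst=192.168.1.6 sport=53 dport=5353 use=1
"""
_TOKEN = re.compile(r"^(?:\[(?P<flag>\w+)\]|(?P<key>\w+)=(?P<val>\S+))$")

@dataclass
class ConntrackEntry:
    proto: str                # protocol name (tcp, udp, ...)
    proto_num: int            # the same protocol as a number (6, 17, ...)
    timeout: int              # seconds left before the entry is dropped
    state: Optional[str]      # TCP internal state (SYN_SENT, ESTABLISHED, ...); None for UDP
    original: Dict[str, str]  # first src/dst/sport/dport tuple: the packet that opened the entry
    reply: Dict[str, str]     # second tuple: the return packet conntrack expects
    flags: Set[str]           # UNREPLIED and/or ASSURED

def parse_entry(line: str) -> ConntrackEntry:
    tokens = line.split()
    proto, proto_num, timeout = tokens[0], int(tokens[1]), int(tokens[2])
    rest = tokens[3:]
    # A bare word after the timeout is the TCP state; UDP/ICMP entries have none.
    state = rest.pop(0) if rest and not _TOKEN.match(rest[0]) else None
    tuples: List[Dict[str, str]] = [{}, {}]
    flags: Set[str] = set()
    for tok in rest:
        m = _TOKEN.match(tok)
        if not m:
            raise ValueError(f"unexpected token {tok!r} in conntrack entry")
        if m["flag"]:
            flags.add(m["flag"])
        elif m["key"] != "use":  # use= is a reference count, not part of either tuple
            # Each key appears once per direction: the first occurrence is the original
            # direction, the second occurrence belongs to the reply direction.
            (tuples[1] if m["key"] in tuples[0] else tuples[0])[m["key"]] = m["val"]
    return ConntrackEntry(proto, proto_num, timeout, state, tuples[0], tuples[1], flags)

def parse_table(text: str) -> List[ConntrackEntry]:
    return [parse_entry(l) for l in text.splitlines() if l.strip()]

def unreplied(entries: List[ConntrackEntry]) -> List[ConntrackEntry]:
    """Entries that never saw return traffic: half-open or unanswered flows worth a look."""
    return [e for e in entries if "UNREPLIED" in e.flags]
```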
TCP connections
A TCP connection always starts with a three-way handshake:
(12) In some versions you have to use the command iptables-conntrack instead of show conntrack.