Re: [Nufw-users] use NFQUEUE for connection tracking
From: Eric Leblond
Subject: Re: [Nufw-users] use NFQUEUE for connection tracking
Date: Thu, 05 Oct 2006 18:35:06 +0200
On Thursday 05 October 2006 at 16:22 +0000, address@hidden wrote:
> Hello!
>
> For good connection tracking with QUEUE we have to write these rules:
>
> iptables -A FORWARD -p tcp -m state --state ESTABLISHED --tcp-flags
> ACK,FIN NONE -j ACCEPT
> iptables -A FORWARD -d $DMZ -p tcp -m state --state ESTABLISHED
> --dport 80 --tcp-flags SYN,RST,ACK RST -j QUEUE
> iptables -A FORWARD -d $DMZ -p tcp -m state --state ESTABLISHED
> --dport 80 --tcp-flags FIN FIN -j QUEUE
> iptables -A FORWARD -s $DMZ -p tcp -m state --state ESTABLISHED
> --sport 80 --tcp-flags SYN,ACK SYN,ACK -j QUEUE
> iptables -A FORWARD -p tcp -m state --state ESTABLISHED -j ACCEPT
> iptables -A FORWARD -d $DMZ -p tcp --syn --dport 80 -m state --state
> NEW -j QUEUE
>
> And for NFQUEUE, what are the best rules? The same or others?
No, you don't need these options; a single
iptables -A FORWARD -d $DMZ -p tcp --syn --dport 80 -m state --state NEW
-j NFQUEUE
is enough.
But to do this you will need libnetfilter_conntrack to add
support for conntrack events in the nufw daemon.
After that, simply run nufw with the -C option:
nufw -C
> 1) I would like to keep the rule ESTABLISHED -j ACCEPT to push the
> packets to snort-inline (NFQUEUE --queue-num 3 -> we can, I'll try and
> I'll do it!! Ah ah)
Yes clearly possible.
> 2) I'm French -> an example is better than a long blabla (maybe I
> will not understand all of it)
Regards ;p
--
Eric Leblond <address@hidden>
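The ruleset discussed above, written out as an added example that is not part of the original thread or of the nufw project: a POSIX sh script that validates the DMZ network, then emits (or, with APPLY=1, applies) the single NEW rule Eric says is sufficient with nufw -C, plus the ESTABLISHED rule the poster wants to hand to snort-inline on queue 3. The queue numbers are assumptions (nufw on queue 0 via NUFW_QUEUE, snort-inline on queue 3 via IDS_QUEUE), as is the 192.0.2.0/24 DMZ used in the usage comment.

```shell
#!/bin/sh
# Added example, not code from the thread or from nufw. Builds the minimal
# NFQUEUE ruleset: NEW SYN to the DMZ web port -> nufw's queue, ESTABLISHED
# traffic -> snort-inline's queue. Dry run by default; APPLY=1 runs iptables.
# Assumed defaults: nufw on queue 0 (NUFW_QUEUE), snort-inline on queue 3
# (IDS_QUEUE). Usage: DMZ net as $1 (e.g. 192.0.2.0/24), port as $2 (default 80).

# Accept an IPv4 host or network in dotted-quad form, optionally with /len.
valid_net() {
    net=$1
    case $net in
        */*) ip=${net%/*}; len=${net#*/} ;;
        *)   ip=$net; len=32 ;;
    esac
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the two iptables commands for DMZ net $1 and TCP port $2 (default 80).
# Fails (status 1) on an invalid network so a typo never yields a rule
# that matches everything.
nfqueue_rules() {
    dmz=$1; port=${2:-80}
    nufw_q=${NUFW_QUEUE:-0}; ids_q=${IDS_QUEUE:-3}
    valid_net "$dmz" || { echo "invalid DMZ network: $dmz" >&2; return 1; }
    cat <<EOF
iptables -A FORWARD -p tcp -m state --state ESTABLISHED -j NFQUEUE --queue-num $ids_q
iptables -A FORWARD -d $dmz -p tcp --syn --dport $port -m state --state NEW -j NFQUEUE --queue-num $nufw_q
EOF
}

# Dry run unless APPLY=1; when applying, each emitted line is executed as-is.
apply_rules() {
    if [ "${APPLY:-0}" = 1 ]; then
        nfqueue_rules "$@" | while IFS= read -r cmd; do sh -c "$cmd" || exit 1; done
    else
        nfqueue_rules "$@"
    fi
}

# Only act when invoked with arguments, e.g.: sh nfq-rules.sh 192.0.2.0/24 80
if [ $# -gt 0 ]; then
    apply_rules "$@"
fi
```

Because nufw -C takes state from conntrack events rather than from the packets themselves, the NEW rule is the only one nufw needs; the ESTABLISHED rule exists purely so snort-inline sees the rest of the flow, and it is listed first so the SYN rule only ever sees new connections.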