Netfilter Extensions HOWTO: New connection tracking patches

5. New connection tracking patches

In this section, we list the available connection tracking/NAT patches. To use one, simply load the corresponding module (with options if needed) and it takes effect immediately.

5.1 eggdrop-conntrack patch

This patch by Magnus Sandin <magnus@sandin.cx> adds connection tracking support for eggdrop bot networks.

5.2 ftp-fxp patch

This patch by Magnus Sandin <magnus@sandin.cx> adds FXP (server-to-server transfer) support to FTP connection tracking. FXP'ing to NAT'ed FTP daemons does not work yet. To enable FXP connection tracking, load the helper with the fxp option:

# modprobe ip_conntrack_ftp.o fxp=1

The patch carries a security warning: WARNING, Applying this patch and enabling the feature WILL reduce security offered by FTP connection tracking significantly. Use with extreme care (and only if you know what you are doing).

The reason is that in an FXP transfer the address in the PORT command (or in the 227 reply) is not the address of the host that issued it but that of a third party. The stock helper only creates an expectation for a data connection to the host on the other end of the control connection; with fxp=1 it must accept any address, so any client that can send a PORT command through the firewall can have an outside FTP server open a TCP connection to an arbitrary host and port on the protected side. Later mainline kernels expose the same switch as the `loose' parameter of the FTP helper.
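To make the difference concrete, the following is an added example (not code from the patch or from the kernel) of the check a PORT-command parser performs in the strict and in the FXP mode. The control-connection address and the PORT lines are constructed for the example; the function names are hypothetical.

```python
import re

# Constructed example: the FTP client that owns the control connection.
CONTROL_SRC = "192.0.2.10"

# PORT h1,h2,h3,h4,p1,p2  (RFC 959), optionally CRLF-terminated.
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$"
)


def parse_port(line):
    """Return the (ip, port) announced by a PORT command, or None if malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        return None
    return ip, port


def expectation_for_port(line, control_src, fxp=False):
    """Decide whether the helper should expect a data connection for this command.

    Returns the (ip, port) the server will connect *to*, or None if the command
    is refused. In strict mode (fxp=False, the default) the announced address
    must be the client's own address on the control connection. With fxp=True
    any address is accepted, which is what third-party transfers need and what
    lets a client open a pinhole to any host behind the firewall.
    """
    parsed = parse_port(line)
    if parsed is None:
        return None
    ip, port = parsed
    if not fxp and ip != control_src:
        return None
    return ip, port


if __name__ == "__main__":
    for line in ("PORT 192,0,2,10,4,1\r\n", "PORT 198,51,100,7,4,1\r\n"):
        print(line.strip(), "strict:", expectation_for_port(line, CONTROL_SRC),
              "fxp:", expectation_for_port(line, CONTROL_SRC, fxp=True))
```

The second PORT line names a host other than the client; strict mode drops it, FXP mode turns it into an expectation for a connection from the server to 198.51.100.7:1025.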

5.3 irc-conntrack-nat patch

This patch by Harald Welte <laforge@gnumonks.org> allows DCC to work through NAT and connection tracking. By default, this module tracks IRC connections on port 6667, but you can change this to another port with the `ports=xx' argument.

5.4 pptp patch

This patch allows netfilter to track PPTP connections as well as to NAT them.

5.5 record-rpc patch

This patch by Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br> allows netfilter to track RPC portmapper requests over both UDP and TCP.

5.6 snmp-nat patch

This patch by James Morris <jmorris@intercode.com.au> allows netfilter to NAT basic SNMP. This is the ``basic'' form of SNMP-ALG, as described in RFC 2962: it works by modifying IP addresses inside SNMP payloads to match the IP-layer NAT mapping. Only the values of IpAddress type are touched; since those are always four bytes long, rewriting them in place leaves every enclosing BER length field valid.
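The following is an added example (not the patch's code) of what that basic payload rewriting amounts to: a walk over the BER-encoded SNMP message that replaces every IpAddress value found in the NAT mapping and leaves everything else, including addresses embedded in OID instance identifiers, untouched. The SNMPv1 GetResponse it operates on is constructed inline; the function names are hypothetical.

```python
# IpAddress (RFC 1155) is [APPLICATION 0] IMPLICIT OCTET STRING (SIZE (4)),
# BER identifier 0x40, always a 4-byte primitive.
IPADDRESS_TAG = 0x40


def _read_length(buf, i):
    """Decode a definite-form BER length at buf[i]; return (length, next_index)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or i + 1 + n > len(buf):          # indefinite form is not used by SNMP
        raise ValueError("unsupported or truncated BER length")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def rewrite_ipaddresses(msg, mapping):
    """Return (rewritten message, number of addresses changed).

    mapping maps dotted-quad strings to dotted-quad strings, the same way the
    NAT layer maps the addresses in the IP header.
    """
    out = bytearray(msg)
    changed = 0

    def walk(start, end):
        nonlocal changed
        i = start
        while i < end:
            tag = out[i]
            if tag & 0x1F == 0x1F:
                raise ValueError("multi-byte tags are not used by SNMP")
            length, vstart = _read_length(out, i + 1)
            vend = vstart + length
            if vend > end:
                raise ValueError("truncated BER element")
            if tag & 0x20:                        # constructed: SEQUENCE, PDU, VarBind...
                walk(vstart, vend)
            elif tag == IPADDRESS_TAG and length == 4:
                old = ".".join(str(b) for b in out[vstart:vend])
                new = mapping.get(old)
                if new is not None:
                    out[vstart:vend] = bytes(int(o) for o in new.split("."))
                    changed += 1
            i = vend

    walk(0, len(out))
    return bytes(out), changed


def _tlv(tag, value):
    """Minimal BER encoder used only to build the constructed sample."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + value


# ipAdEntAddr.192.168.1.5 (1.3.6.1.2.1.4.20.1.1.192.168.1.5); 192 and 168 are
# base-128 encoded as 0x81 0x40 and 0x81 0x28 inside the OID.
SAMPLE_OID = bytes([0x2B, 0x06, 0x01, 0x02, 0x01, 0x04, 0x14, 0x01, 0x01,
                    0x81, 0x40, 0x81, 0x28, 0x01, 0x05])


def sample_get_response():
    """Constructed SNMPv1 GetResponse: ipAdEntAddr.192.168.1.5 = 192.168.1.5."""
    varbind = _tlv(0x30, _tlv(0x06, SAMPLE_OID) + _tlv(0x40, bytes([192, 168, 1, 5])))
    pdu = _tlv(0xA2, _tlv(0x02, b"\x01") + _tlv(0x02, b"\x00") + _tlv(0x02, b"\x00")
               + _tlv(0x30, varbind))             # GetResponse-PDU is [2] IMPLICIT
    return _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x04, b"public") + pdu)


if __name__ == "__main__":
    rewritten, n = rewrite_ipaddresses(sample_get_response(), {"192.168.1.5": "203.0.113.9"})
    print(n, rewritten.hex())
```

Note what the basic ALG does not do: the instance index 192.168.1.5 inside the OID still names the private address after rewriting, so a manager on the outside sees a translated value under an untranslated index.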

5.7 talk-conntrack-nat patch

This patch by Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> allows netfilter to track talk connections, as well as to NAT them. By default both otalk (UDP port 517) and talk (UDP port 518) are supported. Support for otalk and talk can be selectively enabled or disabled through the module parameters of the ip_conntrack_talk and ip_nat_talk modules. The options are:

  • otalk = 0 | 1
  • talk = 0 | 1

where `0' means `do not support' and `1' means `do support' the given protocol flavour.

5.8 tcp-window-tracking patch

This patch by Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> makes netfilter do TCP connection tracking according to the article Real Stateful TCP Packet Filtering in IP Filter by Guido van Rooij: instead of only looking at flags, it keeps the highest sequence number, the highest acknowledged-plus-window edge and the largest announced window for each direction and drops segments whose sequence or acknowledgment numbers fall outside those bounds. It supports window scaling, and can now pick up already established connections (for example after a firewall restart).

This patch requires the ``ftp-fixes'' patch to be applied. It should be part of the standard kernel these days.
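The following is an added example (not the patch's code, which lives in the kernel in C) of the window-tracking scheme in Python: the four bounds from van Rooij's article, window scaling taken from the SYN options, and the mid-stream pick-up of a connection whose handshake was never seen. Field names follow the patch; the state machine and option parsing are omitted, and the segments in the two demo functions are constructed for the example.

```python
MOD = 1 << 32


def seq_diff(a, b):
    """Signed distance a - b on the 32-bit sequence-number circle."""
    return ((a - b + (1 << 31)) % MOD) - (1 << 31)


class Side:
    """Tracking data for one direction of the connection."""
    def __init__(self):
        self.end = 0          # highest seq+len this side has sent
        self.maxend = 0       # highest ack+win the peer offered: upper edge this side may send to
        self.maxwin = 0       # largest (scaled) window this side has announced
        self.scale = 0        # window shift count from this side's SYN
        self.seen_scale = False


class TcpWindowTracker:
    def __init__(self):
        self.sides = {"orig": Side(), "reply": Side()}

    def packet(self, direction, seq, ack, win, length=0, syn=False, ack_flag=True,
               fin=False, wscale=None):
        """Validate one segment sent in `direction`; update state; return True if in window."""
        sender = self.sides[direction]
        receiver = self.sides["reply" if direction == "orig" else "orig"]
        end = (seq + length + int(syn) + int(fin)) % MOD   # SYN and FIN each take one number

        if syn and not ack_flag:                  # a plain SYN starts tracking afresh (simplified)
            sender.__init__()
            receiver.__init__()
        if sender.maxwin == 0:
            # First segment seen from this side: the SYN/ACK of a handshake, or a connection
            # picked up mid-stream with its history lost. Seed the bounds from the segment.
            sender.end = end
            sender.maxwin = max(win, 1)           # scale unknown on pick-up, SYN windows unscaled
            sender.maxend = end if syn else (end + sender.maxwin) % MOD
            if not syn and receiver.maxwin == 0:
                receiver.end = receiver.maxend = ack
        if not ack_flag:
            ack = receiver.end                    # nothing to check in the ACK field

        in_window = (
            seq_diff(seq, sender.maxend) <= 0                                  # I
            and seq_diff(end, (sender.end - receiver.maxwin) % MOD) >= 0       # II
            and seq_diff(ack, receiver.end) <= 0                               # III
            and seq_diff(ack, (receiver.end - sender.maxwin) % MOD) >= 0       # IV
        )
        if not in_window:
            return False

        if syn:
            sender.scale, sender.seen_scale = (wscale or 0), wscale is not None
            if ack_flag and not (sender.seen_scale and receiver.seen_scale):
                sender.scale = receiver.scale = 0  # scaling only if both SYNs carried the option
            swin = win                             # window fields in SYN segments are never scaled
        else:
            swin = win << sender.scale
        sender.maxwin = max(sender.maxwin, swin, 1)
        if seq_diff(end, sender.end) > 0:
            sender.end = end
        if ack_flag and seq_diff((ack + swin) % MOD, receiver.maxend) > 0:
            receiver.maxend = (ack + swin) % MOD
        return True


def demo_handshake():
    """Constructed handshake and data, followed by three out-of-window segments."""
    t = TcpWindowTracker()
    return [
        t.packet("orig", 1000, 0, 65535, syn=True, ack_flag=False, wscale=7),
        t.packet("reply", 5000, 1001, 29200, syn=True, wscale=7),
        t.packet("orig", 1001, 5001, 229),                # 229 << 7 = 29312 after scaling
        t.packet("orig", 1001, 5001, 229, length=100),
        t.packet("reply", 5001, 1101, 229),
        t.packet("orig", 201001, 5001, 229, length=10),   # seq far beyond the offered window
        t.packet("orig", 1101, 9000000, 229),             # acks data the peer never sent
        t.packet("orig", (1101 - 100000) % MOD, 5001, 229),  # older than one window of retransmit
    ]


def demo_pickup():
    """Constructed mid-stream pick-up: no SYN seen, bounds seeded from live traffic."""
    t = TcpWindowTracker()
    return [
        t.packet("orig", 777000, 999000, 1000),
        t.packet("reply", 999000, 777000, 500),
        t.packet("orig", 782000, 999000, 1000),           # 4000 bytes past the seeded edge
    ]


if __name__ == "__main__":
    print(demo_handshake(), demo_pickup())
```

On pick-up the window scale is unknown and is assumed to be 0, so the seeded bounds can be tighter than the real ones; that is the price of tracking a connection whose SYN was never seen.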

5.9 tftp patch

This patch by Magnus Boden <mb@ozaba.mine.nu> allows netfilter to track TFTP connections as well as to NAT them. By default, this module tracks TFTP connections on port 69, but you can change this to another port with the `ports=xx' argument.

Note from the author of the patch: The first packet back from the server will never reach the client, but almost all clients do send another request and this time it will work as expected; this applies to both SNAT and DNAT.
