iptables INPUT DROP NEW what effect will this have?

John Von Neumann asked:

I’m currently working through the Linux Firewalls book and have a set of rules set up which dictate rules to follow around every STATE except for NEW, and I prefer being explicit when I’m writing code/config/whatever.

The rules in question:

 26 $IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
 27 $IPTABLES -A INPUT -m state --state INVALID -j DROP
 28 $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Now I’d like to just specify the NEW state rules as well, to be clean.

In particular I’d like to just DROP NEW connections; at this stage I get why we’d ACCEPT ESTABLISHED and RELATED connections, but I’m unsure if I’m causing a headache by doing a DROP or REJECT on NEW. My thought process is that I won’t have an issue, because I don’t want random stuff trying to start connections with me, and I would imagine that because I have an intro rule of:

$IPTABLES -P INPUT DROP

That I’m already doing the DROP on NEW.

Can someone confirm if my thought process is correct here?

My answer:

I haven’t read the book you linked, so I’m just going to go on about what you seem to be asking:

We call connections “incoming” and “outgoing” for our own convenience in understanding them, and this refers to which side initiated the connection. But the protocols don’t really see it that way. Before the connection is established, there is the state NEW for a new connection being set up. But once a connection is established there is only the local and remote host, and of course traffic flows both ways. Which host initiated the connection isn’t relevant or even tracked after the connection is established.

So, iptables firewalls are set up this way for efficiency. The rule numbered 28 above, however, should be much closer to the beginning of the firewall, so that most traffic doesn’t traverse a bunch of irrelevant rules. It allows already established (and related, which is protocol-dependent) traffic to flow inbound. This is nearly every packet, so such a rule should be very early in the tables.

Allowing an incoming new connection is at your discretion. If you run a web server, you might allow incoming new traffic on ports 443 and 80, for instance. Only the TCP SYN packet will match such rules. The rest of the inbound traffic is matched by the ESTABLISHED,RELATED rule. But if that SYN packet is not allowed, the connection can never become established.

(None of this discusses outgoing traffic, which is half the conversation. Most host firewalls don’t bother with this, but simply allow all outgoing traffic. If outgoing traffic is to be default-deny, then it too needs an ESTABLISHED,RELATED rule.)

Here is an example iptables firewall with each rule explained.
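As an added example (not the book's script and not code from the original answer), here is an INPUT chain laid out in the order the answer recommends: default-deny policy, ESTABLISHED,RELATED accepted first, INVALID logged and dropped, then NEW accepted only on the ports you choose. The IPTABLES and ALLOW_NEW_TCP variables and the dry-run helper are this example's own assumptions, not anything from the page.

```shell
#!/bin/sh
# Added example, not code from the book or the original answer: an INPUT
# chain in the order the answer recommends. Assumptions: the IPTABLES and
# ALLOW_NEW_TCP variables and the dry-run helper are this example's own
# conventions; applying the rules for real needs root.
IPTABLES="${IPTABLES:-iptables}"
ALLOW_NEW_TCP="${ALLOW_NEW_TCP:-80 443}"   # a web server (assumed)

apply_input_rules() {
    $IPTABLES -F INPUT
    # Default policy: whatever is not accepted below is dropped, so NEW
    # connections to other ports are dropped without a rule of their own.
    $IPTABLES -P INPUT DROP
    $IPTABLES -A INPUT -i lo -j ACCEPT
    # Nearly every packet belongs to an existing connection; putting this
    # rule first keeps that traffic from traversing everything below.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets conntrack cannot classify: log, then drop.
    $IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID "
    $IPTABLES -A INPUT -m state --state INVALID -j DROP
    # Only the TCP SYN of a NEW connection matches here; the rest of the
    # flow is accepted by the ESTABLISHED,RELATED rule above.
    for port in $ALLOW_NEW_TCP; do
        $IPTABLES -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Explicit end for NEW: redundant with the policy, but it lets you log
    # what the policy would otherwise drop silently.
    $IPTABLES -A INPUT -m state --state NEW -j LOG --log-prefix "DROP NEW "
    $IPTABLES -A INPUT -m state --state NEW -j DROP
}

# Dry run: print each rule instead of applying it (one line per command).
print_rule() { printf '%s\n' "$*"; }
dry_run_rules() { ( IPTABLES=print_rule; apply_input_rules ); }

# 1-based line number of the first dry-run rule matching a pattern;
# used to check that the ordering above is what we think it is.
rule_position() {
    dry_run_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

case "${1:-}" in
    --dry-run) dry_run_rules ;;
    --apply)   apply_input_rules ;;
esac
```

Run it with `--dry-run` to review the rule order before applying anything; the NEW log/drop pair at the end is optional, since the policy already drops what it matches.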

View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.