John Von Neumann asked:
I’m currently working through the Linux Firewalls book and have a set of rules set up which dictate rules to follow around every STATE except for NEW, and I prefer being explicit when I’m writing code/config/whatever.
The rules in question:
26 $IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
27 $IPTABLES -A INPUT -m state --state INVALID -j DROP
28 $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Now I’d like to just specify the NEW state rules as well, to be clean.
In particular I’d like to just DROP NEW connections; at this stage I get why we’d ACCEPT RELATED connections. But I’m unsure if I’m causing a headache by doing a NEW. My thought process is that I won’t have an issue, because I don’t want random stuff trying to start connections with me, and I would imagine that because I have an intro rule of:
$IPTABLES -P INPUT DROP
That I’m already doing the
Can someone confirm if my thought process is correct here?
I haven’t read the book you linked, so I’m just going to go on about what you seem to be asking:
We call connections “incoming” and “outgoing” for our own convenience in understanding them, and this refers to which side initiated the connection. But the protocols don’t really see it that way. Before the connection is established, there is the state NEW for a new connection being set up. But once a connection is established there is only the local and remote host, and of course traffic flows both ways. Which host initiated the connection isn’t relevant or even tracked after the connection is established.
So, iptables firewalls are set up this way for efficiency. The rule numbered 28 above, however, should be much closer to the beginning of the firewall, so that most traffic doesn’t traverse a bunch of irrelevant rules. It allows already established (and related, which is protocol-dependent) traffic to flow inbound. This is nearly every packet, so such a rule should be very early in the tables.
Allowing an incoming new connection is at your discretion. If you run a web server, you might allow incoming new traffic on ports 443 and 80, for instance. Only the TCP SYN packet will match such rules. The rest of the inbound traffic is matched by the ESTABLISHED,RELATED rule. But if that SYN packet is not allowed, the connection can never become established.
(None of this discusses outgoing traffic, which is half the conversation. Most host firewalls don’t bother with this, but simply allow all outgoing traffic. If outgoing traffic is to be default-deny, then it too needs an ESTABLISHED,RELATED rule.)
Here is an example iptables firewall with each rule explained.
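The ordering the answer describes, as an added example (not the firewall linked above, nor code from the book or the question): ESTABLISHED,RELATED accepted first, INVALID logged and dropped, NEW accepted only on chosen ports, and every other NEW connection explicitly logged and dropped. IPTABLES defaults to a dry run that prints the commands, and the port list is an assumption (a web server).

```shell
#!/bin/sh
# Dry-run by default: only print the commands. Set IPTABLES=iptables to apply.
IPTABLES="${IPTABLES:-echo iptables}"
# Assumed: a web server, so NEW connections are accepted on these TCP ports.
NEW_TCP_PORTS="${NEW_TCP_PORTS:-80 443}"

apply_input_rules() {
    $IPTABLES -P INPUT DROP        # default policy: anything unmatched is dropped
    $IPTABLES -F INPUT

    # Loopback first; local services talk to themselves constantly.
    $IPTABLES -A INPUT -i lo -j ACCEPT

    # Nearly every packet belongs to an existing connection, so accept those
    # as early as possible instead of walking the rest of the chain.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Packets conntrack cannot classify: log, then drop.
    $IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID "
    $IPTABLES -A INPUT -m state --state INVALID -j DROP

    # Only the TCP SYN of a new connection reaches these rules; once accepted,
    # the rest of that connection matches ESTABLISHED above.
    for port in $NEW_TCP_PORTS; do
        $IPTABLES -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Explicit, logged drop of every other NEW connection. The policy already
    # drops these; the rules make the intent visible and give you a log line.
    $IPTABLES -A INPUT -m state --state NEW -j LOG --log-prefix "DROP NEW "
    $IPTABLES -A INPUT -m state --state NEW -j DROP
}

# Sanity check on the emitted ordering (always a dry run): the
# ESTABLISHED,RELATED accept must precede the first NEW rule. Returns 0 if so.
check_order() {
    rules=$(IPTABLES="echo iptables"; apply_input_rules)
    est=$(printf '%s\n' "$rules" | grep -n 'ESTABLISHED,RELATED' | cut -d: -f1 | head -n1)
    new=$(printf '%s\n' "$rules" | grep -n -- '--state NEW' | cut -d: -f1 | head -n1)
    [ -n "$est" ] && [ -n "$new" ] && [ "$est" -lt "$new" ]
}
```

Running the script without setting IPTABLES prints the rule set so it can be reviewed before it is applied.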
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.