iptables generic INPUT rule

John Summerfield debian at herakles.homelinux.org
Mon Nov 5 22:14:48 UTC 2007


Joe Tseng wrote:
> I recall seeing an example rule where the person allowed all established 
> connections; it went something like this:
> 
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> 
> Is this a safe generic rule to have?  Or is it better for me to state 
> every case explicitly?

That allows traffic belonging to any established connexion to pass. Any 
traffic not associated with existing traffic will not be permitted by that 
rule, so it does not permit any new sessions to start.

For that to occur, you need rules to explicitly allow connexions to 
specific services ahead of any rule (including policy) that denies them.


To clarify, here are some lines from my /etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

The first allows existing sessions to continue.
Then I explicitly allow connexions to three services.
Finally, I deny all not explicitly allowed. On a firewall, I'd likely 
DROP rather than REJECT as the former causes unwelcome visitors to wait 
for a timeout.
-- 

Cheers
John

-- spambait
1aaaaaaa at coco.merseine.nu  Z1aaaaaaa at coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

Please do not reply off-list

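The three-step pattern in the post above (let ESTABLISHED/RELATED through, admit NEW connections only on listed ports, deny the rest with REJECT or DROP), as an added example that is not part of the original message or of Fedora's own configuration. The script below defines two hypothetical helpers: gen_ruleset prints a complete ruleset in iptables-restore(8) format for a chain that INPUT and FORWARD jump to (the RH-Firewall-1-INPUT layout), and check_order verifies that in a given ruleset the ESTABLISHED,RELATED rule precedes the first NEW rule and that the deny rule is the chain's last rule. The loopback ACCEPT rule is an addition beyond the post: without it, local clients talking to local daemons would hit the final deny rule. The script only prints text; loading it with iptables-restore must be done as root on a real host.

```shell
#!/bin/sh
# Added example, not from the original post. gen_ruleset and check_order
# are hypothetical helpers written for this illustration.

# rule prints its arguments as one ruleset line (avoids printf format
# strings that begin with '-').
rule() { printf '%s\n' "$*"; }

# gen_ruleset CHAIN FINAL_TARGET PORT...
#   CHAIN         chain that INPUT and FORWARD jump to, e.g. RH-Firewall-1-INPUT
#   FINAL_TARGET  REJECT (immediate ICMP error) or DROP (silent; scanners
#                 wait for a timeout)
#   PORT...       TCP ports on which NEW connections are accepted
gen_ruleset() {
    chain=$1
    final=$2
    shift 2

    case $final in
        REJECT) final_rule="-j REJECT --reject-with icmp-host-prohibited" ;;
        DROP)   final_rule="-j DROP" ;;
        *) echo "gen_ruleset: FINAL_TARGET must be REJECT or DROP" >&2; return 1 ;;
    esac

    rule '*filter'
    rule ':INPUT ACCEPT [0:0]'
    rule ':FORWARD ACCEPT [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    rule ":$chain - [0:0]"
    rule -A INPUT -j "$chain"
    rule -A FORWARD -j "$chain"
    # Loopback: an addition beyond the post, see the lead-in.
    rule -A "$chain" -i lo -j ACCEPT
    # Step 1: existing sessions continue; this rule opens no new session.
    rule -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Step 2: one explicit rule per service for which new connections are wanted.
    for port in "$@"; do
        rule -A "$chain" -m state --state NEW -m tcp -p tcp --dport "$port" -j ACCEPT
    done
    # Step 3: everything not matched above is denied.
    rule -A "$chain" $final_rule
    rule 'COMMIT'
}

# check_order CHAIN
#   Reads a ruleset on stdin. Succeeds only if, among the -A rules of CHAIN,
#   the ESTABLISHED,RELATED rule comes before the first NEW rule and a
#   REJECT/DROP rule is the last rule of the chain. Handy for checking an
#   existing /etc/sysconfig/iptables before loading it.
check_order() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            n++
            if ($0 ~ /--state (ESTABLISHED,RELATED|RELATED,ESTABLISHED)/) est = n
            if ($0 ~ /--state NEW/ && !firstnew) firstnew = n
            if ($0 ~ /-j (REJECT|DROP)/) deny = n
        }
        END {
            if (!est || !deny) exit 1
            if (firstnew && est > firstnew) exit 1
            if (deny != n) exit 1
            exit 0
        }'
}

# Example invocation (prints the ruleset; pipe into iptables-restore as root
# to load it on a real host):
#   gen_ruleset RH-Firewall-1-INPUT REJECT 22 443 80
#   gen_ruleset RH-Firewall-1-INPUT REJECT 22 443 80 | check_order RH-Firewall-1-INPUT
```

Switching the second argument from REJECT to DROP gives the silent variant the post prefers on a firewall; everything else in the generated ruleset stays the same.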