
Re: iptables generic INPUT rule



Joe Tseng wrote:
I recall seeing an example rule where the person allowed all established connections; it went something like this:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Is this a safe generic rule to have? Or is it better for me to state every case explicitly?

That allows traffic with any established connexion to pass. Any traffic not associated with existing traffic will not be permitted by that rule, so it does not permit any new sessions to start.

For that to occur, you need rules to explicitly allow connexions to specific services ahead of any rule (including policy) that denies them.


To clarify, here are some lines from my /etc/sysconfig/iptables:
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

The first allows existing sessions to continue.
Then I explicitly allow connexions to three services.
Finally, I deny all not explicitly allowed. On a firewall, I'd likely DROP rather than REJECT as the former causes unwelcome visitors to wait for a timeout.





--

Cheers
John

-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

Please do not reply off-list
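The ordering John describes (ESTABLISHED,RELATED first, explicit NEW allows for each service, catch-all last) is easy to get wrong when rules are edited by hand, because iptables evaluates a chain top to bottom and the first matching rule wins. The script below is an added example, not code from the original post: it generates that ruleset as iptables-restore style lines for the chain name and ports from the post, and checks that the catch-all has not drifted above the allows. It only prints text; loading it would need a full iptables-restore file with the *filter header and COMMIT, which is outside the example. The function names and the "--demo" flag are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the stateful INPUT
# policy discussed in the thread and checks rule ordering before it is loaded.

# gen_ruleset CHAIN FINAL_TARGET PORT...
# Prints rules in the order that matters:
#   1. let existing sessions continue (ESTABLISHED,RELATED)
#   2. explicitly allow NEW connexions to each listed TCP port
#   3. catch everything else with DROP or REJECT
# FINAL_TARGET is DROP (silent, attackers wait for a timeout) or REJECT
# (sends icmp-host-prohibited, as in the post).
gen_ruleset() {
    chain="$1"; final="$2"; shift 2
    printf '%s\n' "-A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for port in "$@"; do
        printf '%s\n' "-A $chain -m state --state NEW -m tcp -p tcp --dport $port -j ACCEPT"
    done
    case "$final" in
        DROP)   printf '%s\n' "-A $chain -j DROP" ;;
        REJECT) printf '%s\n' "-A $chain -j REJECT --reject-with icmp-host-prohibited" ;;
        *)      echo "unknown final target: $final" >&2; return 1 ;;
    esac
}

# check_order RULESET
# Returns 0 when the first rule is the ESTABLISHED,RELATED accept and the
# last rule is the catch-all, 1 otherwise. A catch-all placed too early
# silently shadows every allow rule after it, which is the usual cause of
# "I added the rule but the service is still unreachable".
check_order() {
    first=$(printf '%s\n' "$1" | head -n 1)
    last=$(printf '%s\n' "$1" | tail -n 1)
    case "$first" in
        *"--state ESTABLISHED,RELATED -j ACCEPT") ;;
        *) return 1 ;;
    esac
    case "$last" in
        "-A "*" -j DROP"|"-A "*" -j REJECT "*) return 0 ;;
        *) return 1 ;;
    esac
}

# rule_count RULESET: number of -A lines in the generated set.
rule_count() {
    printf '%s\n' "$1" | grep -c '^-A '
}

# Stand-alone demo: print the ruleset from the post and its ordering check.
if [ "${1:-}" = "--demo" ]; then
    RULES=$(gen_ruleset RH-Firewall-1-INPUT REJECT 22 443 80)
    printf '%s\n' "$RULES"
    if check_order "$RULES"; then
        echo "ordering ok: $(rule_count "$RULES") rules"
    else
        echo "ordering problem: catch-all is not last or state rule is not first" >&2
    fi
fi
```

Run it with `sh script.sh --demo` to see the five rules from the post. Switching the second argument to DROP produces the variant John says he would use on a firewall; check_order accepts either catch-all but rejects a set where the DROP or REJECT line has been moved above the allows.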

