
#1 2019-01-19 10:11:24

chrisdb
Member
From: Belgium
Registered: 2018-05-16
Posts: 155

[SOLVED] Iptables simple stateful firewall

Hello,

I've been looking into iptables and I had some questions regarding the following:
https://wiki.archlinux.org/index.php/Si … rules_file

I was wondering why the following rules are necessary:

# iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
# iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

Doesn't the first rule already allow this?

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

I mean, if I initiated a connection, e.g. with a web browser, there's already a connection created. So I would guess the first rule will pass and there's no need for the ones I mentioned above.

Thanks for any clarifications :-)

Last edited by chrisdb (2019-01-21 11:49:26)


Failure is success in progress.
A.E.


#2 2019-01-19 11:14:14

loqs
Member
Registered: 2014-03-06
Posts: 17,372

Re: [SOLVED] Iptables simple stateful firewall

These match a new unrelated connection.

# iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
# iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

This covers connections already allowed or a new connection that is related to an existing one such as an ICMP error.

# iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT


#3 2019-01-19 11:23:38

chrisdb
Member
From: Belgium
Registered: 2018-05-16
Posts: 155

Re: [SOLVED] Iptables simple stateful firewall

loqs wrote:

These match a new unrelated connection.

# iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
# iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

So this would pass unrelated connections to the UDP or TCP chain? And what happens then? Are all rules re-evaluated then?




#4 2019-01-19 11:25:35

Piri
Member
Registered: 2018-06-02
Posts: 70

Re: [SOLVED] Iptables simple stateful firewall

chrisdb wrote:

I mean, if I initiated a connection, e.g. with a web browser, there's already a connection created. So I would guess the first rule will pass and there's no need for the ones I mentioned above.

The TCP/UDP chains are for incoming connections that are not initiated by yourself (e.g. someone SSHs to your machine).

See the "The TCP and UDP chains" section, where they explicitly open up SSH, HTTP, HTTPS, etc.

chrisdb wrote:

So this would pass unrelated connections to the UDP or TCP chain? And what happens then? Are all rules re-evaluated then?

No, this just attaches the TCP/UDP chains to NEW TCP/UDP connections.


#5 2019-01-19 11:29:54

chrisdb
Member
From: Belgium
Registered: 2018-05-16
Posts: 155

Re: [SOLVED] Iptables simple stateful firewall

piri wrote:

No, this just attaches the TCP/UDP chains to NEW TCP/UDP connections.

Are they all allowed then? So every incoming unrelated connection is accepted?

Sorry, I'm just trying to understand.

Thx




#6 2019-01-19 11:38:08

loqs
Member
Registered: 2014-03-06
Posts: 17,372

Re: [SOLVED] Iptables simple stateful firewall


#7 2019-01-19 12:14:17

chrisdb
Member
From: Belgium
Registered: 2018-05-16
Posts: 155

Re: [SOLVED] Iptables simple stateful firewall

Ok, so if I understand correctly and following the example (Resulting iptables.rules file), nothing will happen because there are no specific TCP or UDP chain rules specified.

So basically the packet will be dropped?




#8 2019-01-19 12:30:49

loqs
Member
Registered: 2014-03-06
Posts: 17,372

Re: [SOLVED] Iptables simple stateful firewall

Simple_stateful_firewall#The_INPUT_chain

wiki wrote:

Similar to the previous chains, we set the default policy for the INPUT chain to DROP in case something somehow slips by our rules. Dropping all traffic and specifying what is allowed is the best way to make a secure firewall.

Warning: If you are logged in via SSH, the following will immediately disconnect the SSH session. To avoid it: (1) add the first INPUT chain rule below (it will keep the session open), (2) add a regular rule to allow inbound SSH (to be able to reconnect in case of a connection drop) and (3) set the policy.

# iptables -P INPUT DROP

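To make the answers in #2, #4, #7 and #8 concrete, here is a small added model of how netfilter walks the INPUT chain for the rules quoted in this thread. It is illustration code written for this thread, not code from the Arch wiki or from any poster. Only the three INPUT rules quoted above, the DROP policy, and the wiki's SSH accept in the TCP chain (mentioned in #4) are modelled; the wiki's full INPUT chain also carries loopback, INVALID, ICMP and trailing REJECT rules, which are left out here so that an unmatched packet falls through to the policy, as #7 and #8 discuss. Interface matches and `--reject-with` types are not modelled, and the sample packets are constructed.

```python
"""Toy model of iptables chain traversal for the wiki's stateful INPUT chain.

Added example for this thread; not the wiki's or any poster's code.
Shows what happens after `-j TCP` / `-j UDP`: the user chain is walked,
and if it runs off the end the packet RETURNs to the *next* INPUT rule
(rules are not re-evaluated from the top), ending at the chain policy.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    ctstate: str         # conntrack verdict: NEW, ESTABLISHED, RELATED or INVALID
    dport: int = 0
    syn: bool = False    # SYN-only TCP flags, which is what `--syn` matches


@dataclass(frozen=True)
class Rule:
    target: str                               # ACCEPT, DROP, REJECT or a user chain
    proto: Optional[str] = None               # -p
    ctstates: FrozenSet[str] = frozenset()    # -m conntrack --ctstate (empty = any)
    dport: Optional[int] = None               # --dport
    syn: bool = False                         # --syn

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.ctstates and pkt.ctstate not in self.ctstates:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.syn and not pkt.syn:
            return False
        return True


TERMINAL = {"ACCEPT", "DROP", "REJECT"}


class Filter:
    """Built-in INPUT chain plus the two user chains from the wiki page."""

    def __init__(self, input_policy: str = "DROP") -> None:
        self.chains: dict = {"INPUT": [], "TCP": [], "UDP": []}
        self.policy = {"INPUT": input_policy}

    def append(self, chain: str, rule: Rule) -> None:   # like `iptables -A`
        self.chains[chain].append(rule)

    def _walk(self, chain: str, pkt: Packet, trace: List[str]) -> Optional[str]:
        for n, rule in enumerate(self.chains[chain], 1):
            if not rule.matches(pkt):
                continue
            trace.append(f"{chain}:{n} -> {rule.target}")
            if rule.target in TERMINAL:
                return rule.target
            # Jump into a user chain. If it is exhausted it implicitly RETURNs,
            # and evaluation resumes at the rule after the jump in this chain.
            verdict = self._walk(rule.target, pkt, trace)
            if verdict is not None:
                return verdict
            trace.append(f"{rule.target} exhausted, back to {chain}:{n + 1}")
        return None   # end of chain: built-in chains fall back to their policy

    def verdict(self, pkt: Packet) -> Tuple[str, List[str]]:
        trace: List[str] = []
        v = self._walk("INPUT", pkt, trace)
        if v is None:
            v = self.policy["INPUT"]
            trace.append(f"INPUT policy -> {v}")
        return v, trace


def wiki_ruleset() -> Filter:
    """The rules quoted in this thread, in the order the wiki adds them."""
    fw = Filter(input_policy="DROP")                       # iptables -P INPUT DROP
    fw.append("INPUT", Rule("ACCEPT", ctstates=frozenset({"RELATED", "ESTABLISHED"})))
    fw.append("INPUT", Rule("UDP", proto="udp", ctstates=frozenset({"NEW"})))
    fw.append("INPUT", Rule("TCP", proto="tcp", ctstates=frozenset({"NEW"}), syn=True))
    fw.append("TCP", Rule("ACCEPT", proto="tcp", dport=22))   # wiki's SSH example
    return fw


if __name__ == "__main__":
    fw = wiki_ruleset()
    # Constructed sample packets: a reply to a browser connection, an inbound
    # SSH connect, an inbound HTTP connect with no TCP-chain rule, and a
    # NEW TCP packet without SYN (does not match `--syn`).
    for pkt in (Packet("tcp", "ESTABLISHED", 443), Packet("tcp", "NEW", 22, syn=True),
                Packet("tcp", "NEW", 80, syn=True), Packet("tcp", "NEW", 22)):
        v, trace = fw.verdict(pkt)
        print(f"{pkt}: {v}  via {' | '.join(trace)}")
```

Running it shows the established browser reply accepted by the first rule alone, the SSH SYN accepted inside the TCP chain, and the HTTP SYN jumping to TCP, returning to INPUT rule 4 (which does not exist in this reduced set) and then hitting the DROP policy.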

#9 2019-01-19 17:42:36

Lone_Wolf
Forum Moderator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,920

Re: [SOLVED] Iptables simple stateful firewall

If your internet connection supports IPv4 and IPv6, you'll have to create 2 sets of rules.
You might want to use nftables instead of iptables then.


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)


#10 2019-01-21 11:48:21

chrisdb
Member
From: Belgium
Registered: 2018-05-16
Posts: 155

Re: [SOLVED] Iptables simple stateful firewall

Thx for the answers

I will also have a look at nftables :-)


