
#1 2015-09-07 14:14:56

old_boots
Member
Registered: 2015-09-07
Posts: 5

Understanding the simple stateful firewall

I am working my way through the 'Simple stateful firewall' wiki. There is a pause when we reach the first version with all the basic rules implemented.

# Generated by iptables-save v1.4.18 on Sun Mar 17 14:21:12 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Sun Mar 17 14:21:12 2013

I am trying to figure out whether this, on its own, is a properly configured firewall. Most of it makes sense to me. We look at INPUT packets, see which rules they match and respond accordingly. But if the firewall is left in the above state, I am trying to understand the logic of what happens to a NEW incoming TCP or UDP packet.
Put another way, I don't understand this comment and would be grateful for an explanation:

Now we attach the TCP and UDP chains to the INPUT chain to handle all new incoming connections. Once a connection is accepted by either TCP or UDP chain, it is handled by the RELATED/ESTABLISHED traffic rule. The TCP and UDP chains will either accept new incoming connections, or politely reject them. New TCP connections must be started with SYN packets.

The following section shows how to add lines which allow handling incoming connections for TCP and UDP. If I am not trying to set up a server of any sort, I presume those are not necessary. The sections after that also only seem relevant to a server (but I'd be happy to be corrected!).

Last edited by old_boots (2015-09-07 15:53:03)
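As an added illustration (not part of old_boots's post or of the wiki), here is a small Python model of the INPUT chain above that walks a packet through the rules in the listed order, first with the TCP and UDP chains empty as in the quoted state, then after a hypothetical `allow_tcp_port` helper appends an ACCEPT rule to the TCP chain. The `Packet` fields and the helper are assumptions of the model, not iptables syntax.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str                 # "tcp", "udp", "icmp" or anything else
    ctstate: str               # conntrack state: NEW, ESTABLISHED, RELATED, INVALID
    iface: str = "eth0"
    dport: int = 0
    syn_only: bool = False     # True when --tcp-flags FIN,SYN,RST,ACK SYN matches
    icmp_type: int = -1

# The two user-defined chains; a rule is a callable returning a verdict or None.
TCP_CHAIN = []
UDP_CHAIN = []

def allow_tcp_port(port):
    """Assumed helper: appends an ACCEPT rule for one port to the TCP chain."""
    TCP_CHAIN.append(lambda p: "ACCEPT" if p.dport == port else None)

def run_chain(chain, pkt):
    for rule in chain:
        verdict = rule(pkt)
        if verdict is not None:
            return verdict
    return None   # fell off the end of the chain: implicit RETURN to INPUT

def input_chain(pkt):
    """Applies the INPUT rules in the order the ruleset lists them."""
    if pkt.ctstate in ("RELATED", "ESTABLISHED"):   # replies to our own traffic
        return "ACCEPT"
    if pkt.iface == "lo":
        return "ACCEPT"
    if pkt.ctstate == "INVALID":
        return "DROP"
    if pkt.proto == "icmp" and pkt.icmp_type == 8 and pkt.ctstate == "NEW":
        return "ACCEPT"                              # ping (echo-request)
    if pkt.proto == "udp" and pkt.ctstate == "NEW":
        verdict = run_chain(UDP_CHAIN, pkt)
        if verdict: return verdict
    if pkt.proto == "tcp" and pkt.syn_only and pkt.ctstate == "NEW":
        verdict = run_chain(TCP_CHAIN, pkt)
        if verdict: return verdict
    # Nothing accepted the packet, so the three REJECT rules answer politely.
    if pkt.proto == "udp":
        return "REJECT icmp-port-unreachable"
    if pkt.proto == "tcp":
        return "REJECT tcp-reset"
    return "REJECT icmp-proto-unreachable"
```

With both chains empty every NEW TCP SYN is answered with a TCP reset and every NEW UDP datagram with port-unreachable, which is what the quoted state does on a machine that runs no server; the ACCEPT rules the next wiki section adds are what change that for chosen ports.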
