LinuxQuestions.org


karimasif 09-05-2007 01:34 AM

Iptables Connection Tracking
 
Hi
I am curious about the iptables action if the following rules are in order for port 80 for inbound connections w.r.t. the firewall.

Are the following rules, in this order, correct, i.e. will the web server perform well if these rules have been placed?

iptables -A FORWARD -i eth0 -p tcp --tcp-flags SYN,ACK,FIN,RST ACK -s 0/0 -d 192.168.1.10 --dport 80 -m state --state NEW -j LOG
iptables -A FORWARD -i eth0 -p tcp --tcp-flags SYN,ACK,FIN,RST ACK -s 0/0 -d 192.168.1.10 --dport 80 -m state --state NEW -j DROP

iptables -A FORWARD -i eth0 -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -s 0/0 --sport 1024:65535 -d 192.168.1.10 --dport 80 -m state --state NEW -j ACCEPT

iptables -A FORWARD -i eth1 -p tcp --tcp-flags SYN,ACK,FIN,RST SYN,ACK -s 192.168.1.10 --sport 80 -d 0/0 --dport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A FORWARD -i eth0 -p tcp --tcp-flags SYN,ACK,FIN,RST ACK -s 0/0 --sport 1024:65535 -d 192.168.1.10 --dport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
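The following is an added example, not part of the thread and not the poster's code. It is a toy model of the FORWARD chain plus a minimal connection-tracking table that replays a TCP handshake through the five rules above, so the first-match and conntrack-state behaviour can be checked offline without a firewall. Assumptions: TCP only, a default chain policy of DROP, a conntrack that knows only NEW and ESTABLISHED (a lone ACK with no known flow is classified NEW, as with the kernel's loose TCP tracking), and the constructed client addresses 203.0.113.5 and 198.51.100.7.

```python
"""Toy iptables FORWARD chain with a minimal conntrack table (added example).

Assumptions: TCP only, chain policy DROP, states limited to NEW/ESTABLISHED.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY = None                         # stands in for "-s 0/0", "-d 0/0" or no port match
Port = Optional[Tuple[int, int]]   # inclusive port range, e.g. (1024, 65535)


@dataclass(frozen=True)
class Packet:
    iface: str                     # interface the packet arrived on (-i)
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]          # subset of {"SYN", "ACK", "FIN", "RST"}


@dataclass(frozen=True)
class Rule:
    iface: str
    mask: FrozenSet[str]           # --tcp-flags <mask> <comp>
    comp: FrozenSet[str]
    src: Optional[str]
    sport: Port
    dst: Optional[str]
    dport: Port
    states: FrozenSet[str]         # -m state --state ...
    target: str                    # LOG, ACCEPT or DROP

    def matches(self, pkt: Packet, state: str) -> bool:
        def in_range(port: int, rng: Port) -> bool:
            return rng is None or rng[0] <= port <= rng[1]
        return (pkt.iface == self.iface
                and (pkt.flags & self.mask) == self.comp
                and (self.src is None or pkt.src == self.src)
                and (self.dst is None or pkt.dst == self.dst)
                and in_range(pkt.sport, self.sport)
                and in_range(pkt.dport, self.dport)
                and state in self.states)


class Conntrack:
    """Flows are keyed by the 4-tuple of their first (original-direction) packet."""

    def __init__(self) -> None:
        self.flows = set()

    def classify(self, pkt: Packet) -> str:
        orig = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # A packet of a known flow, in either direction, is ESTABLISHED; the first
        # packet of an unknown flow is NEW whatever its flags (loose TCP tracking).
        return "ESTABLISHED" if orig in self.flows or reply in self.flows else "NEW"

    def confirm(self, pkt: Packet) -> None:
        # Only an accepted first packet leaves a lasting entry (dropped ones do not).
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))


F = frozenset
ALL = F({"SYN", "ACK", "FIN", "RST"})
HIGH = (1024, 65535)
WEB = "192.168.1.10"

# The poster's five rules, in the order given.
RULES: List[Rule] = [
    Rule("eth0", ALL, F({"ACK"}), ANY, ANY, WEB, (80, 80), F({"NEW"}), "LOG"),
    Rule("eth0", ALL, F({"ACK"}), ANY, ANY, WEB, (80, 80), F({"NEW"}), "DROP"),
    Rule("eth0", ALL, F({"SYN"}), ANY, HIGH, WEB, (80, 80), F({"NEW"}), "ACCEPT"),
    Rule("eth1", ALL, F({"SYN", "ACK"}), WEB, (80, 80), ANY, HIGH,
         F({"NEW", "ESTABLISHED"}), "ACCEPT"),
    Rule("eth0", ALL, F({"ACK"}), ANY, HIGH, WEB, (80, 80),
         F({"ESTABLISHED", "RELATED"}), "ACCEPT"),
]


def forward(ct: Conntrack, pkt: Packet, rules: List[Rule] = RULES) -> Tuple[str, str, bool]:
    """Walk the chain; return (verdict, conntrack state, whether a LOG rule fired)."""
    state = ct.classify(pkt)
    logged = False
    for rule in rules:
        if not rule.matches(pkt, state):
            continue
        if rule.target == "LOG":          # LOG is non-terminating: keep walking
            logged = True
            continue
        if rule.target == "ACCEPT" and state == "NEW":
            ct.confirm(pkt)
        return rule.target, state, logged
    return "DROP", state, logged          # assumed chain policy: DROP


def replay_handshake() -> List[Tuple[str, str, bool]]:
    """Client SYN, server SYN/ACK, client ACK, then a stray ACK from an unknown host."""
    ct = Conntrack()
    client, stranger = "203.0.113.5", "198.51.100.7"   # constructed sample hosts
    packets = [
        Packet("eth0", client, 40000, WEB, 80, F({"SYN"})),
        Packet("eth1", WEB, 80, client, 40000, F({"SYN", "ACK"})),
        Packet("eth0", client, 40000, WEB, 80, F({"ACK"})),
        Packet("eth0", stranger, 50000, WEB, 80, F({"ACK"})),   # never sent a SYN
    ]
    return [forward(ct, p) for p in packets]


if __name__ == "__main__":
    for result in replay_handshake():
        print(result)
```

The replay shows the handshake passing through rules 3, 4 and 5 in turn, with the server's SYN/ACK already classified ESTABLISHED because the client's SYN created the flow (so the NEW in rule 4's state list is never what matches it), while the stray ACK with no known flow is classified NEW, hits the LOG rule, and is then dropped by rule 2 before ever reaching the ACCEPT rules.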

win32sux 09-05-2007 12:50 PM

Are you unable to do preliminary testing yourself for some reason?

On a side note, I'm moving this to Linux - Networking, as asking whether or not your web server will perform well with a certain set of iptables rules isn't really a security question.
