LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 12-18-2010, 12:55 PM   #1
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,033

Rep: Reputation: 69
A question about iptables and connection tracking...


On my CentOS 5.4 box I run dns, ssh, and smtp servers. This box also has to be able to resolve and browse websites.

So basically it needs iptable rules for

TCP 22 25 80 443
UDP 53

My question is, which of these services work nicely with connection tracking?

I'm a little confused about how connection tracking works.

For example say this iptables rule for smtp
Code:
iptables -A INPUT -s 0/0 --sport 513:65535 -d $myip --dport 25 -j ACCEPT
versus
Code:
iptables -A INPUT -s 0/0 --sport 513:65535 -d $myip --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
So with connection tracking what exactly does it do that my first iptables rule does not do?

Also for centos is that port range correct? 2.6 Linux kernel randomly chooses a port 513-65535 when it connects to an external smtp server or say browses a site.

Last edited by trist007; 12-19-2010 at 07:06 AM.
 
Old 12-19-2010, 07:17 AM   #2
teebones
Member
 
Registered: Aug 2005
Location: /home/teebones
Distribution: sometimes this, sometimes that..
Posts: 502

Rep: Reputation: 56
simply put, what connection tracking does (NEW, ESTABLISHED), is if the remote party requires an extra random incoming connection on your side to be allowed, iptables will open this extra connection for you on your side, between you and the remote service only. See it as a dynamic firewalling system, that detects requests done by applications, to openup additional ports for that program to function properly. (e.g. Passive FTP is a good example of this. When you successfuly connect/authenticate to a FTP server that is running in passive mode, that server requests a random data port to be used for transfers, between you and the server. Without tracking, you have to manually open up that port, for it to funtion. With connection tracking, it goes fully automatic. Also connection tracking helps with NAT setups.
 
Old 12-21-2010, 10:17 PM   #3
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,033

Original Poster
Rep: Reputation: 69
Nice that explains it perfectly, thank you.
 
Old 01-02-2011, 09:44 AM   #4
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,033

Original Poster
Rep: Reputation: 69
Could you give a few examples of this. Like which protocols will open a new connection under a different port?
 
Old 01-04-2011, 12:35 PM   #5
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,033

Original Poster
Rep: Reputation: 69
bump
 
Old 01-04-2011, 06:35 PM   #6
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.9, Centos 7.3
Posts: 17,356

Rep: Reputation: 2367Reputation: 2367Reputation: 2367Reputation: 2367Reputation: 2367Reputation: 2367Reputation: 2367Reputation: 2367Reputation: 2367Reputation: 2367Reputation: 2367
As teebones said, check out ftp http://slacksite.com/other/ftp.html
BTW, DNS will use TCP for certain queries, so you'll need to allow TCP 53 as well.
http://linux.die.net/man/1/dig
 
Old 01-05-2011, 02:12 PM   #7
lazydog
Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 922
Blog Entries: 1

Rep: Reputation: 151Reputation: 151
Here is more detail on the 5 Connection Types. There is a lot more information on that page about IPTABLES.

I for one would have my first rule being an ESTABLISHED,RELATED rule that way your rules don't have to be read for every packet that arrives.

Here is a simple rule set for your input;
Code:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT --dport 53 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 442 -m state --state NEW -j ACCEPT
iptables -A INPUT -j DROP
Since you will be using both UDP and TCP for DNS (53) there is no reason to create 2 rules.
You should adjust these rule to work for your system.
 
Old 01-06-2011, 12:43 AM   #8
Andy Alt
Member
 
Registered: Jun 2004
Location: Minnesota, USA
Distribution: Slackware32-stable, Debian32 stable, LFS 7.1
Posts: 385

Rep: Reputation: 44
connection tracking modules

I seem to recall a few weeks a go when experimenting with an ftp server, my firewall was okay, but I had to
Code:
modprobe nf_conntrack_ftp
before I could receive an incoming connection. I imagine that module is built into kernels on some distributions, and wouldn't be necessary in every case.

Other connection tracking modules (in case the reference helps):

./kernel/net/ipv4/netfilter/nf_conntrack_ipv4.ko
./kernel/net/netfilter/nf_conntrack_proto_udplite.ko
./kernel/net/netfilter/nf_conntrack_netbios_ns.ko
./kernel/net/netfilter/nf_conntrack_ftp.ko
./kernel/net/netfilter/nf_conntrack_pptp.ko
./kernel/net/netfilter/nf_conntrack_amanda.ko
./kernel/net/netfilter/nf_conntrack_proto_gre.ko
./kernel/net/netfilter/nf_conntrack_irc.ko
./kernel/net/netfilter/nf_conntrack_h323.ko
./kernel/net/netfilter/nf_conntrack_proto_sctp.ko
./kernel/net/netfilter/nf_conntrack.ko
./kernel/net/netfilter/nf_conntrack_sane.ko
./kernel/net/netfilter/nf_conntrack_netlink.ko
./kernel/net/netfilter/nf_conntrack_proto_dccp.ko
./kernel/net/netfilter/nf_conntrack_tftp.ko
./kernel/net/netfilter/xt_conntrack.ko
./kernel/net/netfilter/nf_conntrack_sip.ko
./kernel/net/ipv6/netfilter/nf_conntrack_ipv6.ko
 
Old 01-20-2011, 11:33 AM   #9
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,033

Original Poster
Rep: Reputation: 69
Good stuff. I wanted to ask for any recommendations on my iptables INPUT rules. I have a feeling my current setup makes my server more prone to DOS attacks simply because of all the connection tracking going on.

# INPUT
$IP -A INPUT -i lo -p all -j ACCEPT
$IP -A INPUT -p icmp -j ACCEPT
$IP -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
$IP -A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 123 -m state --state NEW -j ACCEPT // network time protocol daemon
$IP -A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
$IP -A INPUT -j DROP

Which of these ports absolutely require connection tracking?
 
Old 01-20-2011, 08:03 PM   #10
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.9, Centos 7.3
Posts: 17,356

Rep: Reputation: 2367Reputation: 2367Reputation: 2367Reputation: 2367Reputation: 2367Reputation: 2367Reputation: 2367Reputation: 2367Reputation: 2367Reputation: 2367Reputation: 2367
If you read my link above to the FTP explanation, you'll come across this
Quote:
FTP is a TCP based service exclusively. There is no UDP component to FTP. FTP is an unusual service in that it utilizes two ports, a 'data' port and a 'command' port (also known as the control port). Traditionally these are port 21 for the command port and port 20 for the data port. The confusion begins however, when we find that depending on the mode, the data port is not always on port 20.
See also post #2 by teebones.

Incidentally, I'd recommend using a default policy rather than a rule to drop unwanted cxns; see post #1 http://www.linuxquestions.org/questi...policy-179408/
 
Old 01-25-2011, 07:56 PM   #11
lazydog
Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 922
Blog Entries: 1

Rep: Reputation: 151Reputation: 151
Quote:
Originally Posted by trist007 View Post
Good stuff. I wanted to ask for any recommendations on my iptables INPUT rules. I have a feeling my current setup makes my server more prone to DOS attacks simply because of all the connection tracking going on.

# INPUT
$IP -A INPUT -i lo -p all -j ACCEPT
$IP -A INPUT -p icmp -j ACCEPT
$IP -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
$IP -A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 123 -m state --state NEW -j ACCEPT // network time protocol daemon
$IP -A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
$IP -A INPUT -j DROP

Which of these ports absolutely require connection tracking?
They all do. You should not mix Stateful and Non-Stateful firewall rules.

I would also not just except ICMP packets blindly as you do above.
Have a look at This Site to help decide which messages from ICMP you need to allow.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Iptables Connection Tracking karimasif Linux - Networking 1 09-05-2007 12:50 PM
how does IPTABLES -A FORWARD two way traffic without using connection tracking? farhan Linux - Security 4 09-05-2007 12:31 PM
Problem with connection tracking in IPtables!! vishamr2000 Linux - Security 2 05-09-2007 01:50 PM
iptables tracking machine eranb2 Linux - Security 4 01-07-2005 11:12 AM
Tracking internet usage with iptables mdkelly069 Linux - Networking 7 09-13-2004 11:13 AM


All times are GMT -5. The time now is 11:45 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration