LinuxQuestions.org
Old 12-18-2010, 12:55 PM   #1
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,052

Rep: Reputation: 70
A question about iptables and connection tracking...


On my CentOS 5.4 box I run dns, ssh, and smtp servers. This box also has to be able to resolve and browse websites.

So basically it needs iptables rules for

TCP 22 25 80 443
UDP 53

My question is, which of these services work nicely with connection tracking?

I'm a little confused about how connection tracking works.

For example say this iptables rule for smtp
Code:
iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d $myip --dport 25 -j ACCEPT   # -p tcp is required for --sport/--dport to be recognised
versus
Code:
iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d $myip --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
So with connection tracking what exactly does it do that my first iptables rule does not do?

Also, for CentOS, is that port range correct? The 2.6 Linux kernel randomly chooses a port 513-65535 when it connects to an external smtp server or, say, browses a site.

Last edited by trist007; 12-19-2010 at 07:06 AM.
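To make the difference between the two rules concrete, here is an added example (not code from the thread or from any poster): a deliberately simplified shell model of the TCP state classification that "-m state" performs, run over a constructed three-packet trace. It assumes one host and the INPUT direction only, treats any later packet of a 4-tuple that began with a SYN as ESTABLISHED (real conntrack also wants to see the reply direction before it says ESTABLISHED), and assumes the kernel runs with nf_conntrack_tcp_loose=0 so that a non-SYN packet matching no entry is INVALID rather than being picked up mid-stream. The host addresses and ports are made up.

```shell
#!/bin/sh
# Added example, not code from the thread: a simplified model of the TCP
# state classification behind "-m state", to show what the stateful SMTP
# rule checks that the stateless one does not.
# Assumptions: one host, INPUT direction only; an entry is created by a SYN
# and any later packet of that 4-tuple counts as ESTABLISHED (real conntrack
# also wants to see the reply direction); nf_conntrack_tcp_loose=0, so a
# non-SYN packet that matches no entry is INVALID.

CT_TABLE="|"    # tracked 4-tuples, stored as |src:sport>dst:dport|...

# ct_classify "src sport dst dport flags": sets CT_STATE to NEW, ESTABLISHED
# or INVALID and records new connections in CT_TABLE.
ct_classify() {
    set -- $1
    key="$1:$2>$3:$4"
    rkey="$3:$4>$1:$2"
    case "$CT_TABLE" in
        *"|$key|"* | *"|$rkey|"*) CT_STATE=ESTABLISHED; return 0 ;;
    esac
    case "$5" in
        SYN) CT_TABLE="${CT_TABLE}${key}|"; CT_STATE=NEW ;;
        *)   CT_STATE=INVALID ;;
    esac
}

# The first rule from the post: -p tcp --sport 513:65535 --dport 25 -j ACCEPT.
# Any packet with matching ports is accepted, whatever its history. Sets VERDICT.
stateless_rule() {
    set -- $1
    if [ "$4" -eq 25 ] && [ "$2" -ge 513 ] && [ "$2" -le 65535 ]; then
        VERDICT=ACCEPT
    else
        VERDICT=DROP
    fi
}

# The second rule: same port match plus --state NEW,ESTABLISHED, so a packet
# that belongs to no tracked connection and is not a SYN is refused. Sets VERDICT.
stateful_rule() {
    pkt=$1
    ct_classify "$pkt"
    set -- $pkt
    if [ "$4" -eq 25 ] && [ "$2" -ge 513 ] && [ "$2" -le 65535 ] \
       && [ "$CT_STATE" != INVALID ]; then
        VERDICT=ACCEPT
    else
        VERDICT=DROP
    fi
}

# Constructed trace: a normal SMTP connection start from one client, then a
# stray ACK to port 25 from another host that never sent a SYN (what an ACK
# probe looks like to the firewall).
TRACE="203.0.113.5 40000 192.0.2.10 25 SYN
203.0.113.5 40000 192.0.2.10 25 ACK
198.51.100.7 60000 192.0.2.10 25 ACK"

demo() {
    CT_TABLE="|"
    printf '%-40s %-11s %-9s %s\n' packet ct_state stateless stateful
    printf '%s\n' "$TRACE" | while read -r pkt; do
        stateless_rule "$pkt"; a=$VERDICT
        stateful_rule "$pkt";  b=$VERDICT
        printf '%-40s %-11s %-9s %s\n' "$pkt" "$CT_STATE" "$a" "$b"
    done
}
demo
```

The third line of the table is the point of the question: the stateless rule accepts the stray ACK because its ports match, while the stateful rule drops it because the packet is INVALID, and the extra cost is the lookup in the conntrack table.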
 
Old 12-19-2010, 07:17 AM   #2
teebones
Member
 
Registered: Aug 2005
Location: /home/teebones
Distribution: sometimes this, sometimes that..
Posts: 502

Rep: Reputation: 56
Simply put, what connection tracking does (NEW, ESTABLISHED) is: if the remote party requires an extra random incoming connection on your side to be allowed, iptables will open this extra connection for you on your side, between you and the remote service only. See it as a dynamic firewalling system that detects requests done by applications to open up additional ports for that program to function properly (e.g. passive FTP is a good example of this. When you successfully connect/authenticate to an FTP server that is running in passive mode, that server requests a random data port to be used for transfers between you and the server. Without tracking, you have to manually open up that port for it to function. With connection tracking, it goes fully automatic). Also, connection tracking helps with NAT setups.
 
Old 12-21-2010, 10:17 PM   #3
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,052

Original Poster
Rep: Reputation: 70
Nice that explains it perfectly, thank you.
 
Old 01-02-2011, 09:44 AM   #4
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,052

Original Poster
Rep: Reputation: 70
Could you give a few examples of this. Like which protocols will open a new connection under a different port?
 
Old 01-04-2011, 12:35 PM   #5
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,052

Original Poster
Rep: Reputation: 70
bump
 
Old 01-04-2011, 06:35 PM   #6
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,360

Rep: Reputation: 2751
As teebones said, check out ftp http://slacksite.com/other/ftp.html
BTW, DNS will use TCP for certain queries, so you'll need to allow TCP 53 as well.
http://linux.die.net/man/1/dig
 
Old 01-05-2011, 02:12 PM   #7
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194
Here is more detail on the 5 Connection Types. There is a lot more information on that page about IPTABLES.

I for one would have my first rule be an ESTABLISHED,RELATED rule; that way your rules don't have to be read for every packet that arrives.

Here is a simple rule set for your input:
Code:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# --dport is only recognised after -p tcp or -p udp, so DNS takes one rule per protocol
iptables -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
iptables -A INPUT -j DROP
Since you will be using both UDP and TCP for DNS (53) there is no reason to create 2 rules.
You should adjust these rules to work for your system.
 
Old 01-06-2011, 12:43 AM   #8
Andy Alt
Member
 
Registered: Jun 2004
Location: Minnesota, USA
Distribution: Slackware64-stable, Manjaro, Debian64 stable
Posts: 528

Rep: Reputation: 167
connection tracking modules

I seem to recall a few weeks ago, when experimenting with an ftp server, my firewall was okay, but I had to
Code:
modprobe nf_conntrack_ftp
before I could receive an incoming connection. I imagine that module is built into kernels on some distributions, and wouldn't be necessary in every case.

Other connection tracking modules (in case the reference helps):

./kernel/net/ipv4/netfilter/nf_conntrack_ipv4.ko
./kernel/net/netfilter/nf_conntrack_proto_udplite.ko
./kernel/net/netfilter/nf_conntrack_netbios_ns.ko
./kernel/net/netfilter/nf_conntrack_ftp.ko
./kernel/net/netfilter/nf_conntrack_pptp.ko
./kernel/net/netfilter/nf_conntrack_amanda.ko
./kernel/net/netfilter/nf_conntrack_proto_gre.ko
./kernel/net/netfilter/nf_conntrack_irc.ko
./kernel/net/netfilter/nf_conntrack_h323.ko
./kernel/net/netfilter/nf_conntrack_proto_sctp.ko
./kernel/net/netfilter/nf_conntrack.ko
./kernel/net/netfilter/nf_conntrack_sane.ko
./kernel/net/netfilter/nf_conntrack_netlink.ko
./kernel/net/netfilter/nf_conntrack_proto_dccp.ko
./kernel/net/netfilter/nf_conntrack_tftp.ko
./kernel/net/netfilter/xt_conntrack.ko
./kernel/net/netfilter/nf_conntrack_sip.ko
./kernel/net/ipv6/netfilter/nf_conntrack_ipv6.ko
 
Old 01-20-2011, 11:33 AM   #9
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,052

Original Poster
Rep: Reputation: 70
Good stuff. I wanted to ask for any recommendations on my iptables INPUT rules. I have a feeling my current setup makes my server more prone to DoS attacks simply because of all the connection tracking going on.

# INPUT
$IP -A INPUT -i lo -p all -j ACCEPT
$IP -A INPUT -p icmp -j ACCEPT
$IP -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
$IP -A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 123 -m state --state NEW -j ACCEPT # network time protocol daemon
$IP -A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
$IP -A INPUT -j DROP

Which of these ports absolutely require connection tracking?
 
Old 01-20-2011, 08:03 PM   #10
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,360

Rep: Reputation: 2751
If you read my link above to the FTP explanation, you'll come across this
Quote:
FTP is a TCP based service exclusively. There is no UDP component to FTP. FTP is an unusual service in that it utilizes two ports, a 'data' port and a 'command' port (also known as the control port). Traditionally these are port 21 for the command port and port 20 for the data port. The confusion begins however, when we find that depending on the mode, the data port is not always on port 20.
See also post #2 by teebones.

Incidentally, I'd recommend using a default policy rather than a rule to drop unwanted cxns; see post #1 http://www.linuxquestions.org/questi...policy-179408/
 
Old 01-25-2011, 07:56 PM   #11
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194
Quote:
Originally Posted by trist007 View Post
Good stuff. I wanted to ask for any recommendations on my iptables INPUT rules. I have a feeling my current setup makes my server more prone to DoS attacks simply because of all the connection tracking going on.

# INPUT
$IP -A INPUT -i lo -p all -j ACCEPT
$IP -A INPUT -p icmp -j ACCEPT
$IP -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
$IP -A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 123 -m state --state NEW -j ACCEPT # network time protocol daemon
$IP -A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
$IP -A INPUT -j DROP

Which of these ports absolutely require connection tracking?
They all do. You should not mix Stateful and Non-Stateful firewall rules.

I would also not just accept ICMP packets blindly as you do above.
Have a look at This Site to help decide which messages from ICMP you need to allow.
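Pulling together the advice in posts #2, #7, #8, #10 and #11, here is an added example (not code from the thread or from any poster): a small shell generator for a stateful INPUT chain for the services the original poster listed. It prints every iptables command so the ruleset can be reviewed before it is applied; passing "apply" as the first argument runs the commands as well. Assumptions: the service lists and ICMP types are placeholders to be adjusted for the server in question; "-m state --state" is used as in the thread ("-m conntrack --ctstate" is the newer spelling); the FTP helper module name is the one from post #8 and may be spelled differently on older kernels, so check with modinfo first. Apply it from a console rather than over ssh, since the chain is flushed while the policy is already DROP.

```shell
#!/bin/sh
# Added example, not code from the thread: a generator for a stateful INPUT
# chain. Prints every command; run with "apply" as the first argument (as
# root, from a console) to execute them too.
# Assumptions: placeholder service lists; "-m state" as used in the thread;
# FTP helper module name from post #8 (verify with modinfo on your kernel).

MODE=${1:-print}
IPT=iptables

TCP_SERVICES="21 22 25 53 80 123 443"   # ftp ssh smtp dns http ntp https
UDP_SERVICES="53 123"                    # dns ntp
# ICMP types a server needs for error reporting and path MTU discovery,
# instead of accepting all of ICMP (post #11).
ICMP_TYPES="echo-request destination-unreachable time-exceeded parameter-problem"

# rule ARGS...: print one iptables command, and run it in apply mode
rule() {
    echo "$IPT $*"
    [ "$MODE" = apply ] && $IPT "$@"
    return 0
}

# load_helpers: the FTP helper from post #8, so the passive-mode data
# connection is classified RELATED and caught by the first stateful rule
load_helpers() {
    echo "modprobe nf_conntrack_ftp"
    [ "$MODE" = apply ] && modprobe nf_conntrack_ftp
    return 0
}

build_input_chain() {
    # Default policy instead of a trailing DROP rule (post #10): if the chain
    # is ever flushed or a rule is mis-ordered, the host fails closed.
    rule -P INPUT DROP
    rule -F INPUT
    rule -A INPUT -i lo -j ACCEPT
    # Stateful fast path first (post #7): most packets match here and never
    # reach the per-port rules, which bounds the work done per packet.
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -m state --state INVALID -j DROP
    # A TCP packet that counts as NEW but is not a SYN is not a real
    # connection start; drop it rather than let a port rule accept it.
    rule -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    for t in $ICMP_TYPES; do
        rule -A INPUT -p icmp --icmp-type "$t" -j ACCEPT
    done
    # --dport is an option of -p tcp / -p udp, so DNS and NTP need one rule
    # per transport protocol.
    for p in $TCP_SERVICES; do
        rule -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    for p in $UDP_SERVICES; do
        rule -A INPUT -p udp --dport "$p" -m state --state NEW -j ACCEPT
    done
}

# count_append_rules: number of "-A INPUT" rules the generator emits, always
# in print mode so counting never touches the live firewall
count_append_rules() {
    ( MODE=print; build_input_chain ) | grep -c -- '-A INPUT'
}

load_helpers
build_input_chain
```

Running it without arguments prints the 17 append rules plus the policy and flush commands in the order they would be loaded, which is the order that matters: the ESTABLISHED,RELATED rule comes before any per-port rule, and the per-port rules only ever see NEW packets.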
 