Old 05-21-2015, 02:07 PM   #1
coca0001
LQ Newbie
 
Registered: May 2015
Posts: 3

IPTables config, what is the difference between these statements for port 80?


Hello! I hope this post gets in the right place, because I'm a newbie at Linux.

I'm trying to set up a web server, Apache, and I'm confused which chain to set in IPTables. I hoped someone could answer me in a little more detail; I've tried googling, but the answers were quite confusing for me. Anyway, here are the statements:

-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

and

-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

I know that -A INPUT is for incoming packets and -p specifies protocol TCP. But I'm unsure what -m does, because in the first line it is just "-m tcp" and in the second it is "-m state --state". So if someone could explain the difference and which one to use, I would be grateful.

And another question while I'm at it: at the start of IPTables I have:
-A INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

What happens if I get a packet destined for some service that isn't a chain in IPTables? Take port 80 for example: will IPTables accept the packet, but drop it at the end because there isn't any hit? If you understand what I mean. If -A INPUT were DENY instead of ACCEPT, would the packet never get examined further than the first line?

Almost at the bottom of IPTables there is a line:
-A INPUT -j REJECT --reject-with icmp-host-prohibited

Is it the chain that will be matched if there is no hit prior to it? What would happen if this line wasn't there?

Thank you very much for your help, I just want to be a little sure how IPTables works.

Best Regards; Stefan
 
Old 05-21-2015, 03:54 PM   #2
michaelk
Moderator
 
Registered: Aug 2002
Posts: 14,929

Welcome to LinuxQuestions.

In a nutshell there are basically two ways to set up iptables rules. By using a default drop policy, nothing gets in or out unless you add a rule. If you use a default accept policy, everything gets in or out, but you add specific rules to allow what you want and then the last rule rejects or drops everything that does not meet the criteria above.

iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

The above rule allows web traffic without restriction. --state can track four connection states: NEW, ESTABLISHED, RELATED and INVALID. The NEW state means traffic originated from outside. ESTABLISHED or RELATED would mean we are receiving a returned packet for a connection that we originated.

Be sure to check your ISP agreement. Some do not allow a webserver to be run from home and may block port 80 traffic.


http://www.cyberciti.biz/tips/linux-...-examples.html
http://www.iptables.info/en/connection-state.html
 
Old 05-21-2015, 05:25 PM   #3
coca0001
LQ Newbie
 
Registered: May 2015
Posts: 3

Original Poster
Thanks for the answer! Just to make things clear, I did read your links, good stuff! Still quite unsure about the following; see the example below (some old test I found while googling):


Below is an example output dump from the command 'iptables -S':
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-SSH
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A fail2ban-SSH -j RETURN

There seems to be two lines for the normal HTTP web server port which is
probably a configuration mistake. Explain the difference between the two
lines and what traffic they allow. (3p)

c) Based on the output dump above, explain what happens when an incoming
TCP packet arrives (for a new incoming connection) for destination port 20.
(2p)


This was actually a good example, so in this case, does the first line, -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT, accept all packets destined for port 80 with no restrictions?
And does the second line, -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT, also allow access to port 80, but it must be a request from the outside? Is that the difference between the two?

If I had the rule -P INPUT DROP, would it still work? I'm having a hard time making out the difference between ACCEPT and DROP, but can you say in an easy way that ACCEPT allows every packet in, but you have to have a rule for what you want to do with the packets, and if nothing matches it drops? And DROP drops it, hands-off, if you don't specify a rule?

Just for fun, the question with the port 20 connection: what does actually happen with that? Does it just get dropped? Which rule in the IPtables does that fall under?

Thanks again for the great help!

Best Regards; Stefan

Last edited by coca0001; 05-21-2015 at 05:26 PM.
 
Old 05-21-2015, 06:18 PM   #4
michaelk
Moderator
 
Registered: Aug 2002
Posts: 14,929

Basically, an incoming packet will be compared with each INPUT rule starting at the top. Since there isn't any rule for port 20, it gets rejected when it reaches the bottom, i.e. "-A INPUT -j REJECT --reject-with icmp-host-prohibited".

FYI port 21 is used by telnet which should be disabled anyway. The rule can be deleted.

If the default policy is set to drop, i.e. -p INPUT DROP, then all incoming packets are dropped unless there is a rule to allow them; -P INPUT ACCEPT will default to allowing all traffic without the last -A FORWARD -j REJECT. If the default policy is accept without any rules, you can consider the firewall as disabled.

-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
Would be the better rule.
 
Old 05-21-2015, 08:01 PM   #5
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,403

Quote: Originally Posted by coca0001
I'm trying to set up a web server, Apache, and I'm confused which chain to set in IPTables. I hoped someone could answer me in a little more detail; I've tried googling, but the answers were quite confusing for me. Anyway, here are the statements:

-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

and

-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
Regarding the first rule:
  • -p tcp will match any TCP packet, and allows one to specify a number of TCP-related suboptions (like --dport).
  • -m tcp does exactly the same as -p tcp, so one of those could safely be omitted.
  • the --dport suboption will match packets with a specified destination port number, in this case 80. 80 is the default port for HTTP traffic. Since this is the INPUT chain, a packet with a destination port number of 80 is an inbound packet to a local web server.
  • -j ACCEPT jumps to the ACCEPT target, which means the packet will be let through and no further processing will take place.
As for the second rule:
  • -m state means the rule will match a certain state. iptables is a stateful firewall, meaning it keeps track of open connections and is able to handle packets according to context, not just content.
  • the --state suboption lets you specify a number of different "states", one of which is NEW. NEW means the packet is the first packet of a new session or transport stream. For TCP that generally means a packet with the SYN flag set.
  • The target and the remaining conditions are identical to those in the first rule.
The first rule will match any TCP packet sent to destination port 80, be it a new packet or part of an ongoing session or even an invalid packet sent by an attacker.

The second rule, however, will only match the very first packet of a TCP transaction. Additional rules would be needed to handle the rest of the TCP session.
Quote: Originally Posted by coca0001
And another question while I'm at it: at the start of IPTables I have:
-A INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
I'm pretty sure that first -A should be a -P.

-P sets the chain policy, meaning the catch-all rule that will apply to packets not matched by any other rule. Think of the policy as an invisible rule at the very bottom of the chain.
Quote: Originally Posted by coca0001
Almost at the bottom of IPTables there is a line:
-A INPUT -j REJECT --reject-with icmp-host-prohibited

Is it the chain that will be matched if there is not hit prior to it? What would happen if this line wasn't there?
This rule has no conditions, just a target ("REJECT"). That means it will match any packet that gets this far down the chain without being caught by another rule. The "REJECT" target works much like "DROP", except that while "DROP" will silently discard the packet, "REJECT" sends an ICMP error message back to the sender.

If that rule wasn't there, packets not matched by the preceding rules would instead hit the chain policy.

Quote: Originally Posted by coca0001
Below is an example output dump from the command 'iptables -S':
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-SSH
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A fail2ban-SSH -j RETURN

There seems to be two lines for the normal HTTP web server port which is
probably a configuration mistake. Explain the difference between the two
lines and what traffic they allow. (3p)
The first rule matching port 80 is the mistake, as it allows all packets that happen to be destined for TCP port 80. The second rule (the one with the --state NEW match) is the one you want.

I mentioned that this rule will only handle the very first TCP packet (the SYN packet). Once that packet has been received, iptables (or rather the netfilter firewall code) will create an entry in the state table, which means any subsequent packet belonging to the same virtual TCP connection will match the (currently) 3rd rule in the INPUT chain, the one matching the ESTABLISHED and RELATED states. TCP packets belonging to an active virtual connection are considered part of an ESTABLISHED session.

Quote: Originally Posted by coca0001
c) Based on the output dump above, explain what happens when an incoming
TCP packet arrives (for a new incoming connection) for destination port 20.
(2p)
If it is indeed a new connection, it will travel down the INPUT chain until it reaches the general REJECT rule. None of the preceding rules match packets to TCP port 20.

However... I see that FTP traffic (TCP port 21) is allowed, and FTP uses TCP port 20 for data transfers. If the packet is a data connection to or from an FTP server, and the FTP ALG module is loaded, the ALG will have noticed the FTP "port" command in the command stream and will have created an entry in the state table. The TCP packet to port 20 will then be considered a RELATED packet, and thus be allowed by the first state rule.
Quote: Originally Posted by coca0001
If I had the rule -P INPUT DROP, it would still work?
Yes, it would. You have manually inserted catch-all rules in the INPUT and FORWARD chains respectively, directing any non-matched packets to the REJECT target. Hence, no packets will ever be allowed to go past the bottom of the chain and hit the policy.
Quote: Originally Posted by coca0001
I'm having a hard time making out the difference between ACCEPT and DROP, but can you say in an easy way that ACCEPT allows every packet in, but you have to have a rule for what you want to do with the packets, and if nothing matches it drops? And DROP drops it, hands-off, if you don't specify a rule?
A policy of ACCEPT means you've created an "implicit accept" firewall; unless there's a specific rule blocking a packet, it will be allowed through. This is generally considered poor security practice, since an error in the ruleset can easily result in unwanted traffic passing unhindered through the firewall. For instance, disable the REJECT rule in your setup, and your firewall is basically useless.

A policy of DROP means you have implemented "implicit deny". You'll then need to create rules that explicitly allow any traffic you want to let through.
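The chain walk that michaelk (#4) and Ser Olmy (#5) describe, as an added example that is not code from this thread or from iptables itself: a small Python model of first-match traversal of the quoted INPUT chain, including the fail2ban-SSH user chain with its RETURN, the policy acting as the invisible bottom rule, and what changes when the final REJECT rule is deleted or the policy is switched to DROP. The functions parse_rules, matches, walk, verdict and edit are this example's own names. Real connection tracking is not modelled, so each packet's conntrack state is supplied by hand, and -m tcp is treated as adding nothing beyond -p tcp, as the post above says.

```python
"""Walk an iptables INPUT chain the way netfilter does: top to bottom, first
match wins, and the chain policy acts as an invisible last rule.

Added example, not code from the thread. Only the options used in the quoted
'iptables -S' dump are understood, and connection tracking is not modelled:
the packet's conntrack state (NEW/ESTABLISHED/RELATED/INVALID) is an input."""
import shlex

# Constructed copy of the ruleset quoted in the thread.
DUMP = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-SSH
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A fail2ban-SSH -j RETURN
"""

def parse_rules(dump):
    """Return (policies, chains): chain -> policy target, chain -> ordered rules."""
    policies, chains = {}, {}
    for line in dump.splitlines():
        toks = shlex.split(line)
        if toks[0] in ("-P", "-N"):
            chains.setdefault(toks[1], [])
            if toks[0] == "-P":
                policies[toks[1]] = toks[2]
            continue
        # -A <chain> <conditions...> -j <target>; every option here takes one argument
        rule = {"proto": None, "dport": None, "states": None, "iface": None,
                "target": None, "text": line}
        for opt, arg in zip(toks[2::2], toks[3::2]):
            if opt == "-p":
                rule["proto"] = arg
            elif opt == "--dport":
                rule["dport"] = int(arg)
            elif opt == "--state":
                rule["states"] = set(arg.split(","))
            elif opt == "-i":
                rule["iface"] = arg
            elif opt == "-j":
                rule["target"] = arg
            elif opt not in ("-m", "--reject-with"):  # -m tcp adds nothing beyond -p tcp
                raise ValueError(f"unsupported option {opt!r}: {line}")
        chains.setdefault(toks[1], []).append(rule)
    return policies, chains

def matches(rule, pkt):
    """Every condition on the rule must hold; a rule with none (the final REJECT) matches all."""
    return ((rule["proto"] is None or rule["proto"] == pkt["proto"])
            and (rule["dport"] is None or rule["dport"] == pkt["dport"])
            and (rule["states"] is None or pkt["state"] in rule["states"])
            and (rule["iface"] is None or rule["iface"] == pkt["iface"]))

def walk(chain, pkt, policies, chains, user_chain=False):
    """Return (verdict, where); None from a user chain means 'continue in the caller'."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target, rule["text"]
        if target == "RETURN":
            return None, rule["text"]
        v, where = walk(target, pkt, policies, chains, user_chain=True)
        if v is not None:
            return v, where
    if user_chain:
        return None, "end of " + chain
    return policies[chain], "policy"  # the invisible bottom rule

def verdict(dump, proto, dport=None, state="NEW", iface="eth0"):
    """Verdict for one inbound packet against the INPUT chain of `dump`."""
    policies, chains = parse_rules(dump)
    pkt = {"proto": proto, "dport": dport, "state": state, "iface": iface}
    return walk("INPUT", pkt, policies, chains)

def edit(dump, drop=(), input_policy=None):
    """Copy of `dump` minus lines containing any `drop` needle, optionally with a new INPUT policy."""
    keep = [ln for ln in dump.splitlines() if not any(n in ln for n in drop)]
    if input_policy:
        keep = ["-P INPUT " + input_policy if ln.startswith("-P INPUT ") else ln for ln in keep]
    return "\n".join(keep)

if __name__ == "__main__":
    print("new SYN to :80   ", verdict(DUMP, "tcp", 80))
    print("INVALID to :80   ", verdict(DUMP, "tcp", 80, state="INVALID"))
    print("new SYN to :20   ", verdict(DUMP, "tcp", 20))
    print("RELATED to :20   ", verdict(DUMP, "tcp", 20, state="RELATED"))
    no_reject = edit(DUMP, drop=("-A INPUT -j REJECT",))
    print("no REJECT, :20   ", verdict(no_reject, "tcp", 20))
    print("  + policy DROP  ", verdict(edit(no_reject, input_policy="DROP"), "tcp", 20))
```

Running it prints which rule (or the policy) decided each packet. The INVALID-to-port-80 case is the one that separates the two port-80 rules: the stateless rule accepts it, and only after that line is removed does the NEW-only rule plus the RELATED,ESTABLISHED rule carry a normal session while the bad packet falls through to REJECT.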
 
Old 05-22-2015, 02:17 PM   #6
coca0001
LQ Newbie
 
Registered: May 2015
Posts: 3

Original Poster
Thank you guys, I really appreciate the answers; they really made me more comfortable in this situation. Thanks a lot michaelk and Ser Olmy!