LinuxQuestions.org

Linux - Security: Confused about iptables --state switch (http://www.linuxquestions.org/questions/linux-security-4/confused-about-iptables-state-switch-719891/)

oasisbhrnw99 04-17-2009 12:30 PM

Confused about iptables --state switch
 
Hi all,

I am new to iptables and while looking at examples online about configuring it I noticed some people use the --state NEW switch in their configs a lot and others don't. For instance, if I am going to allow ssh to my firewall I could do it as:

1. iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Or

2. iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

I know the NEW stands for new connections but is there a benefit or any difference at all?

Any help is appreciated, thanks.

win32sux 04-17-2009 02:31 PM

Quote:

Originally Posted by oasisbhrnw99 (Post 3512417)
I know the NEW stands for new connections but

No, it doesn't. It stands for "packet in state NEW".

Quote:

is there a benefit or any difference at all?
If you don't specify the state, you are allowing packets in state INVALID to be sent to ACCEPT. That said, state matching is kind of the point of using a stateful packet filter in the first place, so it's kind of a waste IMHO to not put it to use.

slimm609 04-17-2009 03:39 PM

A little more detail. In a TCP session you have a 3-way connection:

SYN, SYN/ACK, and ACK.


When you put in --state NEW it means that the connection has to be in the SYN state when they first try to connect.

It keeps track of sessions, so it only matters in the beginning of the connection.


Short description: users can't act like a connection was already in session by sending an ACK or a SYN/ACK right from the start.

win32sux 04-17-2009 03:50 PM

Quote:

Originally Posted by slimm609 (Post 3512605)
when you put in --state new it means that the connection has to be in the syn state when they first try to connect.

For a packet to be in state NEW it doesn't need to be a SYN packet. It just needs to lack a corresponding entry in the state table. If you want to match against a SYN packet specifically, you're gonna need to use the --syn match. In fact, for rules applying to TCP packets it's a good idea to use both, like:
Code:

iptables -A INPUT -p TCP --dport 22 --syn -m state --state NEW -j ACCEPT
This way, a higher degree of sanity checking is obtained. Of course, this shouldn't be done if the service in question really does have a need for TCP packets in state NEW which aren't SYN.
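To make the distinction in this thread concrete, here is an added Python model (not code from the thread, and not Netfilter's own code) of how conntrack classifies a TCP packet and how the three rule variants discussed above treat it: a bare port rule, the same rule with -m state --state NEW, and the rule with both --syn and --state NEW. It assumes the kernel default nf_conntrack_tcp_loose=1, under which a packet carrying only ACK and matching no state-table entry is picked up as NEW; the 4-tuple state table, the Rule class, the VALID_FLAG_SETS table and the probe packets are simplifications constructed for this example.

```python
"""Simplified model of conntrack TCP states and three INPUT rule variants.

Constructed illustration, not Netfilter's code. Models the default
nf_conntrack_tcp_loose=1 behaviour: a packet with only ACK set and no
state-table entry is picked up as NEW even though it is not a SYN.
"""
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

# Flag combinations treated as sane TCP (simplified from the kernel's
# tcp_valid_flags table; URG variants omitted). Anything else is INVALID.
VALID_FLAG_SETS = {SYN, SYN | ACK, RST, RST | ACK, FIN | ACK, ACK}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


class StateTable:
    """Toy conntrack table keyed on the TCP 4-tuple (assumption: no RELATED)."""

    def __init__(self, tcp_loose: bool = True):
        self.entries = set()
        self.tcp_loose = tcp_loose

    @staticmethod
    def _key(p: Packet):
        return (p.src, p.sport, p.dst, p.dport)

    def classify(self, p: Packet) -> str:
        if p.flags not in VALID_FLAG_SETS:
            return "INVALID"          # nonsense flags, e.g. SYN+FIN or no flags
        if self._key(p) in self.entries:
            return "ESTABLISHED"
        if p.flags == SYN:
            return "NEW"              # ordinary connection start
        if p.flags == ACK and self.tcp_loose:
            return "NEW"              # mid-stream pickup: NEW, but not a SYN
        return "INVALID"              # SYN/ACK, FIN/ACK or RST with no entry

    def remember(self, p: Packet) -> None:
        self.entries.add(self._key(p))


@dataclass(frozen=True)
class Rule:
    dport: int
    syn_only: bool = False            # models "--syn"
    states: frozenset = frozenset()   # models "-m state --state ..."; empty = unused
    target: str = "ACCEPT"

    def matches(self, p: Packet, state: str) -> bool:
        if p.dport != self.dport:
            return False
        # --syn means SYN set with ACK and RST clear (iptables man page).
        if self.syn_only and (p.flags & (SYN | ACK | RST)) != SYN:
            return False
        if self.states and state not in self.states:
            return False
        return True


def evaluate(rules, p: Packet, table: StateTable, policy: str = "DROP") -> str:
    """Walk a hypothetical INPUT chain: first matching rule wins, else policy."""
    state = table.classify(p)
    for r in rules:
        if r.matches(p, state):
            if r.target == "ACCEPT" and state == "NEW":
                table.remember(p)     # an accepted NEW packet creates an entry
            return r.target
    return policy


# The three rule variants from the thread.
RULESETS = {
    "no state":  [Rule(22)],
    "state NEW": [Rule(22, states=frozenset({"NEW"}))],
    "syn + NEW": [Rule(22, syn_only=True, states=frozenset({"NEW"}))],
}

# Constructed probe packets; none has a state-table entry when it arrives.
PROBES = {
    "syn":      Packet("10.0.0.5", 40000, "10.0.0.1", 22, SYN),
    "bare ack": Packet("10.0.0.5", 40001, "10.0.0.1", 22, ACK),
    "syn+fin":  Packet("10.0.0.5", 40002, "10.0.0.1", 22, SYN | FIN),
    "null":     Packet("10.0.0.5", 40003, "10.0.0.1", 22, 0),
}


def run_demo() -> dict:
    """Return {ruleset: {probe: (conntrack state, verdict)}}, fresh table each."""
    out = {}
    for name, rules in RULESETS.items():
        table = StateTable()
        out[name] = {}
        for label, p in PROBES.items():
            state = table.classify(p)
            out[name][label] = (state, evaluate(rules, p, table))
    return out


if __name__ == "__main__":
    for name, res in run_demo().items():
        print(name)
        for label, (state, verdict) in res.items():
            print(f"  {label:9s} state={state:11s} -> {verdict}")
```

Running it shows the two points made above: the bare port rule lets the SYN+FIN and null-flag probes (state INVALID) through, --state NEW stops those but still accepts the bare ACK (NEW under tcp_loose), and only the combined --syn --state NEW rule drops everything except the real SYN.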
