LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 04-17-2009, 12:30 PM   #1
oasisbhrnw99
Member
 
Registered: May 2004
Posts: 43

Rep: Reputation: 15
Confused about iptables --state switch


Hi all,

I am new to iptables and while looking at examples online about configuring it I noticed some people use the --state NEW switch in their configs a lot and other don't. For instance, if I am going to allow ssh to my firewall I could do it as:

1. iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Or

2. iptables -A INPUT -m state --state NEW --dport 22 -j ACCEPT

I know the NEW stands for new connections but is there a benefit or any difference at all?

Any help is appreciated, thanks.
 
Old 04-17-2009, 02:31 PM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by oasisbhrnw99 View Post
I know the NEW stands for new connections but
No, it doesn't. It stands for "packet in state NEW".

Quote:
is there a benefit or any difference at all?
If you don't specify the state, you are allowing packets in state INVALID to be sent to ACCEPT. That said, state matching is kind of the point of using a stateful packet filter in the first place, so it's kind of a waste IMHO to not put it to use.
 
Old 04-17-2009, 03:39 PM   #3
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 428

Rep: Reputation: 65
a little more detail. In a tcp session you have a 3 way connection.

syn, syn/ack, and ack.


when you put in --state new it means that the connection has to be in the syn state when they first try to connect.

it keeps track of sessions so it only matters in the begining of the connection.


short description- users can't act like a connection was already in session by sending an ack or a syn/ack right from the start.
 
Old 04-17-2009, 03:50 PM   #4
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by slimm609 View Post
when you put in --state new it means that the connection has to be in the syn state when they first try to connect.
For a packet to be in state NEW it doesn't need to be a SYN packet. It just needs to lack a corresponding entry in the state table. If you want to match against a SYN packet specifically, you're gonna need to use the --syn match. In fact, for rules applying to TCP packets it's a good idea to use both, like:
Code:
iptables -A INPUT -p TCP --dport 22 --syn -m state --state NEW -j ACCEPT
This way, a higher degree of sanity checking is obtained. Of course, this shouldn't be done if the service in question really does have a need for TCP packets in state NEW which aren't SYN.

Last edited by win32sux; 04-17-2009 at 04:07 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
specifying the state for the iptables adam_blackice Linux - Security 6 01-08-2008 01:18 PM
not work: iptables -I INPUT 5 -m state --state NEW -m tcp -p tcp --dport 3306 -j DROP abefroman Linux - Security 1 07-18-2007 08:19 AM
shell got confused with iptables ... ilnli Linux - Security 1 02-09-2005 09:10 PM
iptables state module not loaded error rnj Fedora 2 10-28-2004 11:33 PM
BitTorrent + iptables = a confused me GT_Onizuka Linux - Newbie 4 08-28-2003 04:50 PM


All times are GMT -5. The time now is 01:05 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration