LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 05-03-2011, 03:46 PM   #1
savona
Member
 
Registered: Mar 2011
Location: Bellmawr, NJ
Distribution: Red Hat / Fedora
Posts: 194

Rep: Reputation: 50
iptables - Is it necessary to use the NEW state match?


I am looking to learn more about netfilter/iptables. I have been reading a lot of different documents online and I notice that some people open a port like this:

(using http as an example)

iptables -I INPUT -p tcp --dport 80 -j ACCEPT

While other use the state match like so:

iptables -I INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT

My question is, why do I need to use the state new here? I understand that the NEW mean a new connection, and I understand the use of ESTABLISHED, RELATED. But is the NEW needed here? What is the working difference between the two statements above?
 
Old 05-03-2011, 03:59 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,398

Rep: Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965
Well it's fundamentally that the connection might not be new... you could receive all sorts of crap trying to exploit your rule base and systems behind it. You have new connections, you have ones you already know about and trust, but you have the third category of "other shit" and if you don't use the NEW state you'll let in all that other rubbish.
 
Old 05-03-2011, 06:13 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,319
Blog Entries: 54

Rep: Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860
...and in addition to that here's another explanation: http://www.faqs.org/docs/iptables/newnotsyn.html
 
Old 05-04-2011, 09:22 AM   #4
savona
Member
 
Registered: Mar 2011
Location: Bellmawr, NJ
Distribution: Red Hat / Fedora
Posts: 194

Original Poster
Rep: Reputation: 50
Thanks for the info. I will continue to read.
 
  


Reply

Tags
iptables, netfilter, state


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set deadeyes Linux - Server 14 07-29-2009 04:30 AM
specifying the state for the iptables adam_blackice Linux - Security 6 01-08-2008 01:18 PM
not work: iptables -I INPUT 5 -m state --state NEW -m tcp -p tcp --dport 3306 -j DROP abefroman Linux - Security 1 07-18-2007 08:19 AM
IPTABLES with UNCLEAN match ALInux Linux - Networking 0 08-11-2006 11:22 AM
iptables string match kahpeetan Linux - Security 3 11-09-2003 06:36 PM


All times are GMT -5. The time now is 05:59 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration