LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 05-03-2011, 04:46 PM   #1
savona
Member
 
Registered: Mar 2011
Location: Bellmawr, NJ
Distribution: Red Hat / Fedora
Posts: 194

Rep: Reputation: 50
iptables - Is it necessary to use the NEW state match?


I am looking to learn more about netfilter/iptables. I have been reading a lot of different documents online and I notice that some people open a port like this:

(using http as an example)

iptables -I INPUT -p tcp --dport 80 -j ACCEPT

While other use the state match like so:

iptables -I INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT

My question is, why do I need to use the state new here? I understand that the NEW mean a new connection, and I understand the use of ESTABLISHED, RELATED. But is the NEW needed here? What is the working difference between the two statements above?
 
Old 05-03-2011, 04:59 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968
Well it's fundamentally that the connection might not be new... you could receive all sorts of crap trying to exploit your rule base and systems behind it. You have new connections, you have ones you already know about and trust, but you have the third category of "other shit" and if you don't use the NEW state you'll let in all that other rubbish.
 
Old 05-03-2011, 07:13 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,688
Blog Entries: 54

Rep: Reputation: 2957Reputation: 2957Reputation: 2957Reputation: 2957Reputation: 2957Reputation: 2957Reputation: 2957Reputation: 2957Reputation: 2957Reputation: 2957Reputation: 2957
...and in addition to that here's another explanation: http://www.faqs.org/docs/iptables/newnotsyn.html
 
Old 05-04-2011, 10:22 AM   #4
savona
Member
 
Registered: Mar 2011
Location: Bellmawr, NJ
Distribution: Red Hat / Fedora
Posts: 194

Original Poster
Rep: Reputation: 50
Thanks for the info. I will continue to read.
 
  


Reply

Tags
iptables, netfilter, state


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set deadeyes Linux - Server 14 07-29-2009 05:30 AM
specifying the state for the iptables adam_blackice Linux - Security 6 01-08-2008 02:18 PM
not work: iptables -I INPUT 5 -m state --state NEW -m tcp -p tcp --dport 3306 -j DROP abefroman Linux - Security 1 07-18-2007 09:19 AM
IPTABLES with UNCLEAN match ALInux Linux - Networking 0 08-11-2006 12:22 PM
iptables string match kahpeetan Linux - Security 3 11-09-2003 07:36 PM


All times are GMT -5. The time now is 08:17 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration