LinuxQuestions.org

Linux - Security: specifying the state for the iptables (http://www.linuxquestions.org/questions/linux-security-4/specifying-the-state-for-the-iptables-611127/)

adam_blackice 01-04-2008 10:29 AM

specifying the state for the iptables
 
hello all

I would like to ask about specifying the state of the connection for the iptables firewall, whether it is NEW, ESTABLISHED, RELATED or even INVALID. So I want to ask: if I made a script that allows only ESTABLISHED or RELATED connections, like this:

Code:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
So my question is: if I apply that to a server, will it prevent any new connections? What I mean is, if it was a web or mail server and this rule was applied, how can clients make requests to this server? Thanks for everything.

win32sux 01-04-2008 10:41 AM

Quote:

Originally Posted by adam_blackice (Post 3011156)
I would like to ask about specifying the state of the connection for the iptables firewall, whether it is NEW, ESTABLISHED, RELATED or even INVALID. So I want to ask: if I made a script that allows only ESTABLISHED or RELATED connections, like this:

Code:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
So my question is: if I apply that to a server, will it prevent any new connections? What I mean is, if it was a web or mail server and this rule was applied, how can clients make requests to this server? Thanks for everything.

The iptables rules don't apply to connections - they apply to packets. Yes, if you only had a rule like that in your INPUT chain, then no new connections could be started with your box. In order to make certain exceptions (as in your web/mail example), you simply append rules for the relevant packets in state NEW, which are the ones used to start a connection. Example:
Code:

# packets belonging to (or related to) connections already accepted
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# everything on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
# connection-opening packets for the web server
iptables -A INPUT -p TCP --dport 80 -m state --state NEW -j ACCEPT
# connection-opening packets for the mail server
iptables -A INPUT -p TCP --dport 25 -m state --state NEW -j ACCEPT

In this example, only incoming connections to our web and mail servers are allowed.

NOTE: The second rule allows all traffic on the loopback interface.

adam_blackice 01-05-2008 12:24 AM

Really, thanks, I got you now =)

:) But I want a clarification about

Quote:

iptables -A INPUT -i lo -j ACCEPT
Generally, what kind of connection will the server accept from itself? Is it something like, if it is a DNS server, it will resolve from itself, or what?

win32sux 01-05-2008 10:52 AM

Quote:

Originally Posted by adam_blackice (Post 3011960)
Generally, what kind of connection will the server accept from itself?

Well, for example, a LAMP server will almost always have the MySQL database server listening exclusively on localhost.

adam_blackice 01-08-2008 09:27 AM

Really, thanks, and thank you very much for your great support :) One last question, and I am very confused about it :D I know I have annoyed you, but I promise it is the last one.

While I was reading a McGraw-Hill book for Fedora and RHEL, in the iptables section I found this rule:

Code:

# allow communication to the Web server (address 10.0.0.2), port www
iptables -A INPUT -j ACCEPT -p tcp -i eth0 --dport www -s 10.0.0.2

In this example I have 10.0.0.2 as a web server, and I want to restrict access to the whole server from outside except port 80 (www). The issue that makes me so confused is the -s option: I think it should be -d, because the INPUT chain relates to traffic destined to the host, so the traffic will be destined to the web server? So any clarification about my issue, because it has made me so hesitant :S

Regards

win32sux 01-08-2008 11:42 AM

Quote:

Originally Posted by adam_blackice (Post 3015540)
Code:

# allow communication to the Web server (address 10.0.0.2), port www
iptables -A INPUT -j ACCEPT -p tcp -i eth0 --dport www -s 10.0.0.2

In this example I have 10.0.0.2 as a web server, and I want to restrict access to the whole server from outside except port 80 (www). The issue that makes me so confused is the -s option: I think it should be -d, because the INPUT chain relates to traffic destined to the host, so the traffic will be destined to the web server? So any clarification about my issue, because it has made me so hesitant :S

This rule you've posted would only let IP 10.0.0.2 connect to the Web server. In other words, the client would need to have that IP. If, however, this is the IP of the server, then a "-d" should have been used instead. In fact, if this is the server's only IP then you don't even need to specify the IP, as packets which have a different IP as a destination won't traverse the INPUT chain anyways - they will traverse the FORWARD one.
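The following script is an added example and is not code posted in this thread or taken from the book; it pulls together both of win32sux's points (the state-based INPUT chain from the first reply, and the -s/-d and INPUT-versus-FORWARD distinction from this one) into one complete ruleset in iptables-restore format. It assumes, which the thread does not state, that the public interface is eth0, that the firewall host itself serves HTTP and SMTP, and that the book's 10.0.0.2 is a separate web server sitting behind the firewall. It uses `-m conntrack --ctstate`, the current spelling of what the thread writes as `-m state --state` (the old form is kept by iptables as an alias).

```shell
#!/bin/sh
# Added example (not from the thread or the book): a stateful INPUT policy
# plus the FORWARD rule for a web server behind the firewall, emitted as an
# iptables-restore ruleset. Without arguments it prints the ruleset; as root
# with --apply it validates and then loads it atomically.

WAN_IF="eth0"             # assumed public interface
LOCAL_TCP_PORTS="80 25"   # assumed services listening on the firewall itself
PROTECTED_WEB="10.0.0.2"  # assumed web server behind the firewall (book's address)

# One ACCEPT rule per port for connection-opening (NEW) TCP packets.
# For INPUT no -d is needed: only packets addressed to this host reach INPUT.
new_tcp_rules() {
    chain="$1"; shift
    for port in "$@"; do
        printf '%s\n' "-A $chain -i $WAN_IF -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# The complete filter table. Default policy DROP means anything not matched
# below is silently discarded, including NEW connections to unlisted ports.
emit_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: services bound to 127.0.0.1 (e.g. a local MySQL) keep working
-A INPUT -i lo -j ACCEPT
# packets conntrack cannot tie to a known flow are dropped rather than accepted
-A INPUT -m conntrack --ctstate INVALID -j DROP
# replies and related packets (e.g. ICMP errors) for flows already accepted
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    new_tcp_rules INPUT $LOCAL_TCP_PORTS
    cat <<EOF
# traffic for another host never enters INPUT; it goes through FORWARD, and
# there the server's address is the destination (-d), not the source (-s)
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -d $PROTECTED_WEB -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Number of rules in a chain that accept NEW TCP connections (sanity check).
count_new_rules() {
    emit_ruleset | grep -c "^-A $1 .*--ctstate NEW -j ACCEPT"
}

# iptables-restore --test parses the ruleset without touching the kernel;
# only if that succeeds is it loaded for real, replacing the filter table.
apply_ruleset() {
    emit_ruleset | iptables-restore --test && emit_ruleset | iptables-restore
}

if [ "${1:-}" = "--apply" ]; then apply_ruleset; else emit_ruleset; fi
```

Two practical notes: with the INPUT policy at DROP, remote administration is cut off unless the management port (typically SSH, 22) is added to LOCAL_TCP_PORTS, so review the printed ruleset before running it with --apply on a machine you can only reach over the network; and the FORWARD rule only carries traffic to 10.0.0.2 if IP forwarding is enabled on the firewall, which this script does not change.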

adam_blackice 01-08-2008 01:18 PM

Really, thanks, you are right. I was making sure of that because that book specifies 10.0.0.2 as the address of the web server, so I got confused about the "-s" option. Overall you were great and really helpful :) Thanks again.
