LinuxQuestions.org
Old 01-04-2008, 10:29 AM   #1
adam_blackice
Member
 
Registered: Apr 2006
Location: /*Egypt */ //cairo
Distribution: Ubuntu 7.04 , SLED 10 , Fedora , RHEL 5
Posts: 312

Rep: Reputation: 32
specifying the state for the iptables


hello all

I would like to ask about specifying the state of the connection for the iptables firewall, whether it is NEW, ESTABLISHED, RELATED or even INVALID. So I want to ask: if I made a script that will allow only an ESTABLISHED or RELATED connection, like this

Code:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
So my question is: if I apply that to a server, will it prevent any new connections? What I mean is, if it was a web or mail server and this rule was applied, how could clients make requests to this server? Thanks, all.
 
Old 01-04-2008, 10:41 AM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by adam_blackice View Post
I would like to ask about specifying the state of the connection for the iptables firewall, whether it is NEW, ESTABLISHED, RELATED or even INVALID. So I want to ask: if I made a script that will allow only an ESTABLISHED or RELATED connection, like this

Code:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
So my question is: if I apply that to a server, will it prevent any new connections? What I mean is, if it was a web or mail server and this rule was applied, how could clients make requests to this server? Thanks, all.
The iptables rules don't apply to connections - they apply to packets. Yes, if you only had a rule like that in your INPUT chain, then no new connections could be started with your box. In order to make certain exceptions (as in your web/mail example), you simply append rules for the relevant packets in state NEW, which are the ones used to start a connection. Example:
Code:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p TCP --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p TCP --dport 25 -m state --state NEW -j ACCEPT
In this example, only incoming connections to our web and mail servers are allowed.

NOTE: The second rule allows all traffic on the loopback interface.
 
Old 01-05-2008, 12:24 AM   #3
adam_blackice
Member
 
Original Poster
Really, thanks, I get you now =)

But I want a clarification about

Quote:
iptables -A INPUT -i lo -j ACCEPT
Generally, what kind of connection will the server accept from itself? Is it something like, if it is a DNS server, it will resolve from itself, or what?

Last edited by adam_blackice; 01-05-2008 at 12:31 AM.
 
Old 01-05-2008, 10:52 AM   #4
win32sux
Guru
Quote:
Originally Posted by adam_blackice View Post
generally what kind of connection server will accept from it self
Well, for example, a LAMP server will almost always have the MySQL database server listening exclusively on localhost.
 
Old 01-08-2008, 09:27 AM   #5
adam_blackice
Member
 
Original Poster
Really, thanks, and thank you very much for your great support :- one last question, and I am very confused about it. I know I have annoyed you, but I promise it is the last one.

While I was reading a McGraw-Hill book for Fedora and RHEL, in the iptables section I found this rule:

Code:
# allow communication to the Web server (address 10.0.0.2), port www
iptables -A INPUT -j ACCEPT -p tcp -i eth0 --dport www -s 10.0.0.2
In this example I have 10.0.0.2 as a web server and I want to restrict access to the whole server from outside, except port 80 (www). The issue that makes me so confused is the -s option; I think it should be -d, because the INPUT chain is for traffic destined to the host, so the traffic will be destined to the web server? So any clarification about my issue would help, because it has made me so hesitant :S

Regards
 
Old 01-08-2008, 11:42 AM   #6
win32sux
Guru
Quote:
Originally Posted by adam_blackice View Post
Code:
# allow communication to the Web server (address 10.0.0.2), port www
iptables -A INPUT -j ACCEPT -p tcp -i eth0 --dport www -s 10.0.0.2
In this example I have 10.0.0.2 as a web server and I want to restrict access to the whole server from outside, except port 80 (www). The issue that makes me so confused is the -s option; I think it should be -d, because the INPUT chain is for traffic destined to the host, so the traffic will be destined to the web server? So any clarification about my issue would help, because it has made me so hesitant :S
This rule you've posted would only let IP 10.0.0.2 connect to the Web server. In other words, the client would need to have that IP. If, however, this is the IP of the server, then a "-d" should have been used instead. In fact, if this is the server's only IP then you don't even need to specify the IP, as packets which have a different IP as a destination won't traverse the INPUT chain anyway - they will traverse the FORWARD one.
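The two points win32sux makes in this thread (in post #2, that rules match packets and only a connection's first packet is in state NEW, so the RELATED,ESTABLISHED rule alone starts nothing; in post #6, that -s matches the source address and that packets not addressed to the host take the FORWARD chain instead of INPUT) can be checked against a small model of netfilter. The following is an added example, not code from the thread or from the iptables project. It assumes the firewall host owns 10.0.0.2 and 127.0.0.1, approximates connection tracking with a set of confirmed 5-tuples (an entry is confirmed only when the packet is accepted, as netfilter does), treats a non-SYN TCP packet with no entry as INVALID (the nf_conntrack_tcp_loose=0 behaviour), and does not model RELATED or the OUTPUT chain; the client address 192.0.2.10 and all packets are constructed.

```python
"""Toy model of iptables state matching (added example, not from the thread).

Assumptions: this host owns 10.0.0.2 and 127.0.0.1; conntrack is a set of
confirmed 5-tuples (confirmed only when a packet is ACCEPTed); a non-SYN TCP
packet with no entry is INVALID (nf_conntrack_tcp_loose=0); RELATED and the
OUTPUT chain are not modelled.
"""
from dataclasses import dataclass
from typing import Optional

LOCAL_IPS = {"10.0.0.2", "127.0.0.1"}  # assumed addresses of this host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sport: int = 40000
    proto: str = "tcp"
    syn: bool = False
    iface: str = "eth0"

    def flow(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reply_flow(self):
        return (self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Rule:
    """One iptables rule; a None field means the option was not given."""
    target: str
    states: Optional[frozenset] = None  # -m state --state A,B
    proto: Optional[str] = None         # -p
    dport: Optional[int] = None         # --dport
    src: Optional[str] = None           # -s
    dst: Optional[str] = None           # -d
    iface: Optional[str] = None         # -i

    def matches(self, pkt, state):
        conds = [
            (self.states, state in (self.states or ())),
            (self.proto, pkt.proto == self.proto),
            (self.dport, pkt.dport == self.dport),
            (self.src, pkt.src == self.src),
            (self.dst, pkt.dst == self.dst),
            (self.iface, pkt.iface == self.iface),
        ]
        return all(ok for opt, ok in conds if opt is not None)


class Firewall:
    def __init__(self, input_rules, policy="DROP"):
        self.input_rules = list(input_rules)
        self.policy = policy  # like: iptables -P INPUT DROP
        self.conntrack = set()

    def state_of(self, pkt):
        if pkt.flow() in self.conntrack or pkt.reply_flow() in self.conntrack:
            return "ESTABLISHED"
        if pkt.proto == "tcp" and not pkt.syn:
            return "INVALID"
        return "NEW"

    def handle(self, pkt):
        """Return (chain, verdict) for one packet; first matching rule wins."""
        if pkt.dst not in LOCAL_IPS:  # routing decision: not for us -> FORWARD
            return ("FORWARD", self.policy)
        state = self.state_of(pkt)
        verdict = self.policy
        for rule in self.input_rules:
            if rule.matches(pkt, state):
                verdict = rule.target
                break
        if verdict == "ACCEPT":
            self.conntrack.add(pkt.flow())  # entry confirmed only on accept
        return ("INPUT", verdict)


# The rulesets discussed in the thread, transcribed into Rule objects.
ESTABLISHED_ONLY = [Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"}))]
WEB_MAIL = ESTABLISHED_ONLY + [
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", proto="tcp", dport=80, states=frozenset({"NEW"})),
    Rule("ACCEPT", proto="tcp", dport=25, states=frozenset({"NEW"})),
]
BOOK_RULE_S = [Rule("ACCEPT", proto="tcp", iface="eth0", dport=80, src="10.0.0.2")]
BOOK_RULE_D = [Rule("ACCEPT", proto="tcp", iface="eth0", dport=80, dst="10.0.0.2")]


def demo():
    """Constructed packets; 192.0.2.10 is an assumed client on the internet."""
    syn80 = Packet("192.0.2.10", "10.0.0.2", 80, syn=True)
    ack80 = Packet("192.0.2.10", "10.0.0.2", 80)  # later packet of the same flow
    syn22 = Packet("192.0.2.10", "10.0.0.2", 22, syn=True)
    lo_mysql = Packet("127.0.0.1", "127.0.0.1", 3306, syn=True, iface="lo")
    to_other = Packet("192.0.2.10", "10.0.0.9", 80, syn=True)  # not our address
    r = {}
    r["established_only_syn"] = Firewall(ESTABLISHED_ONLY).handle(syn80)
    r["web_stray_ack"] = Firewall(WEB_MAIL).handle(ack80)  # INVALID: no entry
    fw = Firewall(WEB_MAIL)
    r["web_syn"] = fw.handle(syn80)
    r["web_ack"] = fw.handle(ack80)
    r["web_ssh_syn"] = fw.handle(syn22)
    r["web_lo_mysql"] = fw.handle(lo_mysql)
    r["book_s_syn"] = Firewall(BOOK_RULE_S).handle(syn80)  # -s: client must be 10.0.0.2
    r["book_d_syn"] = Firewall(BOOK_RULE_D).handle(syn80)
    r["book_d_routed"] = Firewall(BOOK_RULE_D).handle(to_other)
    return r


if __name__ == "__main__":
    for name, (chain, verdict) in demo().items():
        print(f"{name:22} {chain:8} {verdict}")
```

Running it shows the SYN to port 80 dropped under the RELATED,ESTABLISHED-only chain, accepted once the NEW rule for port 80 is appended (and the follow-up packet of that flow accepted as ESTABLISHED), a bare ACK with no tracked flow dropped as INVALID, the book's -s rule dropping an ordinary client because its source is not 10.0.0.2, the -d variant accepting it, and the packet for 10.0.0.9 never reaching INPUT at all. The order of the rules matters in the model exactly as in iptables: the first match decides, so the ESTABLISHED rule placed first is what lets the rest of a connection through with a single check.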
 
Old 01-08-2008, 01:18 PM   #7
adam_blackice
Member
 
Original Poster
Really, thanks, you are right. I was making sure of that because that book specifies 10.0.0.2 as the address of the web server, so I got confused about the "-s" option. Overall you were great and really helpful, thanks again.