LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 02-08-2005, 10:23 PM   #1
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Rep: Reputation: 30
Stateful Packet Inspection Firewall (How could I tell)??


By looking at this firewall script (or iptables rules), could someone please tell me if this is a Stateful Packet Inspection firewall iptables ruleset??

If it's not, could someone please post a powerful Stateful Packet Inspection iptables firewall for me please??? I would appreciate it since I can't grasp the concept of iptables.

Please note: I am using the computer ONLY for emails and basic Internet surfing. That's all. All of my network servers like Samba/Apache are disabled under Services. It's a stand-alone computer. So, all I need is a Stateful Packet Inspection firewall code, if someone is kind enough to post it for me. Thank You!!! I REALLY NEED A STATEFUL PACKET INSPECTION code. I really really wish. Please, I would highly appreciate it.
======================================

Here is the current firewall script that I'm running below. And by looking at this current code, could someone here tell me if this is a Stateful Packet Inspection iptables ruleset???


Code:
#PROC SETTINGS 
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts    #Block pings to broadcast IP (smurf)
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians          #Log non-routable IPs
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route   #Block source-routed packets

iptables -F
iptables -t nat -F
iptables -X
iptables -Z
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

#DROP BAD PACKETS
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP      #DROP NEW NOT SYN
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP       #DROP SYN-FIN SCANS
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP       #DROP SYN-RST SCANS
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP       #DROP X-MAS SCANS
iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP               #DROP NMAP FIN SCAN
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP              #DROP NULL SCANS
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP               #DROP ALL/ALL SCANS

#LOG AND DROP IANA RESERVED/BOGONS
iptables -A INPUT -i ppp0 -s 0.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 0.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -j DROP

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Last edited by wardialer; 02-08-2005 at 10:30 PM.
 
Old 02-09-2005, 09:16 AM   #2
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Original Poster
Rep: Reputation: 30
I guess no one knows. This must be a forum for professional Linux users????
 
Old 02-09-2005, 11:21 AM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Iptables uses stateful packet inspection. The fact that your script has rules filtering by connection states (NEW, ESTABLISHED, RELATED) in multiple rules indicates that your firewall is already doing stateful filtering. In fact the ruleset you posted relies almost entirely on stateful inspection (it basically only allows connections that you initiate, so incoming packets must be part of an established connection). A non-stateful firewall can't track connection states and uses other mechanisms, like classifying all ACK packets as part of an established connection, regardless of whether a SYN was previously received or not.

Last edited by Capt_Caveman; 02-09-2005 at 11:25 AM.
 
Old 02-09-2005, 01:05 PM   #4
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Original Poster
Rep: Reputation: 30
Ok thanks alot. I really appreciate it.

But could you please confirm for me one more time that the code that I posted (which I am using now) on here does Stateful Packet Inspection?
And for the code I posted above, how can I tell that it's using Stateful Packet Inspection???

Please explain.
 
Old 02-09-2005, 01:11 PM   #5
tangle
Senior Member
 
Registered: Apr 2002
Location: Smithville, TN
Distribution: Slackware
Posts: 1,744

Rep: Reputation: 71
You might want to read this.
http://en.wikipedia.org/wiki/Stateful_firewall

As Capt_Caveman said, Netfilter (iptables) is a stateful packet filter. Basically a stateful firewall examines each packet and determines whether it is legit or not.
 
Old 02-09-2005, 01:22 PM   #6
tangle
Senior Member
 
Registered: Apr 2002
Location: Smithville, TN
Distribution: Slackware
Posts: 1,744

Rep: Reputation: 71
Here are 2 examples in your code.

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP #DROP NEW NOT SYN
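The following is an added illustration, not code from this thread or from any of its posters. It is a toy Python model of the two rules tangle quotes from the posted script (drop NEW-but-not-SYN, accept ESTABLISHED/RELATED, with the chain's DROP policy behind them), placed beside the stateless "any ACK means established" behaviour Capt_Caveman describes in post #3. The connection table, host addresses, ports and packet sequence are all constructed for the example; RELATED state (helper-tracked connections) is not modelled.

```python
# Added illustration (not code from the thread): a toy model of how the
# state-matching rules in the posted script decide an INPUT packet's fate,
# beside a stateless filter that treats every ACK-bearing packet as part of
# an established connection. Hosts, ports and packets are constructed.
from dataclasses import dataclass

LOCAL_IP = "192.0.2.5"  # constructed address for the firewalled host


@dataclass(frozen=True)
class Packet:
    direction: str    # "in" (arrives on INPUT) or "out" (leaves via OUTPUT)
    remote_ip: str
    remote_port: int
    local_port: int
    flags: frozenset  # TCP flags present, e.g. frozenset({"SYN", "ACK"})


def is_syn_only(pkt):
    """Equivalent of iptables '--syn': SYN set, ACK/RST/FIN clear."""
    return "SYN" in pkt.flags and not (pkt.flags & {"ACK", "RST", "FIN"})


class ConnTracker:
    """Minimal stand-in for Netfilter's conntrack table (constructed model)."""

    def __init__(self):
        self.table = {}  # (remote_ip, remote_port, local_port) -> entry

    @staticmethod
    def key(pkt):
        return (pkt.remote_ip, pkt.remote_port, pkt.local_port)

    def classify(self, pkt):
        entry = self.table.get(self.key(pkt))
        if entry is None:
            return "NEW"            # first packet of a connection
        if pkt.direction != entry["orig_dir"] or entry["seen_reply"]:
            return "ESTABLISHED"    # traffic in both directions has been seen
        return "NEW"                # retransmission before any reply

    def record(self, pkt):
        """Called only for accepted packets: entries are confirmed on ACCEPT."""
        entry = self.table.setdefault(
            self.key(pkt), {"orig_dir": pkt.direction, "seen_reply": False})
        if pkt.direction != entry["orig_dir"]:
            entry["seen_reply"] = True


class StatefulFirewall:
    """Models the INPUT rules from the posted script that involve state."""

    def __init__(self):
        self.ct = ConnTracker()

    def verdict(self, pkt):
        if pkt.direction == "out":
            decision = "ACCEPT"      # iptables -P OUTPUT ACCEPT
        else:
            state = self.ct.classify(pkt)
            if state == "NEW" and not is_syn_only(pkt):
                decision = "DROP"    # -p tcp ! --syn -m state --state NEW -j DROP
            elif state == "ESTABLISHED":
                decision = "ACCEPT"  # -m state --state ESTABLISHED,RELATED -j ACCEPT
            else:
                decision = "DROP"    # iptables -P INPUT DROP
        if decision == "ACCEPT":
            self.ct.record(pkt)
        return decision


class StatelessFirewall:
    """No connection table: an ACK bit is taken as proof of an existing connection."""

    def verdict(self, pkt):
        if pkt.direction == "out" or "ACK" in pkt.flags:
            return "ACCEPT"
        return "DROP"


def run(firewall, packets):
    """Return the verdict for each packet, in order."""
    return [firewall.verdict(p) for p in packets]


# Constructed traffic: the host opens an HTTP connection, then two
# unsolicited inbound packets arrive for port 22 with no prior connection.
F = frozenset
TRAFFIC = [
    Packet("out", "203.0.113.10", 80, 40000, F({"SYN"})),         # our SYN
    Packet("in",  "203.0.113.10", 80, 40000, F({"SYN", "ACK"})),  # server's reply
    Packet("out", "203.0.113.10", 80, 40000, F({"ACK"})),         # handshake done
    Packet("in",  "203.0.113.10", 80, 40000, F({"ACK", "PSH"})),  # server data
    Packet("in",  "198.51.100.7", 12345, 22, F({"ACK"})),         # unsolicited ACK
    Packet("in",  "198.51.100.7", 12346, 22, F({"SYN"})),         # unsolicited SYN
]

if __name__ == "__main__":
    for name, fw in (("stateful", StatefulFirewall()), ("stateless", StatelessFirewall())):
        print(name, run(fw, TRAFFIC))
```

Run as-is and the two models agree on the connection the host opened itself, but diverge on the fifth packet: the stateful model has no table entry for it, so it is NEW without a bare SYN and the first quoted rule drops it, whereas the stateless model accepts it purely because the ACK bit is set. The sixth packet (a plain SYN to a port nothing listens on) is dropped by both, in the stateful case by the INPUT chain's DROP policy rather than by either quoted rule.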
 
Old 02-09-2005, 01:27 PM   #7
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Original Poster
Rep: Reputation: 30
Thanks, I got it. I really thank you very much for your help.

I apologize; even though I had read numerous manuals about the Linux firewall, I still do not or cannot grasp it in my head. It's very complicated.... But I will try my best to resolve this.

Last edited by wardialer; 02-09-2005 at 01:41 PM.
 
Old 02-09-2005, 10:01 PM   #8
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Original Poster
Rep: Reputation: 30
I found a very good article on how these things actually work. VERY VERY great article. It explains everything in detail.

Take a look:

http://www.samag.com/documents/s=176...112a/0112a.htm
 
Old 02-10-2005, 07:54 PM   #9
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Also see:
http://www.sns.ias.edu/~jns/security...conntrack.html
 
Old 02-10-2005, 09:11 PM   #10
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Original Poster
Rep: Reputation: 30
The firewall script that I posted above (Post #1), is that a Stateful Packet Inspection firewall script? Please confirm one more time, I would appreciate it.

And remember, I want to use this script for Dial-Up and DSL connections....

Last edited by wardialer; 02-13-2005 at 02:06 PM.
 