Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
i have a machine acting as a gateway and connected to internal and external network. Firstly i need to allow only http and smtp services to the external netwrok, bcoz i have appache running on one of internal network . How do i do that????
secondly what does ESTABLISHED RELATED and NEW mean. i have been reading about this on the web and could hardly understand the need. can someone make me clear about this with example if possible.
Regards,
Gautam
Center for information and Netwrok Security
To block off all unwanted connections:
# Allow http
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Allow smtp
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
# Drop everything else
iptables -P INPUT DROP
ESTABLISHED RELATED and NEW are connection states - you can use them to say that only certain types of connction are allowed to pass through a rules table.
It's particularly usefull in the ftp passive mode, it actually know the state of a connexion.
control channel
on port 21 you write your two rules, with new and established
data channel
on >1024 port you write your two rules with related and established
Related means that another connexion has been previously opened.
You'll find many exemples about this on the internet.
Another exemple is
# Allow you to connect to http servers
iptables -A INPUT -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
Imagine you just open this on your machine, some may think they are protected from scans because they block all incomming ports except the ones from remote port 80 because you need to accept dialog with the http server.
But imagine the evil guy specifies his source port as 80 to scan your machine, then it's like you didn't have any firewall.
Solution :
iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT #This is the first rule used when the connection is opened
So now if someone scans from port 80, packets will be droped because no connexion would have been previously opened to match this rule
iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
If it doesn't make sense it might be my english and/or read more documentation about this.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.