LinuxQuestions.org


trist007 12-18-2010 12:55 PM

A question about iptables and connection tracking...
 
On my CentOS 5.4 box I run dns, ssh, and smtp servers. This box also has to be able to resolve and browse websites.

So basically it needs iptable rules for

TCP 22 25 80 443
UDP 53

My question is, which of these services work nicely with connection tracking?

I'm a little confused about how connection tracking works.

For example say this iptables rule for smtp
Code:

iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d $myip --dport 25 -j ACCEPT
versus
Code:

iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d $myip --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
So with connection tracking what exactly does it do that my first iptables rule does not do?

Also for centos is that port range correct? 2.6 Linux kernel randomly chooses a port 513-65535 when it connects to an external smtp server or say browses a site.

teebones 12-19-2010 07:17 AM

Simply put, what connection tracking does (NEW, ESTABLISHED) is: if the remote party requires an extra random incoming connection on your side to be allowed, iptables will open this extra connection for you on your side, between you and the remote service only. See it as a dynamic firewalling system that detects requests made by applications to open up additional ports for that program to function properly (e.g. passive FTP is a good example of this: when you successfully connect/authenticate to an FTP server that is running in passive mode, that server requests a random data port to be used for transfers between you and the server. Without tracking, you have to manually open up that port for it to function. With connection tracking, it goes fully automatically). Also, connection tracking helps with NAT setups.

trist007 12-21-2010 10:17 PM

Nice that explains it perfectly, thank you.

trist007 01-02-2011 09:44 AM

Could you give a few examples of this. Like which protocols will open a new connection under a different port?

trist007 01-04-2011 12:35 PM

bump

chrism01 01-04-2011 06:35 PM

As teebones said, check out ftp http://slacksite.com/other/ftp.html
BTW, DNS will use TCP for certain queries, so you'll need to allow TCP 53 as well.
http://linux.die.net/man/1/dig

lazydog 01-05-2011 02:12 PM

Here is more detail on the 5 Connection Types. There is a lot more information on that page about IPTABLES.

I for one would have my first rule being an ESTABLISHED,RELATED rule that way your rules don't have to be read for every packet that arrives.

Here is a simple rule set for your input;
Code:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT   # --dport only works with -p, so one rule per protocol
iptables -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
iptables -A INPUT -j DROP

Since you will be using both UDP and TCP for DNS (53) there is no reason to create 2 rules.
You should adjust these rule to work for your system.

Andy Alt 01-06-2011 12:43 AM

connection tracking modules
 
I seem to recall a few weeks ago, when experimenting with an ftp server, my firewall was okay, but I had to
Code:

modprobe nf_conntrack_ftp
before I could receive an incoming connection. I imagine that module is built into kernels on some distributions, and wouldn't be necessary in every case.

Other connection tracking modules (in case the reference helps):

./kernel/net/ipv4/netfilter/nf_conntrack_ipv4.ko
./kernel/net/netfilter/nf_conntrack_proto_udplite.ko
./kernel/net/netfilter/nf_conntrack_netbios_ns.ko
./kernel/net/netfilter/nf_conntrack_ftp.ko
./kernel/net/netfilter/nf_conntrack_pptp.ko
./kernel/net/netfilter/nf_conntrack_amanda.ko
./kernel/net/netfilter/nf_conntrack_proto_gre.ko
./kernel/net/netfilter/nf_conntrack_irc.ko
./kernel/net/netfilter/nf_conntrack_h323.ko
./kernel/net/netfilter/nf_conntrack_proto_sctp.ko
./kernel/net/netfilter/nf_conntrack.ko
./kernel/net/netfilter/nf_conntrack_sane.ko
./kernel/net/netfilter/nf_conntrack_netlink.ko
./kernel/net/netfilter/nf_conntrack_proto_dccp.ko
./kernel/net/netfilter/nf_conntrack_tftp.ko
./kernel/net/netfilter/xt_conntrack.ko
./kernel/net/netfilter/nf_conntrack_sip.ko
./kernel/net/ipv6/netfilter/nf_conntrack_ipv6.ko

trist007 01-20-2011 11:33 AM

Good stuff. I wanted to ask for any recommendations on my iptables INPUT rules. I have a feeling my current setup makes my server more prone to DoS attacks simply because of all the connection tracking going on.

# INPUT
$IP -A INPUT -i lo -p all -j ACCEPT
$IP -A INPUT -p icmp -j ACCEPT
$IP -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
$IP -A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 123 -m state --state NEW -j ACCEPT   # network time protocol daemon
$IP -A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
$IP -A INPUT -j DROP

Which of these ports absolutely require connection tracking?

chrism01 01-20-2011 08:03 PM

If you read my link above to the FTP explanation, you'll come across this
Quote:

FTP is a TCP based service exclusively. There is no UDP component to FTP. FTP is an unusual service in that it utilizes two ports, a 'data' port and a 'command' port (also known as the control port). Traditionally these are port 21 for the command port and port 20 for the data port. The confusion begins however, when we find that depending on the mode, the data port is not always on port 20.
See also post #2 by teebones.

Incidentally, I'd recommend using a default policy rather than a rule to drop unwanted connections; see post #1 http://www.linuxquestions.org/questi...policy-179408/

lazydog 01-25-2011 07:56 PM

Quote:

Originally Posted by trist007 (Post 4231860)
Good stuff. I wanted to ask for any recommendations on my iptables INPUT rules. I have a feeling my current setup makes my server more prone to DoS attacks simply because of all the connection tracking going on.
Which of these ports absolutely require connection tracking?

They all do. You should not mix Stateful and Non-Stateful firewall rules.

I would also not just accept ICMP packets blindly as you do above.
Have a look at This Site to help decide which messages from ICMP you need to allow.
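The following is an added example, not code from this thread or from any of its posters: a small Python model of the four conntrack states (NEW, ESTABLISHED, RELATED, INVALID) plus the passive-FTP helper that nf_conntrack_ftp provides. It runs the port-only rule from post #1 and lazydog's ESTABLISHED,RELATED-first layout over constructed packets, so the difference asked about in post #1, the "which ports require tracking" question above, and Andy Alt's modprobe observation can all be seen on one screen. Every address (192.0.2.10, 198.51.100.7), port and packet is made up for the demonstration; the state machine is a simplification of what the kernel does.

```python
# Added example (not code from the thread): a toy model of what "-m state"
# adds on top of a port-only rule. It mimics the states conntrack assigns
# (NEW / ESTABLISHED / RELATED / INVALID) and the passive-FTP helper that
# nf_conntrack_ftp provides, then runs the thread's two rule styles over
# constructed packets. Every address, port and packet here is made up.
from dataclasses import dataclass

MYIP = "192.0.2.10"      # constructed: the server from the thread ($myip)
REMOTE = "198.51.100.7"  # constructed: a remote host
OPEN_PORTS = frozenset({("tcp", 21), ("tcp", 22), ("tcp", 25), ("tcp", 53),
                        ("udp", 53), ("tcp", 80), ("tcp", 443)})  # services opened for NEW
SYN, SYNACK, ACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags on the wire
    payload: str = ""               # only inspected by the FTP helper

class Conntrack:
    """Minimal stand-in for the kernel conntrack table; every chain shares it."""
    def __init__(self, ftp_helper=True):
        self.flows = {}        # flow key -> {"orig": 4-tuple, "replied": bool}
        self.expected = set()  # (proto, dst, dport) announced by a helper
        self.ftp_helper = ftp_helper

    @staticmethod
    def _key(p):
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])  # both directions, one entry
        return (p.proto, ends[0], ends[1])

    def classify(self, p):
        key, tup = self._key(p), (p.src, p.sport, p.dst, p.dport)
        flow = self.flows.get(key)
        if flow is None:
            # First packet of a flow: only a bare SYN may start a TCP flow, anything else is INVALID
            if p.proto == "tcp" and p.flags != SYN:
                return "INVALID"
            self.flows[key] = {"orig": tup, "replied": False}
            if (p.proto, p.dst, p.dport) in self.expected:
                self.expected.discard((p.proto, p.dst, p.dport))
                return "RELATED"  # a helper announced this connection
            return "NEW"
        if flow["orig"] != tup:
            flow["replied"] = True  # traffic now seen in both directions
        self._ftp_helper(p)
        return "ESTABLISHED" if flow["replied"] else "NEW"

    def _ftp_helper(self, p):
        # Parse a PASV reply on the control channel and expect the data port.
        if self.ftp_helper and p.proto == "tcp" and p.sport == 21 and p.payload.startswith("227"):
            inner = p.payload[p.payload.index("(") + 1:p.payload.index(")")]
            h1, h2, h3, h4, p1, p2 = (int(x) for x in inner.split(","))
            self.expected.add(("tcp", f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))

def stateless_input(p):
    """The port-only rule from post #1 (with -p tcp, which --dport needs)."""
    ok = p.proto == "tcp" and p.dst == MYIP and 513 <= p.sport <= 65535 and p.dport == 25
    return "ACCEPT" if ok else "DROP"

def stateful_input(ct, p):
    """lazydog's layout: ESTABLISHED,RELATED first, NEW per service, then DROP."""
    state = ct.classify(p)
    if state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    if state == "NEW" and p.dst == MYIP and (p.proto, p.dport) in OPEN_PORTS:
        return "ACCEPT"
    return "DROP"

def passive_ftp_data(ct):
    # A remote client reaches our FTP server, gets a PASV port and connects to it.
    stateful_input(ct, Packet("tcp", REMOTE, 40002, MYIP, 21, SYN))
    ct.classify(Packet("tcp", MYIP, 21, REMOTE, 40002, ACK,   # our reply, seen on OUTPUT
                       "227 Entering Passive Mode (192,0,2,10,195,80)"))  # 195*256+80 = 50000
    return stateful_input(ct, Packet("tcp", REMOTE, 40003, MYIP, 50000, SYN))

def run_scenarios():
    ct, out = Conntrack(), {}
    # 1. A remote mail server opens a connection to us: both styles accept.
    p = Packet("tcp", REMOTE, 40000, MYIP, 25, SYN)
    out["inbound_smtp_syn"] = (stateless_input(p), stateful_input(ct, p))
    # 2. A bare ACK to port 25 belonging to no flow: the port-only rule lets it
    #    in, conntrack calls it INVALID and the stateful set drops it.
    p = Packet("tcp", REMOTE, 40001, MYIP, 25, ACK)
    out["stray_ack_to_25"] = (stateless_input(p), stateful_input(ct, p))
    # 3. Our box is the SMTP client. The SYN-ACK coming back has sport 25 and our
    #    random dport: the port-only INPUT rule never matches, ESTABLISHED does.
    ct.classify(Packet("tcp", MYIP, 51234, REMOTE, 25, SYN))  # outbound SYN, OUTPUT hook
    p = Packet("tcp", REMOTE, 25, MYIP, 51234, SYNACK)
    out["smtp_reply"] = (stateless_input(p), stateful_input(ct, p))
    # 4. Passive FTP served by us (Andy Alt's case): with the helper the data SYN
    #    is RELATED; without it the SYN is NEW to an unlisted port and is dropped.
    out["ftp_data_with_helper"] = passive_ftp_data(Conntrack(ftp_helper=True))
    out["ftp_data_without_helper"] = passive_ftp_data(Conntrack(ftp_helper=False))
    return out
```

Run `run_scenarios()` to get the verdict of each rule style per scenario. Scenario 2 is the one that answers post #1 directly: the port-only rule accepts any packet whose ports fit, including a bare ACK that belongs to no connection, whereas the stateful rule only accepts packets conntrack can place in a flow. Scenario 3 shows why the ESTABLISHED,RELATED rule goes first: reply traffic to the box's own outbound connections is accepted without a per-port rule, and scenario 4 shows what modprobe nf_conntrack_ftp changes for an incoming passive-mode data connection.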

