A question about iptables and connection tracking...
On my CentOS 5.4 box I run dns, ssh, and smtp servers. This box also has to be able to resolve and browse websites.
So basically it needs iptables rules for TCP 22, 25, 80, 443 and UDP 53. My question is, which of these services work nicely with connection tracking? I'm a little confused about how connection tracking works. For example, take this iptables rule for SMTP:
Code:
iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d $myip --dport 25 -j ACCEPT
Code:
iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d $myip --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
Also, for CentOS, is that port range correct? The 2.6 Linux kernel randomly chooses a port in 513-65535 when it connects to an external SMTP server or, say, browses a site.
Simply put, what connection tracking does (NEW, ESTABLISHED) is: if the remote party requires an extra random incoming connection on your side to be allowed, iptables will open this extra connection for you on your side, between you and the remote service only. See it as a dynamic firewalling system that detects requests made by applications to open up additional ports for that program to function properly. (E.g. passive FTP is a good example of this. When you successfully connect/authenticate to an FTP server that is running in passive mode, that server requests a random data port to be used for transfers between you and the server. Without tracking, you have to manually open up that port for it to function. With connection tracking, it goes fully automatically.) Also, connection tracking helps with NAT setups.
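As an added illustration of the passive FTP case described above (this is not code from the thread), the script below mimics the one job the nf_conntrack_ftp helper does on the FTP server: it reads the server's "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply on the port-21 control connection and derives the expectation that makes the client's later connection to h1.h2.h3.h4:(p1*256+p2) count as RELATED, so the normal ESTABLISHED,RELATED rule accepts it without a static rule for that port. The IP addresses and PASV replies are constructed sample data; the function names are my own, not kernel names.

```shell
#!/bin/sh
# Added example, not from the thread: what nf_conntrack_ftp extracts from
# a passive-mode reply to create a RELATED expectation.  Sample data only.

# pasv_endpoint REPLY -> prints "host port", returns 1 if REPLY is not a 227.
pasv_endpoint() {
    set -- $(printf '%s\n' "$1" | sed -n \
        's/^227 .*(\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\)).*/\1.\2.\3.\4 \5 \6/p')
    [ $# -eq 3 ] || return 1
    # p1 is the high byte and p2 the low byte of the data port.
    printf '%s %d\n' "$1" $(( $2 * 256 + $3 ))
}

# expectation CLIENT_IP REPLY -> the tuple (client source port unknown) that
# the helper registers with conntrack as RELATED to the control connection.
expectation() {
    ep=$(pasv_endpoint "$2") || return 1
    set -- "$1" $ep
    printf 'tcp %s:* -> %s:%s RELATED\n' "$1" "$2" "$3"
}

# Constructed sample: client 198.51.100.7 talks to server 203.0.113.10,
# which announces data port 195*256+80 = 50000.
expectation 198.51.100.7 '227 Entering Passive Mode (203,0,113,10,195,80)'
# -> tcp 198.51.100.7:* -> 203.0.113.10:50000 RELATED
```

Without the helper loaded (modprobe nf_conntrack_ftp, as mentioned later in the thread) the kernel never parses the 227 reply, the data connection arrives as NEW, and the only way to make it work is a static rule for the server's whole passive port range. With the helper, the static rules needed are just the ESTABLISHED,RELATED rule and a NEW rule for port 21.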
Nice, that explains it perfectly. Thank you.
Could you give a few examples of this. Like which protocols will open a new connection under a different port?
bump
As teebones said, check out FTP: http://slacksite.com/other/ftp.html
BTW, DNS will use TCP for certain queries, so you'll need to allow TCP 53 as well. http://linux.die.net/man/1/dig
Here is more detail on the 5 Connection Types. There is a lot more information on that page about IPTABLES.
I for one would have my first rule be an ESTABLISHED,RELATED rule; that way your rules don't have to be read for every packet that arrives. Here is a simple rule set for your INPUT chain:
Code:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
You should adjust these rules to work for your system.
connection tracking modules
I seem to recall a few weeks ago, when experimenting with an FTP server, my firewall was okay, but I had to
Code:
modprobe nf_conntrack_ftp
Other connection tracking modules (in case the reference helps):
Code:
./kernel/net/ipv4/netfilter/nf_conntrack_ipv4.ko
./kernel/net/netfilter/nf_conntrack_proto_udplite.ko
./kernel/net/netfilter/nf_conntrack_netbios_ns.ko
./kernel/net/netfilter/nf_conntrack_ftp.ko
./kernel/net/netfilter/nf_conntrack_pptp.ko
./kernel/net/netfilter/nf_conntrack_amanda.ko
./kernel/net/netfilter/nf_conntrack_proto_gre.ko
./kernel/net/netfilter/nf_conntrack_irc.ko
./kernel/net/netfilter/nf_conntrack_h323.ko
./kernel/net/netfilter/nf_conntrack_proto_sctp.ko
./kernel/net/netfilter/nf_conntrack.ko
./kernel/net/netfilter/nf_conntrack_sane.ko
./kernel/net/netfilter/nf_conntrack_netlink.ko
./kernel/net/netfilter/nf_conntrack_proto_dccp.ko
./kernel/net/netfilter/nf_conntrack_tftp.ko
./kernel/net/netfilter/xt_conntrack.ko
./kernel/net/netfilter/nf_conntrack_sip.ko
./kernel/net/ipv6/netfilter/nf_conntrack_ipv6.ko
Good stuff. I wanted to ask for any recommendations on my iptables INPUT rules. I have a feeling my current setup makes my server more prone to DoS attacks simply because of all the connection tracking going on.
Code:
# INPUT
$IP -A INPUT -i lo -p all -j ACCEPT
$IP -A INPUT -p icmp -j ACCEPT
$IP -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
$IP -A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 123 -m state --state NEW -j ACCEPT   # network time protocol daemon
$IP -A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
$IP -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
$IP -A INPUT -j DROP
Which of these ports absolutely require connection tracking?
If you read my link above to the FTP explanation, you'll come across this
Quote:
Incidentally, I'd recommend using a default policy rather than a rule to drop unwanted connections; see post #1 http://www.linuxquestions.org/questi...policy-179408/
Quote:
I would also not just accept ICMP packets blindly as you do above. Have a look at This Site to help decide which messages from ICMP you need to allow.
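Pulling the thread's advice together (ESTABLISHED,RELATED first, TCP 53 alongside UDP 53, a default DROP policy instead of a trailing DROP rule, and only selected ICMP types), here is the poster's INPUT rule set rebuilt as an iptables-restore file. This is an added example, not the original poster's script and not a rule set from any of the replies; the port list is the one from the thread and nothing else about the host is assumed. Two changes go beyond what the replies say outright: echo-request is rate-limited rather than accepted unconditionally, and the TCP 123 rule is dropped because ntpd uses UDP only.

```shell
#!/bin/sh
# Added example, not the original poster's script: the thread's INPUT rules
# as an iptables-restore file.  Differences from the posted set:
#   - default policy DROP on INPUT instead of a trailing "-j DROP" rule,
#   - ESTABLISHED,RELATED as the first real rule, INVALID dropped right after,
#   - only the ICMP types a server needs, with echo-request rate-limited,
#   - DNS on TCP as well as UDP, NTP on UDP only (ntpd does not use TCP 123).
# iptables-restore loads the whole file in one step, so there is no moment
# where the DROP policy is in force while the ACCEPT rules are still missing.

tcp_services="21 22 25 53 80 443"
udp_services="53 123"
# Error reports and path-MTU discovery need these; echo-request is handled separately.
icmp_types="destination-unreachable time-exceeded parameter-problem"

emit_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # Rule two: replies to this host's own queries and connections a helper
    # marked RELATED (passive FTP data) are accepted here, so the bulk of
    # traffic never reaches the per-port rules below.
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m state --state INVALID -j DROP'
    for t in $icmp_types; do
        echo "-A INPUT -p icmp --icmp-type $t -j ACCEPT"
    done
    echo '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s --limit-burst 10 -j ACCEPT'
    for p in $tcp_services; do
        echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $udp_services; do
        echo "-A INPUT -p udp --dport $p -m state --state NEW -j ACCEPT"
    done
    # No closing DROP rule: the chain policy does that.
    echo 'COMMIT'
}

# Apply with:  modprobe nf_conntrack_ftp && emit_ruleset | iptables-restore
emit_ruleset
```

On the DoS worry in the post: the state match itself is cheap, and with ESTABLISHED,RELATED in second place almost every packet leaves the chain there. The real exposure is the conntrack table, which holds one entry per tracked flow; once it is full the kernel logs "nf_conntrack: table full, dropping packet" and refuses new flows. Watch nf_conntrack_count against nf_conntrack_max under /proc/sys/net/netfilter (ip_conntrack_count and ip_conntrack_max under /proc/sys/net/ipv4/netfilter on kernels still using ip_conntrack) and raise the maximum if a busy DNS or web service gets near it. Of the services listed, only FTP needs a helper module; the others work with plain NEW/ESTABLISHED tracking.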