savona 05-03-2011 04:46 PM

iptables - Is it necessary to use the NEW state match?
I am looking to learn more about netfilter/iptables. I have been reading a lot of different documents online and I notice that some people open a port like this:

(using http as an example)

iptables -I INPUT -p tcp --dport 80 -j ACCEPT

While others use the state match like so:

iptables -I INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT

My question is, why do I need to use the state NEW here? I understand that NEW means a new connection, and I understand the use of ESTABLISHED, RELATED. But is the NEW needed here? What is the working difference between the two statements above?

acid_kewpie 05-03-2011 04:59 PM

Well it's fundamentally that the connection might not be new... you could receive all sorts of crap trying to exploit your rule base and systems behind it. You have new connections, you have ones you already know about and trust, but you have the third category of "other shit" and if you don't use the NEW state you'll let in all that other rubbish.
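
The following is an added example, not part of the thread: a minimal stateful INPUT policy that shows where the question's "-m state --state NEW" rule fits next to the ESTABLISHED,RELATED and INVALID rules. The plain "-p tcp --dport 80 -j ACCEPT" form makes no state decision at all, so any TCP segment to port 80 matches it, including ones conntrack would flag as INVALID; the NEW form only accepts packets that open a connection, and leaves the rest to the other state rules. The port number and the "--apply" switch are assumptions for this example; the helper prints the rules so they can be reviewed before they are applied as root. ("-m state" is the older match; "-m conntrack --ctstate" is the modern equivalent with the same state names.)

```shell
#!/bin/sh
# Added example (not from the thread): build a small stateful INPUT policy.
# Usage:  sh stateful.sh          -> print the rules for review
#         sh stateful.sh --apply  -> run them (needs root); not done by default

HTTP_PORT=80   # constructed sample value for the example

stateful_rules() {
  # 1. Packets belonging to (or related to) connections conntrack already tracks.
  echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
  # 2. Packets conntrack cannot classify (for example out-of-window TCP segments).
  #    A plain '--dport 80 -j ACCEPT' rule would accept these for port 80.
  echo "iptables -A INPUT -m state --state INVALID -j DROP"
  # 3. Loopback is trusted; this is the one ACCEPT that does not consult state.
  echo "iptables -A INPUT -i lo -j ACCEPT"
  # 4. Only connection openings to the web port are accepted unsolicited.
  echo "iptables -A INPUT -p tcp --dport $HTTP_PORT -m state --state NEW -j ACCEPT"
  # 5. Policy last, so an existing admin session is covered by rule 1 before the
  #    default flips to DROP.
  echo "iptables -P INPUT DROP"
}

# Quick lint: how many ACCEPT rules decide without a state match?
# For the ruleset above the answer is 1 (the loopback rule).
stateless_accept_count() {
  stateful_rules | grep -v -- '--state' | grep -c -- '-j ACCEPT'
}

if [ "$1" = "--apply" ]; then
  stateful_rules | while IFS= read -r rule; do
    eval "$rule"
  done
else
  stateful_rules
fi
```

Running the script without arguments only prints the five commands; the "--apply" path executes them in order, so the ESTABLISHED,RELATED rule is in place before the INPUT policy becomes DROP.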

unSpawn 05-03-2011 07:13 PM

...and in addition to that here's another explanation:

savona 05-04-2011 10:22 AM

Thanks for the info. I will continue to read.

