LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Stateful Packet Inspection Firewall (How could I tell)?? (https://www.linuxquestions.org/questions/linux-security-4/stateful-packet-inspection-firewall-how-could-i-tell-287939/)

wardialer 02-08-2005 10:23 PM

Stateful Packet Inspection Firewall (How could I tell)??
 
By looking at this firewall script (or iptables rules), could someone please tell me if this is a Stateful Packet Inspection firewall iptables ruleset??

If it's not, could someone please post a powerful Stateful Packet Inspection iptables firewall for me please??? I would appreciate it since I can't grasp the concept of iptables.

Please note that I am using the computer ONLY for emails and basic Internet surfing. That's all. All of my Network Servers like Samba/Apache are all disabled under Services. It's a stand-alone computer. So, all I need is a Stateful Packet Inspection firewall code, if someone is kind enough to post it for me. Thank You!!! I REALLY NEED A STATEFUL PACKET INSPECTION code. I really really wish. Please, I would highly appreciate it.
======================================

Here is the current firewall script that I'm running below. And by looking at this current code, could someone here tell me if this is a Stateful Packet Inspection iptables ruleset???


Code:

#!/bin/sh
#PROC SETTINGS
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts    #Block pings to broadcast IP (smurf)
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians          #Log non-routable IPs
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route  #Block source-routed packets

#FLUSH EVERYTHING AND SET DEFAULT POLICIES (drop unless a rule below accepts)
iptables -F                  #Flush all rules in the filter table
iptables -t nat -F           #Flush the nat table
iptables -X                  #Delete user-defined chains
iptables -Z                  #Zero the packet/byte counters
iptables -P OUTPUT ACCEPT    #Outgoing traffic allowed
iptables -P INPUT DROP       #Incoming traffic dropped unless explicitly accepted
iptables -P FORWARD DROP     #Not a router, so forward nothing

#DROP BAD PACKETS
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP      #DROP NEW NOT SYN (new TCP connection must start with a SYN)
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP      #DROP SYN-FIN SCANS
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP      #DROP SYN-RST SCANS
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP      #DROP X-MAS SCANS
iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP              #DROP NMAP FIN SCAN
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP              #DROP NULL SCANS
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP              #DROP ALL/ALL SCANS

#LOG AND DROP IANA RESERVED/BOGONS (ppp0 = the dial-up PPP interface; log is rate-limited to 5/min)
iptables -A INPUT -i ppp0 -s 0.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 0.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -j DROP

iptables -A INPUT -i lo -j ACCEPT          #Allow loopback

#STATEFUL RULE: accept replies to connections this host started
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


wardialer 02-09-2005 09:16 AM

I guess no one knows. This must be a forum for professional Linux users????

Capt_Caveman 02-09-2005 11:21 AM

Iptables uses stateful packet inspection. The fact that your script has rules filtering by connection states (NEW, ESTABLISHED, RELATED) in multiple rules indicates that your firewall is already doing stateful filtering. In fact the ruleset you posted relies almost entirely on stateful inspection (it basically only allows connections that you initiate, so incoming packets must be part of an established connection). A non-stateful firewall can't track connection states and uses other mechanisms, like classifying all ACK packets as part of an established connection, regardless of whether a SYN was previously received or not.
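
The difference Capt_Caveman describes can be shown with a small model. The block below is an added example, not code from the thread or from netfilter: it keeps a toy connection table standing in for the kernel's conntrack, walks the INPUT rules from the posted script in order, and compares the verdict with the older stateless heuristic ("ACK set means the connection already exists"). It also answers the "how could I tell" question mechanically by scanning rule text for `-m state` / `-m conntrack`. The class and function names (`ConnTrack`, `stateful_input`, `stateless_input`, `uses_state_matching`) and the RFC 5737 addresses are the example's own choices.

```python
from dataclasses import dataclass

# Three INPUT rules copied from the thread's script (the ones that consult connection state,
# plus the loopback rule for contrast).
RULES = """
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"""

def uses_state_matching(rule_text):
    """Return the rules that consult connection state: a non-empty list means the
    ruleset is doing stateful filtering (the thread's 'how could I tell' question)."""
    return [line for line in rule_text.splitlines()
            if "-m state" in line or "-m conntrack" in line]

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # TCP flags set on this segment, e.g. frozenset({"SYN", "ACK"})

def is_syn(p):
    """iptables --syn: SYN set and ACK, RST, FIN clear (first packet of a handshake)."""
    return "SYN" in p.flags and not (p.flags & {"ACK", "RST", "FIN"})

class ConnTrack:
    """Minimal stand-in for the kernel connection table (ip_conntrack in 2005)."""
    def __init__(self):
        self.table = {}   # flow key -> "NEW" or "ESTABLISHED"

    @staticmethod
    def key(p):
        # Same key for both directions of a flow
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def outbound(self, p):
        """A packet this host sends (OUTPUT policy ACCEPT) creates the tracking entry."""
        self.table.setdefault(self.key(p), "NEW")

    def state(self, p):
        """Classify an INPUT packet the way -m state would."""
        k = self.key(p)
        if k not in self.table:
            return "NEW"                      # nothing we sent matches this flow
        self.table[k] = "ESTABLISHED"         # a reply to something we sent
        return "ESTABLISHED"

def stateful_input(p, ct):
    """Walk the state-related INPUT rules of the posted script in order; policy is DROP."""
    st = ct.state(p)
    if not is_syn(p) and st == "NEW":          # -p tcp ! --syn -m state --state NEW -j DROP
        return "DROP"
    if st in ("ESTABLISHED", "RELATED"):       # -m state --state ESTABLISHED,RELATED -j ACCEPT
        return "ACCEPT"
    return "DROP"                              # iptables -P INPUT DROP

def stateless_input(p):
    """The non-stateful mechanism from the post: any segment with ACK set is
    treated as belonging to an existing connection, SYN was never checked."""
    return "ACCEPT" if "ACK" in p.flags else "DROP"

def demo():
    """Run three constructed packets through both models; returns (stateful, stateless) verdicts."""
    ct = ConnTrack()
    me, web, stranger = "192.0.2.10", "198.51.100.80", "203.0.113.7"   # constructed doc addresses
    results = {}
    # 1. We browse to a web site: our SYN goes out, the server's SYN/ACK comes back.
    ct.outbound(Packet(me, 40000, web, 80, frozenset({"SYN"})))
    reply = Packet(web, 80, me, 40000, frozenset({"SYN", "ACK"}))
    results["reply_to_our_connection"] = (stateful_input(reply, ct), stateless_input(reply))
    # 2. An unsolicited ACK-only segment arrives for a flow we never opened.
    stray_ack = Packet(stranger, 4444, me, 22, frozenset({"ACK"}))
    results["unsolicited_ack"] = (stateful_input(stray_ack, ct), stateless_input(stray_ack))
    # 3. An unsolicited connection attempt (plain SYN) to the same port.
    stray_syn = Packet(stranger, 4444, me, 22, frozenset({"SYN"}))
    results["unsolicited_syn"] = (stateful_input(stray_syn, ct), stateless_input(stray_syn))
    return results

if __name__ == "__main__":
    print("state-matching rules:", uses_state_matching(RULES))
    for name, (stateful, stateless) in demo().items():
        print(f"{name:26s} stateful={stateful:6s} stateless={stateless}")
```

The second scenario is the one that matters: with only a flag heuristic the stray ACK is accepted, while the stateful ruleset drops it because conntrack has no entry for that flow, so the segment is NEW and fails `! --syn`. The real kernel table also times out entries and tracks RELATED traffic (ICMP errors, FTP data), which this model leaves out.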

wardialer 02-09-2005 01:05 PM

Ok thanks a lot. I really appreciate it.

But could you please confirm for me one more time that the code that I posted (which I am using now) on here does Stateful Packet Inspection?
And with that code I posted above, how can I tell that it's using Stateful Packet Inspection???

Please explain.

tangle 02-09-2005 01:11 PM

You might want to read this.
http://en.wikipedia.org/wiki/Stateful_firewall

As Capt_Caveman said, Netfilter (iptables) is a stateful packet filter. Basically a stateful firewall examines each packet and determines whether it is legit or not.

tangle 02-09-2005 01:22 PM

Here are 2 examples in your code.

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP #DROP NEW NOT SYN

wardialer 02-09-2005 01:27 PM

Thanks I got it. I really thank you very much for your help.

I apologize; even though I had read numerous manuals about the Linux firewall, I still do not or cannot grasp it in my head. It's very complicated.... But I will try my best to resolve this.

wardialer 02-09-2005 10:01 PM

I found a very good article on how these things actually work. VERY VERY great article. It explains everything in detail.

Take a look:

http://www.samag.com/documents/s=176...112a/0112a.htm

Capt_Caveman 02-10-2005 07:54 PM

Also see:
http://www.sns.ias.edu/~jns/security...conntrack.html

wardialer 02-10-2005 09:11 PM

The firewall script that I posted above (Post#1), is that a Stateful Packet Inspection firewall script? Please confirm one more time; I would appreciate it.

And remember, I want to use this script for Dial-Up and DSL connections....

