Gioele Barabucci wrote:
> In my logs I often find reports of dropped input packets from my DNS:53 or
> dropped output packets generated from localhost:25 to other mail servers.
> Why are these packets dropped?

I attach my simple iptables rules

iptables -F
iptables -X

echo "Default policies"
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP   # just for fun, I don't do any routing

echo "Exceptions for OUTPUT"
iptables -A OUTPUT -o lo -j ACCEPT
# "nameserver" is looked up in /etc/services, where it is port 42 (the IEN 116
# host name server); the DNS service name there is "domain" (port 53)
iptables -A OUTPUT -p udp --dport nameserver -j ACCEPT
iptables -A OUTPUT -p tcp --dport nameserver -j ACCEPT
iptables -A OUTPUT -p tcp --dport smtp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "Exceptions for INPUT"
# no rule below accepts udp or tcp port 53, so queries to the local DNS server
# fall through to the LOG rules and then to the DROP policy
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport smtp -j ACCEPT
iptables -A INPUT -p tcp --dport pop3 -j ACCEPT
iptables -A INPUT -p tcp --dport imap -j ACCEPT
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "Logging"
# "! -i lo" is the current negation syntax; the older "-i ! lo" form is deprecated
# LOG is non-terminating, so a logged packet continues to the next rule or the policy
iptables -A INPUT -m limit --limit 3/second --limit-burst 5 ! -i lo -j LOG --log-level "debug" --log-ip-options --log-tcp-options --log-prefix 'iptables INPUT DROP '
# ULOG was removed from the kernel (3.17); NFLOG is its replacement
iptables -A INPUT -m limit --limit 3/second --limit-burst 5 ! -i lo -j ULOG --ulog-prefix 'iptables INPUT DROP '
iptables -A OUTPUT -m limit --limit 3/second --limit-burst 5 ! -o lo -j LOG --log-level "debug" --log-ip-options --log-tcp-options --log-prefix 'iptables OUTPUT DROP '

echo "REJECT for outgoing packets"
iptables -A OUTPUT -j REJECT   # reject, don't DROP outgoing packets

-- 
Gioele <dev@xxxxxxxxxxxxxxxxxxx>
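The following is an added example, not part of the post above and not code from its author. It replays a few constructed kernel LOG lines (the kind the posted LOG rules emit) through a small model of the posted INPUT and OUTPUT chains to show which rule or policy each packet ends at. The model is deliberately partial: it handles -p, --dport, -i/-o and -m state only, parses and skips -m limit and the LOG options, and resolves service names from an embedded copy of the relevant /etc/services entries rather than getservbyname() so it runs on any host. The kernel LOG target does not record conntrack state, so the state attached to each sample packet is an assumption of this example; the addresses are from documentation ranges. POSTED is a trimmed copy of the rules in the post, FIXED is the same with "nameserver" renamed to "domain" and an inbound udp/53 rule added.

```python
"""Replay logged packets through a model of the posted iptables ruleset.
Added example, not code from the post. Only -p, --dport, -i/-o and -m state
are modelled; -m limit and LOG options are parsed and skipped (LOG does not
terminate). Service names come from an embedded copy of /etc/services."""
import re
import shlex

# From a stock /etc/services: "nameserver" is 42 (IEN 116); DNS is "domain", 53.
SERVICES = {"ssh": 22, "smtp": 25, "nameserver": 42, "domain": 53, "http": 80}
NOVALUE = {"--log-ip-options", "--log-tcp-options"}   # option flags with no argument
LOG_RE = re.compile(r"(\w+)=(\S*)")                     # KEY=value fields in a LOG line

def port(spec):
    return int(spec) if spec.isdigit() else SERVICES[spec]

def parse_rule(args):
    """argv after 'iptables -A CHAIN' -> ({match: (value, negated)}, target)."""
    match, target, neg, i = {}, None, False, 0
    while i < len(args):
        tok = args[i]
        if tok == "!":                                  # "! -i lo"
            neg, i = True, i + 1
        elif tok in ("-p", "--dport", "-i", "-o", "--state"):
            match[tok.lstrip("-")] = (args[i + 1], neg)
            neg, i = False, i + 2
        elif tok == "-j":
            target, i = args[i + 1], i + 2
        else:                                           # -m limit, --log-prefix ...
            i += 1 if tok in NOVALUE else 2
    return match, target

def parse_script(script):
    """{chain: [policy, [(rule_text, match, target), ...]]} from a rules script."""
    chains = {}
    for line in script.splitlines():
        args = shlex.split(line, comments=True)
        if len(args) < 4 or args[0] != "iptables" or args[1] not in ("-P", "-A"):
            continue
        chain = chains.setdefault(args[2], [None, []])
        if args[1] == "-P":
            chain[0] = args[3]
        else:
            chain[1].append((" ".join(args[1:]),) + parse_rule(args[3:]))
    return chains

def parse_log(line, ct_state):
    """Fields of a kernel LOG line; conntrack state is not logged, so it is passed in."""
    f = dict(LOG_RE.findall(line))
    return {"in": f.get("IN", ""), "out": f.get("OUT", ""), "state": ct_state,
            "proto": f.get("PROTO", "").lower(), "dpt": int(f.get("DPT", -1)),
            "chain": "INPUT" if f.get("IN") else "OUTPUT"}

def matches(match, pkt):
    for key, (val, neg) in match.items():
        if key == "p":
            hit = pkt["proto"] == val.lower()
        elif key == "dport":
            hit = pkt["dpt"] == port(val)
        elif key == "state":
            hit = pkt["state"] in val.split(",")
        else:                                           # "i" -> IN, "o" -> OUT
            hit = pkt["in" if key == "i" else "out"] == val
        if hit == neg:                                  # negated hit, or plain miss
            return False
    return True

def verdict(chains, pkt):
    """First terminating rule the packet matches, else the chain policy."""
    policy, rules = chains[pkt["chain"]]
    for text, match, target in rules:
        if target not in ("LOG", "ULOG") and matches(match, pkt):
            return target, text
    return policy, "chain policy"

POSTED = """
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p udp --dport nameserver -j ACCEPT
iptables -A OUTPUT -p tcp --dport smtp -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m limit --limit 3/second ! -i lo -j LOG --log-prefix 'iptables INPUT DROP '
iptables -A OUTPUT -j REJECT
"""
# Same rules with two fixes: call DNS "domain" (53) and accept inbound udp/53.
FIXED = POSTED.replace("--dport nameserver", "--dport domain").replace(
    "-A INPUT -i lo -j ACCEPT", "-A INPUT -i lo -j ACCEPT\niptables -A INPUT -p udp --dport domain -j ACCEPT")

# Constructed LOG lines plus the conntrack state assumed for each packet. The third
# is a late RST from the local MTA for a connection conntrack no longer tracks
# (e.g. after the rules were reloaded), so it is INVALID rather than ESTABLISHED.
SAMPLES = [
    ("iptables INPUT DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=UDP SPT=40321 DPT=53", "NEW"),
    ("iptables OUTPUT DROP IN= OUT=eth0 SRC=198.51.100.2 DST=203.0.113.9 PROTO=UDP SPT=51234 DPT=53", "NEW"),
    ("iptables OUTPUT DROP IN= OUT=eth0 SRC=198.51.100.2 DST=203.0.113.9 PROTO=TCP SPT=25 DPT=43811 RST", "INVALID"),
]

def audit(script, samples=SAMPLES):
    """(verdict, rule) for each sample packet under the given ruleset."""
    chains = parse_script(script)
    return [verdict(chains, parse_log(line, state)) for line, state in samples]

if __name__ == "__main__":
    for name, script in (("posted", POSTED), ("fixed", FIXED)):
        for (line, state), (target, rule) in zip(SAMPLES, audit(script)):
            print(f"{name:6} {state:8} {line.split(None, 3)[3]:70} -> {target} ({rule})")
```

Under POSTED the first packet (a DNS query arriving on eth0) matches nothing and ends at the INPUT DROP policy, the second (an outbound DNS query to port 53) is REJECTed because "nameserver" resolves to 42, and the third (a packet with source port 25 that conntrack treats as INVALID) is REJECTed because OUTPUT only accepts ESTABLISHED,RELATED. FIXED turns the first two into ACCEPTs; the third stays REJECTed, which is the expected result for untracked packets unless you add an explicit `-m state --state INVALID -j DROP` ahead of the LOG rule to keep them out of the logs. On a real host, `getent services nameserver` confirms what the name resolves to, and `conntrack -L` (conntrack-tools) shows whether an entry exists for the connection a logged packet belongs to.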