Mark-Walter@xxxxxxxxxxx wrote:
> Hi, I have this in my firewall rule script and I'm unsure about DROP:
>
> #
> # allowed chain
> #
> $IPTABLES -A allowed -p TCP --syn -j ACCEPT
> $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A allowed -p TCP -j DROP
>
> The first should allow tcp connections with syn,rst,ack and he should accept it. The second one describes already established connections with ACCEPT. But what happens in the third rule? Does it mean iptables DROPs every TCP connection in the case syn,rst,ack is not set and the connection is not established?
Yes and no. Yes, it will drop the rest of the TCP packets going through this chain ONLY. And no, because this is a user-defined chain. Since it is user-defined, one of the native chains (filter INPUT, filter OUTPUT, etc.) should have an existing rule which sends SOME packets through it. Somewhere in your script you have a rule like this, but not necessarily exactly the same:

iptables -A INPUT -p tcp -s <one_ip> -d <second_ip> -j allowed

In the example above only packets which match the source and destination IPs will be sent to the "allowed" chain. All other TCP packets will continue to travel the INPUT chain and will never have the opportunity to hit the 3rd rule of the "allowed" chain.
> Does iptables store all connections with connection tracking to know which connection is established/related? (2nd rule)
Yes, iptables keeps track of the connection statuses. Check the content of /proc/net/ip_conntrack
> Sorry for these questions, but I think it's a fast answer for you.
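As an added illustration of the traversal described in the reply above (not code from the thread or from iptables itself), here is a toy model of how the "allowed" chain and the INPUT jump rule decide a packet's fate. The source/destination addresses and the INPUT policy of ACCEPT are constructed assumptions; `syn=True` stands for what `--syn` actually matches (SYN set, ACK/RST/FIN clear), and `state` is what conntrack would report.

```python
# Toy model of netfilter chain traversal, constructed for this thread.
# It is NOT a reimplementation of iptables; it only models rule order,
# jumps into a user-defined chain, and the implicit RETURN at its end.
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    syn: bool = False      # True when SYN is set and ACK/RST/FIN are clear (--syn)
    state: str = "NEW"     # conntrack state: NEW, ESTABLISHED, RELATED, INVALID


# Each rule is (match criteria, target); target is ACCEPT, DROP, or a user chain.
# Addresses below are constructed sample values standing in for <one_ip>/<second_ip>.
CHAINS = {
    "allowed": [
        ({"proto": "tcp", "syn": True}, "ACCEPT"),                           # rule 1
        ({"proto": "tcp", "state": ("ESTABLISHED", "RELATED")}, "ACCEPT"),   # rule 2
        ({"proto": "tcp"}, "DROP"),                                          # rule 3
    ],
    "INPUT": [
        ({"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.1"}, "allowed"),  # the jump
    ],
}


def matches(match, pkt):
    """True when every criterion in `match` holds for pkt (tuples mean any-of)."""
    for key, want in match.items():
        have = getattr(pkt, key)
        if have not in want if isinstance(want, tuple) else have != want:
            return False
    return True


def traverse(chain, pkt, policy="ACCEPT"):
    """Walk `chain`; return (verdict, where). A user chain (policy=None) that
    reaches its end returns None, i.e. control goes back to the caller."""
    for i, (match, target) in enumerate(CHAINS[chain], start=1):
        if not matches(match, pkt):
            continue
        if target in ("ACCEPT", "DROP"):
            return target, f"{chain} rule {i}"
        result = traverse(target, pkt, policy=None)   # jump into user-defined chain
        if result is not None:
            return result                             # the user chain decided
    return (policy, f"{chain} policy") if policy else None


if __name__ == "__main__":
    for p in (Packet("tcp", "10.0.0.5", "10.0.0.1", syn=True),
              Packet("tcp", "10.0.0.5", "10.0.0.1"),            # NEW, not a SYN
              Packet("tcp", "192.168.1.9", "10.0.0.1")):        # never jumps
        print(p, "->", traverse("INPUT", p))
```

Only the packet that matches the jump rule and is neither a SYN nor part of a tracked connection ever reaches rule 3; a packet from any other source falls through INPUT to its policy without touching "allowed".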