On Wed, 2009-07-15 at 23:25 +0300, Andrew Kolt wrote:
> As a temp solution I added the following to the INPUT chain, in order to
> let those replies in:
>
> -A INPUT -i eth0 -p tcp -s 0/0 -d zzz.zzz.zzz.zzz -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> Everything works well now, but I'd like to know if there's any other way
> to go about this and if the line above is "good" practice as far
> as security goes.

Hi Andrew!

In my opinion it is good practice. We have been using such a rule for some time.
In our set of iptables rules we have these in the beginning:

#------------------------------------------------------------------
# Drop invalid packets, unrelated to any connection
iptables -t filter -A INPUT -m state --state INVALID -j DROP

# Block and log several types of network scans that use malformed packets
# FIN / URG / PSH
iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute \
    -j LOG --log-level notice --log-prefix "NMAP-XMAS:"
iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

# SYN / RST
iptables -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute \
    -j LOG --log-level notice --log-prefix "SYN/RST:"
iptables -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# SYN / FIN -- scan (probably)
iptables -t filter -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute \
    -j LOG --log-level notice --log-prefix "SYN/FIN:"
iptables -t filter -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Accept packets related to previously established connections
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept locally generated packets unconditionally
iptables -t filter -A INPUT -i lo -j ACCEPT
#------------------------------------------------------------------

The same rules can also be applied to the FORWARD chain.

Regards,
Simion.
-- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
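Added example (my own, not part of Andrew's or Simion's mail): the point of Simion's ordering is that the ESTABLISHED,RELATED accept must sit early in INPUT, after the INVALID/scan drops but before any catch-all DROP or REJECT. Andrew's "temp solution" was appended with -A, which on a chain that already ends in a generic drop would leave the new rule unreachable. The script below checks a chain in iptables-save format for exactly that: it reads "-A INPUT ..." lines from stdin and reports the position of the stateful accept relative to the first generic DROP/REJECT (drops that match --state INVALID or --tcp-flags are deliberately not counted as generic, since they are meant to come first). The two rulesets it runs against are constructed for the example; the SSH service rule on port 22, the eth0 interface and the final catch-all drop are assumptions, not something from the thread.

```shell
#!/bin/sh
# Added example, not taken from the mailing-list thread.
# check_state_rule: read an INPUT chain in iptables-save format ("-A INPUT ...")
# from stdin and report whether the ESTABLISHED,RELATED accept is reachable,
# i.e. whether it precedes the first generic DROP/REJECT rule in the chain.
# Exit status 0 = reachable, 1 = missing or shadowed by an earlier drop.
check_state_rule() {
    awk '
        $1 == "-A" && $2 == "INPUT" {
            n++
            # State match as printed by iptables-save (--state) or by the
            # conntrack match (--ctstate); the flag order varies by version.
            if (/--(ct)?state [A-Z,]*ESTABLISHED/ && /-j ACCEPT/ && !state)
                state = n
            # A "generic" terminating rule: DROP/REJECT that is not one of the
            # INVALID or malformed-flag drops that belong before the state rule.
            if (/-j (DROP|REJECT)/ && !/--(ct)?state INVALID/ && !/--tcp-flags/ && !generic)
                generic = n
        }
        END {
            if (!state) {
                print "FAIL: no ESTABLISHED,RELATED accept in INPUT"
                exit 1
            }
            if (generic && generic < state) {
                printf "FAIL: state accept is rule #%d but generic drop/reject is rule #%d\n", state, generic
                exit 1
            }
            printf "OK: state accept is rule #%d, first generic drop/reject is %s\n", state, (generic ? ("#" generic) : "none")
            exit 0
        }'
}

# Constructed sample: the ordering from Simion's mail, plus an assumed SSH
# service rule and a final catch-all drop.
sample_good() {
    cat <<'EOF'
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -j DROP
EOF
}

# Constructed sample: a stateful accept appended with -A after an existing
# catch-all drop; every reply packet hits rule #3 and never reaches rule #4.
sample_bad() {
    cat <<'EOF'
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# On a live host feed the real chain instead:  iptables-save -t filter | check_state_rule
echo "== constructed good ruleset =="
sample_good | check_state_rule
echo "== constructed bad ruleset (state rule appended after a catch-all drop) =="
sample_bad | check_state_rule || echo "=> insert the state rule near the top with -I rather than appending with -A"
```

The check only looks at rule order inside INPUT, which is the property Andrew's question hinges on; it does not validate the rules themselves. The same awk condition works for FORWARD by changing `$2 == "INPUT"` if you mirror the rules there as Simion suggests.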