Re: Query: Stateful parameters Explicitly and Implicitly defined, which is it?

netfilter-owner@xxxxxxxxxxxxxxx wrote:
Dear experts,

If a rule has a state of NEW does it implicitly imply ESTABLISHED also?

Looking at examples on the web I see references to both.

For example to permit access to an internal Web server, which of the straw-man rules are correct?

Implicit Established Example:
iptables -a FORWARD -i eth0 --dport 80 -m state --state NEW -j ACCEPT

Explicit Established Example:
iptables -a FORWARD -i eth0 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

Both are, but both miss '-p tcp'; and it's '-A', not '-a'.
It depends what your other rules in the ruleset do.
If you have something like:
iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
the first of the 2 rules above will work out, though the second will also work, it just has this redundant state descriptor (which does not matter at all).

To allow http traffic, without other rules:
iptables -A FORWARD -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o eth0 -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT


Similarly, I see reference to setting TCP flags as a control measure. Particularly for port scanning etc. However sticking with the Web server example, an internal Web Server should expect a client to initiate a connection (SYN flag) but the server itself should not do this.

example straw-man rules of the stateless kind:
iptables -a FORWARD -i eth0 --dport 80 --tcp-flags SYN -j ACCEPT

iptables -a FORWARD -o eth1 --sport 80 --tcp-flags ACK -j ACCEPT

The thing is, what happens after the 3-way handshake? Incoming http requests will no longer have a SYN flag set! So is there some implicit knowledge that netfilter or other packet filters operate over?

Same as before, you need other rules to handle that. Usually I normalize TCP traffic, even before it hits the rules for the servers, but if I wouldn't do it globally, I'd rather write the rule like this:
iptables -A FORWARD -i eth0 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK,FIN SYN -m state --state NEW -j ACCEPT

regards,
Will.

hope it helps

regards

Mart
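The complete FORWARD ruleset Mart's reply implies (generic ESTABLISHED,RELATED rule first, TCP "normalization", then a NEW-only rule for the web server), as an added example that is not from the thread. It emits iptables-restore format so it can be reviewed without touching a live firewall; the interface names eth0/eth1 and port 80 are placeholders taken from the question.

```shell
#!/bin/sh
# Added example, not from the thread: the stateful FORWARD ruleset the reply
# describes, printed in iptables-restore format.  Assumptions: eth0 is the
# outside interface and the web server (TCP/80) sits behind eth1.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"

# Print the ruleset to stdout.  Order matters: the generic ESTABLISHED,RELATED
# rule comes first, so return traffic and every post-handshake request on an
# already accepted connection never reach the per-service rules; the service
# rule then only needs --state NEW, and ESTABLISHED there would be redundant.
build_rules() {
    cat <<EOF
*filter
:FORWARD DROP [0:0]
# Packets of connections that were already accepted (either direction).
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# "Normalize" TCP: a packet opening a new connection must be a bare SYN.
# --syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN.
-A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
# Out-of-window or otherwise untrackable packets.
-A FORWARD -m state --state INVALID -j DROP
# The service rule: only the connection-opening SYN towards port 80.
-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Count the rules that match a given conntrack state, e.g. count_state NEW.
count_state() {
    build_rules | grep -c -- "--state [A-Z,]*$1"
}

if [ "${1:-}" = "--load" ]; then
    # Only load when asked explicitly; needs root and iptables-restore.
    build_rules | iptables-restore
else
    build_rules
fi
```

Run it with `--load` to apply the rules, or pipe the output into `iptables-restore --test` first to have the syntax checked without installing anything.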

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
