Re: Module conntrack question

As I understand, only traffic that has been recognized as 'related' (such as an FTP data conn that the FTP 'helper' determined is related to the command connection) will be marked as RELATED. Remember that a RELATED packet is the NEW packet of a related connection. Also remember that once you accept a NEW or RELATED packet, all other packets will be ESTABLISHED. You cannot determine if a conn was originally RELATED to another unless you explicitly mark it (using CONNMARK); and I believe you cannot ever determine which rule caused a 'new' packet to be marked RELATED.

First, you accept all packets marked RELATED or ESTABLISHED (assuming this rule is in INPUT). Next, you accept all other *arriving* packets destined to port 80; this includes NEW, and INVALID. If you previously added any rules that cause port 80 packets to be processed RAW, they will also be accepted.

So far, you've addressed INPUT. You also need to address outbound packets (in chain OUTPUT).

Generally speaking, the order of processing should be:
  - DROP all INVALID packets since netfilter cannot determine where they should be sent.
  - DROP all packets you already know should not be routed or received, such as
    blacklisted IPs and TEST NET addrs.
  - RESET ESTABLISHED TCP conns--in *each* direction as packets arrive--that should be
    terminated (such as those that are active outside allowed time frames).
  - REJECT--with admin prohibited--all other RELATED or ESTABLISHED packets for conns
    that should be terminated (such as those that are active outside allowed time frames).
  - ACCEPT packets for ESTABLISHED conns and the RELATED packets of new, related conns.
  - (At this point, only NEW packets can remain, unless you specify some packets to be
    handled RAW, which typically isn't likely. So you don't need to test if a packet is NEW
    after this point.)
  - ACCEPT packets for new conns that you want to accept. All remaining packets for such conns
    will be marked ESTABLISHED.
  - REJECT or DROP all other new conns.

N


On Mon, 15 Oct 2018 17:55:42 +0200
Stefanie Leisestreichler <stefanie.leisestreichler@xxxxxxxxxxxxxx> wrote:

> Hi.
> 
> I have I a general question about module conntrack.
> 
> Assumed I have a firewall rule allowing all -m conntrack --ctstate 
> RELATED,ESTABLISHED packets.
> 
> Also assumed I have another firewall rule with a simple definition like
> -A INPUT -p tcp --dport 80 -j ACCEPT
> with no -m conntrack --ctstate NEW -j ACCEPT.
> 
> Will the traffic which wants to go to port 80 be identified as RELATED, 
> even though I did not use -m conntrack --ctstate NEW in my rule allowing 
> talking to port 80?
> 
> Or will the traffic be rejected since the NEW packet was not handled by 
> -m conntrack initially?
> 
> Thanks
> Stefanie
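
The rule order N lays out above, written as an added dry-run shell script (this is not code from the thread or from the netfilter project). The `emit_input_rules`/`emit_output_rules` names, the blacklist networks and the 22:00 to 06:00 "not allowed" window are constructed placeholders; the script prints the iptables commands by default and only applies them if you pass `iptables` as the first argument.

```shell
#!/bin/sh
# Added example: emits iptables rules in the order described in the reply.
# $1 is the command to run for each rule ("echo" prints them as a dry run;
# "iptables", as root, applies them). Networks and times are constructed values.
set -eu

BLACKLIST="${BLACKLIST:-203.0.113.0/24 198.51.100.7}"   # constructed TEST-NET examples

emit_input_rules() {
    run="${1:-echo}"
    # 1. INVALID first: conntrack cannot place these packets in any connection.
    $run iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
    # 2. Sources that must never be received, whatever their state.
    for net in $BLACKLIST; do
        $run iptables -A INPUT -s "$net" -j DROP
    done
    # 3. Reset ESTABLISHED TCP conns that are no longer allowed (constructed window).
    $run iptables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED \
        -m time --timestart 22:00 --timestop 06:00 -j REJECT --reject-with tcp-reset
    # 4. Admin-prohibit any other RELATED/ESTABLISHED packet of such conns.
    $run iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED \
        -m time --timestart 22:00 --timestop 06:00 -j REJECT --reject-with icmp-admin-prohibited
    # 5. Everything else belonging to a known conn is accepted.
    $run iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # 6. Only NEW packets can reach this rule, so --ctstate NEW is implicit here
    #    and an INVALID packet to port 80 is no longer accepted by it.
    $run iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    # 7. Every other new conn.
    $run iptables -A INPUT -j REJECT --reject-with icmp-admin-prohibited
}

emit_output_rules() {
    run="${1:-echo}"
    $run iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
    for net in $BLACKLIST; do
        $run iptables -A OUTPUT -d "$net" -j DROP
    done
    # Replies to the accepted port-80 conns are ESTABLISHED by the time they leave.
    $run iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Only conns this host initiates remain; this policy lets it open any of them.
    $run iptables -A OUTPUT -j ACCEPT
}

# Dry run by default; "sh rules.sh iptables" (as root) applies the rules.
emit_input_rules "${1:-echo}"
emit_output_rules "${1:-echo}"
```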
