Stateful firewalling for fun and profit

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Without using stateful rules, a default DENY policy means that you must
have explicit rules to ACCEPT the return packets from locally initiated
stuff. This can be very hard to get right (if it is even possible to get
right).

IMO, the following stateful rules work well and simplify things a great
deal when using a default DENY policy.

iptables -P INPUT DENY
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Those above two rules are ALL YOU NEED to have a 'pretend I'm not here,
unless I've initiated the conversation' type setup. Everything just
works. This even takes care of ACCEPTing the ICMP 'need to fragment'
messages that are commonly -- improperly -- blocked by novice firewall
admins.

Now if you have local services that you want to allow connections to,
you create a rule for each service.

For example, these two rules would allow inbound SSH and HTTP.

iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

Finally, if you wish, you can create a logging rule to see what is
hitting the DENY policy.

iptables -A INPUT -m limit --limit 1/sec --limit-burst 10 -j LOG
--log-prefix 'INPUT-DENY: '


Dax Kelson
Guru Labs



-- 
Psyche-list mailing list
Psyche-list@redhat.com
https://listman.redhat.com/mailman/listinfo/psyche-list

[Index of Archives]     [Fedora General Discussion]     [Red Hat General Discussion]     [Centos]     [Kernel]     [Red Hat Install]     [Red Hat Watch]     [Red Hat Development]     [Red Hat 9]     [Gimp]     [Yosemite News]

  Powered by Linux