Re: iptables generic INPUT rule

Joe Tseng wrote:
I recall seeing an example rule where the person allowed all established connections; it went something like this:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Is this a safe generic rule to have? Or is it better for me to state every case explicitly?

That allows traffic with any established connexion to pass. Any traffic not associated with existing traffic will not be permitted by that rule, so it does not permit any new sessions to start.

For that to occur, you need rules to explicitly allow connexions to specific services ahead of any rule (including policy) that denies them.


To clarify, here are some lines from my /etc/sysconfig/iptables:

-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

The first allows existing sessions to continue.
Then I explicitly allow connexions to three services.
Finally, I deny all not explicitly allowed. On a firewall, I'd likely DROP rather than REJECT as the former causes unwelcome visitors to wait for a timeout.





--

Cheers
John

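As an added illustration (not from John's post or from Fedora's own tooling): a toy Python model of how netfilter walks the chain quoted above, using a constructed connection table. It shows that the ESTABLISHED,RELATED rule on its own never admits a NEW session, and that the trailing REJECT catches anything the explicit NEW rules do not name. The packet dicts, the CONNTRACK set and the "POLICY" placeholder are my own constructions.

```python
import shlex

# Rule lines exactly as quoted from /etc/sysconfig/iptables in the post above.
RULES = """
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
""".strip().splitlines()

def parse_rule(line):
    """Pull out the matches this toy model understands: --state, -p, --dport, -j."""
    toks = shlex.split(line)
    opt = {toks[i]: toks[i + 1] for i in range(len(toks) - 1) if toks[i].startswith("-")}
    return {
        "states": set(opt["--state"].split(",")) if "--state" in opt else None,
        "proto": opt.get("-p"),
        "dport": int(opt["--dport"]) if "--dport" in opt else None,
        "target": opt["-j"],
    }

def conntrack_state(pkt, conntrack):
    """NEW if the flow is unknown to the connection table, else ESTABLISHED.
    Real conntrack also derives RELATED via helpers; that is not modelled."""
    key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dport"])
    return "ESTABLISHED" if key in conntrack else "NEW"

def verdict(pkt, conntrack, rules=RULES):
    """Walk the chain top to bottom; the first matching rule decides."""
    state = conntrack_state(pkt, conntrack)
    for rule in map(parse_rule, rules):
        if rule["states"] is not None and state not in rule["states"]:
            continue
        if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
            continue
        if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
            continue
        return rule["target"]
    return "POLICY"  # chain exhausted; the chain's default policy applies

# Constructed data: one SMTP session already tracked, plus three probe packets.
CONNTRACK = {("tcp", "192.0.2.10", 40000, 25)}
SYN_TO_SSH = {"proto": "tcp", "src": "192.0.2.10", "sport": 40001, "dport": 22}
SYN_TO_SMTP = {"proto": "tcp", "src": "192.0.2.10", "sport": 40002, "dport": 25}
SMTP_DATA = {"proto": "tcp", "src": "192.0.2.10", "sport": 40000, "dport": 25}
```

Calling verdict() on the three packets gives ACCEPT, REJECT and ACCEPT respectively; restricting the chain to RULES[:1] leaves the SSH SYN falling through to the chain policy, which is the point John makes about the generic rule.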

