Joe Tseng wrote:
> I recall seeing an example rule where the person allowed all established
> connections; it went something like this:
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> Is this a safe generic rule to have? Or is it better for me to state
> every case explicitly?
That allows traffic with any established connexion to pass. Any traffic
not associated with existing traffic will not be permitted by that
rule, so it does not permit any new sessions to start.
For that to occur, you need rules to explicitly allow connexions to
specific services ahead of any rule (including policy) that denies them.
To clarify, here are some lines from my /etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
The first allows existing sessions to continue.
Then I explicitly allow connexions to three services.
Finally, I deny all not explicitly allowed. On a firewall, I'd likely
DROP rather than REJECT as the former causes unwelcome visitors to wait
for a timeout.
--
Cheers
John
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
Please do not reply off-list
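The reply above rests on two netfilter facts: rules in a chain are tried in order and the first match decides, and the ESTABLISHED,RELATED rule on its own never admits a NEW connexion. The following is an added illustration, not code from the list post or from the iptables project: a small model that parses the `-A RH-Firewall-1-INPUT ...` lines quoted in the reply and walks a few constructed packets through them first-match, so the effect of rule order (the REJECT placed last versus first) can be checked without touching a live firewall. The `Packet` and `Rule` types, the `evaluate` and `parse_rule` functions, and the conntrack states used are assumptions of this model; it only covers the match options that appear in the quoted rules.

```python
"""First-match model of the stateful INPUT chain quoted in the reply above.

Constructed for illustration: Packet, Rule, parse_rule and evaluate are
assumptions of this model, not iptables APIs. Only the options present in the
quoted rules (--state, -p, --dport, -j, --reject-with) are understood.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional, FrozenSet


@dataclass(frozen=True)
class Packet:
    state: str             # conntrack verdict: NEW, ESTABLISHED, RELATED, INVALID
    proto: str             # tcp, udp, icmp
    dport: Optional[int]   # destination port; None for protocols without ports


@dataclass(frozen=True)
class Rule:
    target: str                            # ACCEPT, DROP or REJECT
    states: Optional[FrozenSet[str]] = None  # --state list; None means any state
    proto: Optional[str] = None              # -p; None means any protocol
    dport: Optional[int] = None              # --dport; None means any port

    def matches(self, pkt: Packet) -> bool:
        # Every specified match must hold; unspecified matches are wildcards.
        if self.states is not None and pkt.state not in self.states:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def parse_rule(line: str) -> Rule:
    """Turn one 'iptables-save' style line into a Rule (subset of the syntax)."""
    toks = shlex.split(line)
    fields = {"target": None, "states": None, "proto": None, "dport": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "--state":
            fields["states"] = frozenset(toks[i + 1].split(","))
        elif t == "-p":
            fields["proto"] = toks[i + 1]
        elif t == "--dport":
            fields["dport"] = int(toks[i + 1])
        elif t == "-j":
            fields["target"] = toks[i + 1]
        elif t in ("-A", "-m", "--reject-with"):
            pass  # chain name, match-module load, reject type: irrelevant to matching
        else:
            raise ValueError(f"unsupported option {t!r}")
        i += 2  # every supported option takes exactly one argument
    if fields["target"] is None:
        raise ValueError("rule has no -j target")
    return Rule(**fields)


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins; if nothing matches, the chain policy decides."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# The rules quoted in the reply, in the order they appear in the file.
CHAIN_LINES = [
    "-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT",
    "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT",
    "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT",
    "-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited",
]
CHAIN = [parse_rule(l) for l in CHAIN_LINES]

# Same rules with the catch-all REJECT moved to the front: the allows become dead.
REJECT_FIRST = CHAIN[-1:] + CHAIN[:-1]

# Constructed sample packets, not captures from a real host.
SAMPLES = {
    "reply to our own outbound session": Packet("ESTABLISHED", "tcp", 51234),
    "new ssh connexion": Packet("NEW", "tcp", 22),
    "new smtp connexion": Packet("NEW", "tcp", 25),
    "new dns query over udp": Packet("NEW", "udp", 53),
    "icmp error tied to a known flow": Packet("RELATED", "icmp", None),
}


def verdicts(chain: List[Rule]) -> dict:
    return {name: evaluate(chain, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, chain in (("as quoted", CHAIN), ("REJECT first", REJECT_FIRST)):
        print(f"--- {label} ---")
        for name, verdict in verdicts(chain).items():
            print(f"{verdict:7} {name}")
```

Run as a script, the first table shows the quoted chain admitting the established reply, the RELATED ICMP error and new SSH, while new SMTP and UDP DNS hit the final REJECT; the second table shows that once the deny rule precedes the allows, every packet including the established one is rejected, which is the ordering point the reply makes. Swapping the last rule's target for DROP changes nothing in the verdict table; the difference the reply describes is only in whether the peer receives an ICMP error or waits for a timeout.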