topic Re: Iptables in Operating System - Linux

Iptables

Maaz — Sun, 16 Apr 2006 03:06:49 GMT

hello Dear GURUS

0, iptables -P INPUT DROP

Case 1
------
I found no difference b/w two

1, iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state NEW -j DROP
and
2, iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -j DROP

Case 2
------
I found no difference b/w two

1, iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -j DROP
and
2, iptables -A INPUT ! --syn -j ACCEPT
iptables -A INPUT --syn -j DROP

Any Comment...Recommendations...Suggestions..Explanations will be highly appreciated

Regards
Maaz

Re: Iptables

Steven E. Protter — Sun, 16 Apr 2006 04:56:32 GMT

Shalom Maaz,

Case 1,

The first statement permits persistent connections, which is needed for a session to maintain a connection.

To do it only on port 80 is not exactly standard.

Usually you permit persistent connections for the entire firewall which will apply on any ports that are open. Most port 80 applications will also need port 443 for example.

I think if you conduct testing from outside your firewall you will find the behavior in Case 1 and Case 2 is different. The sockets should be different.

do a netstat -an and after some testing and see what happens.

SEP

Re: Iptables

Maaz — Sun, 16 Apr 2006 05:34:37 GMT

I think I should elaborate more
for case1
---------
Say I m running web server on my linux machine, which is also connected to the Internet, now I want that only http trafic is allowd from the Internet, and else will be blocked, and *ALSO* I can browse/surf the Internet too. To acheive this target I have used both i.e 1 and 2 separately and both work fine.
Thats why I m asking that Is there any goog/strong diff b/w the two ? Or simply these(1&2) are simply two diff ways to acheive the target ?

for case2
---------
this is a simple linux workstation connected to the Internet via modem
No traffic from Internet will be allowed, but Internet Browsing, chatting etc will be allowed .. or simply outgoing trafic is allowed. To acheive this target I used both 1 and 2 Separately, and they both works for me
Thats why I m asking that Is there any goog/strong diff b/w the two ? Or simply these(1&2) are simply two diff ways to acheive the target ?

Regards
Maaz

Re: Iptables

Steven E. Protter — Sun, 16 Apr 2006 06:38:14 GMT

Shalom again Maaz,

In both cases, the first method seems better.

I'm thinking you may want a script that helps with this. It relies on come configuration tables to let you decide open ports both to the net and the lan/dmz and such.

Let me know if such a package will help. It generates iptables code.

SEP

Re: Iptables

Maaz — Sun, 16 Apr 2006 12:37:28 GMT

Thanks SEP for help
Yes I m looking forward for such a PACKAGE

Regards
Maaz

Re: Iptables

Steven E. Protter — Sun, 16 Apr 2006 16:48:51 GMT

Hi Maaz

http://www.hpux.ws/fireall.tar.gz

This may be a can of worms.

That tar far contains a firewall code generator.

It expects a configuration file at /etc/rc.config.d/firewall.update

You may nodify the location.

It expects other configuration files in /etc/iptables

It is highly flexible and can generate a fierwall based on any port setup you wish.

The variables are aptly named and ip lists are just that valid ip addresses that iptables can read.

It may be overengineered, but I'm prepared to answer questions on it.

SEP