Re: Iptables
04-15-2006 08:06 PM
0, iptables -P INPUT DROP
Case 1
------
I found no difference between the two:
1, iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
   iptables -A INPUT -m state --state NEW -j DROP
and
2, iptables -A INPUT -p tcp --dport 80 -j ACCEPT
   iptables -A INPUT -j DROP
Case 2
------
I found no difference between the two:
1, iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
   iptables -A INPUT -m state --state NEW -j DROP
and
2, iptables -A INPUT -p tcp ! --syn -j ACCEPT
   iptables -A INPUT -p tcp --syn -j DROP
Any comments, recommendations, suggestions or explanations will be highly appreciated.
Regards
Maaz
04-15-2006 09:56 PM
Re: Iptables
Case 1,
The first statement permits persistent connections, which is needed for a session to maintain a connection.
To do it only on port 80 is not exactly standard.
Usually you permit persistent connections for the entire firewall which will apply on any ports that are open. Most port 80 applications will also need port 443 for example.
I think if you conduct testing from outside your firewall you will find the behavior in Case 1 and Case 2 is different. The sockets should be different.
Do a netstat -an after some testing and see what happens.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
04-15-2006 10:34 PM
Re: Iptables
For case 1
----------
Say I'm running a web server on my Linux machine, which is also connected to the Internet. Now I want only HTTP traffic to be allowed from the Internet, and everything else to be blocked, and *ALSO* I can browse/surf the Internet too. To achieve this target I have used both, i.e. 1 and 2 separately, and both work fine.
That's why I'm asking: is there any good/strong difference between the two? Or are these (1 & 2) simply two different ways to achieve the target?
For case 2
----------
This is a simple Linux workstation connected to the Internet via modem.
No traffic from the Internet will be allowed, but Internet browsing, chatting etc. will be allowed, or simply outgoing traffic is allowed. To achieve this target I used both 1 and 2 separately, and they both work for me.
That's why I'm asking: is there any good/strong difference between the two? Or are these (1 & 2) simply two different ways to achieve the target?
Regards
Maaz
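As an added illustration (not from the thread), the following Python model evaluates both Case 2 chains first-match against a few constructed packets, with the conntrack state each packet would carry supplied as an assumed label; the flag-based chain is written with the `-p tcp` that `--syn` requires.

```python
# Added model of the two "Case 2" INPUT chains from the thread; not iptables itself.
# Each constructed packet carries the state that -m state is assumed to report for it.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    flags: frozenset    # TCP flag names; empty for non-TCP
    ctstate: str        # NEW, ESTABLISHED, RELATED or INVALID (assumed conntrack verdict)

CHECKED = frozenset({"SYN", "ACK", "RST", "FIN"})

def is_syn(pkt):
    """--syn: SYN set and ACK, RST, FIN clear (only meaningful with -p tcp)."""
    return pkt.proto == "tcp" and (pkt.flags & CHECKED) == frozenset({"SYN"})

# Method 1: -m state --state ESTABLISHED,RELATED -j ACCEPT ; -m state --state NEW -j DROP
STATEFUL = [
    (lambda p: p.ctstate in ("ESTABLISHED", "RELATED"), "ACCEPT"),
    (lambda p: p.ctstate == "NEW", "DROP"),
]
# Method 2: -p tcp ! --syn -j ACCEPT ; -p tcp --syn -j DROP
FLAGS_ONLY = [
    (lambda p: p.proto == "tcp" and not is_syn(p), "ACCEPT"),
    (lambda p: is_syn(p), "DROP"),
]

def verdict(chain, pkt, policy="DROP"):
    """First matching rule wins; otherwise the chain policy (-P INPUT DROP) applies."""
    for matches, target in chain:
        if matches(pkt):
            return target
    return policy

# Constructed sample traffic for the dial-up workstation scenario.
SAMPLES = {
    "inbound SYN to port 22":           Packet("tcp", frozenset({"SYN"}), "NEW"),
    "reply segment of our web session": Packet("tcp", frozenset({"ACK"}), "ESTABLISHED"),
    # A bare ACK with no connection: NEW when conntrack may pick up mid-stream
    # (the default tcp_loose=1), INVALID otherwise; method 1 accepts neither.
    "lone ACK probe, no connection":    Packet("tcp", frozenset({"ACK"}), "NEW"),
    "DNS answer to our own query":      Packet("udp", frozenset(), "ESTABLISHED"),
    "ICMP error for our UDP packet":    Packet("icmp", frozenset(), "RELATED"),
}

def compare():
    """Map each sample to (method 1 verdict, method 2 verdict)."""
    return {name: (verdict(STATEFUL, p), verdict(FLAGS_ONLY, p)) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (stateful, flags_only) in compare().items():
        print(f"{name:36} state-based: {stateful:6} syn-based: {flags_only}")
```

Method 2 accepts any TCP segment that is not a bare SYN whether or not a connection exists, and drops the UDP and ICMP replies that browsing relies on, which is why the state-based rules are the safer choice.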
04-15-2006 11:38 PM
Solution
In both cases, the first method seems better.
I'm thinking you may want a script that helps with this. It relies on some configuration tables to let you decide open ports, both to the net and the LAN/DMZ and such.
Let me know if such a package will help. It generates iptables code.
SEP
04-16-2006 05:37 AM
Re: Iptables
Yes, I'm looking forward to such a PACKAGE.
Regards
Maaz
04-16-2006 09:48 AM
Re: Iptables
http://www.hpux.ws/fireall.tar.gz
This may be a can of worms.
That tar file contains a firewall code generator.
It expects a configuration file at /etc/rc.config.d/firewall.update
You may modify the location.
It expects other configuration files in /etc/iptables
It is highly flexible and can generate a firewall based on any port setup you wish.
The variables are aptly named, and IP lists are just that: valid IP addresses that iptables can read.
It may be overengineered, but I'm prepared to answer questions on it.
SEP