HPE Community
Operating System - Linux
1828370 Members
3081 Online
109976 Solutions
New Discussion

Re: Iptables

 
SOLVED
Go to solution
Maaz
Valued Contributor

‎04-15-2006 08:06 PM

‎04-15-2006 08:06 PM

Iptables

hello Dear GURUS

0, iptables -P INPUT DROP

Case 1
------
I found no difference b/w two

1, iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state NEW -j DROP
and
2, iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -j DROP


Case 2
------
I found no difference b/w two

1, iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -j DROP
and
2, iptables -A INPUT ! --syn -j ACCEPT
iptables -A INPUT --syn -j DROP

Any Comment...Recommendations...Suggestions..Explanations will be highly appreciated

Regards
Maaz
0 Kudos
Reply
5 REPLIES 5
Steven E. Protter
Exalted Contributor

‎04-15-2006 09:56 PM

‎04-15-2006 09:56 PM

Re: Iptables

Shalom Maaz,

Case 1,

The first statement permits persistent connections, which is needed for a session to maintain a connection.

To do it only on port 80 is not exactly standard.

Usually you permit persistent connections for the entire firewall which will apply on any ports that are open. Most port 80 applications will also need port 443 for example.

I think if you conduct testing from outside your firewall you will find the behavior in Case 1 and Case 2 is different. The sockets should be different.

do a netstat -an and after some testing and see what happens.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Maaz
Valued Contributor

‎04-15-2006 10:34 PM

‎04-15-2006 10:34 PM

Re: Iptables

I think I should elaborate more
for case1
---------
Say I m running web server on my linux machine, which is also connected to the Internet, now I want that only http trafic is allowd from the Internet, and else will be blocked, and *ALSO* I can browse/surf the Internet too. To acheive this target I have used both i.e 1 and 2 separately and both work fine.
Thats why I m asking that Is there any goog/strong diff b/w the two ? Or simply these(1&2) are simply two diff ways to acheive the target ?

for case2
---------
this is a simple linux workstation connected to the Internet via modem
No traffic from Internet will be allowed, but Internet Browsing, chatting etc will be allowed .. or simply outgoing trafic is allowed. To acheive this target I used both 1 and 2 Separately, and they both works for me
Thats why I m asking that Is there any goog/strong diff b/w the two ? Or simply these(1&2) are simply two diff ways to acheive the target ?

Regards
Maaz
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎04-15-2006 11:38 PM

‎04-15-2006 11:38 PM

Solution

Re: Iptables

Shalom again Maaz,

In both cases, the first method seems better.

I'm thinking you may want a script that helps with this. It relies on come configuration tables to let you decide open ports both to the net and the lan/dmz and such.

Let me know if such a package will help. It generates iptables code.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Reply
Maaz
Valued Contributor

‎04-16-2006 05:37 AM

‎04-16-2006 05:37 AM

Re: Iptables

Thanks SEP for help
Yes I m looking forward for such a PACKAGE

Regards
Maaz
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎04-16-2006 09:48 AM

‎04-16-2006 09:48 AM

Re: Iptables

Hi Maaz

http://www.hpux.ws/fireall.tar.gz

This may be a can of worms.

That tar far contains a firewall code generator.

It expects a configuration file at /etc/rc.config.d/firewall.update

You may nodify the location.

It expects other configuration files in /etc/iptables

It is highly flexible and can generate a fierwall based on any port setup you wish.

The variables are aptly named and ip lists are just that valid ip addresses that iptables can read.

It may be overengineered, but I'm prepared to answer questions on it.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.