[ale] iptables issue
JK
jknapka at kneuro.net
Mon Jul 17 12:05:40 EDT 2006
Jason Lunz wrote:
> jimpop at yahoo.com said:
>
>>Jason Lunz wrote:
>>
>>>jimpop at yahoo.com said:
>>>
>>>>I have an issue wrt iptables. I use iptables to allow/deny access to a
>>>>website. The tables are intended to allow all in to port 80 at address
>>>>WW.XX.YY.ZZ, and all replies back out from port 80 on same address.
>>>>
>>>>The command line used to create the rules is this:
>>>>
>>>>iptables -A INPUT -p tcp -d WW.XX.YY.ZZ --dport http \
>>>>  -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
>>>>iptables -A OUTPUT -p tcp -s WW.XX.YY.ZZ --sport http \
>>>>  -m state --state RELATED,ESTABLISHED -j ACCEPT
>>>
>>>the second rule is superfluous. It's implied by the ESTABLISHED in the
>>>first rule.
>>
>>Are you sure of that? Every firewall example I've ever seen shows rules
>>for both directions.
>
>
> yes, I'm sure. This is what connection tracking does. The INPUT --dport
> http rule allows the connection to be established; after that, it's the
> kernel's job to keep track of which packets belong to the connection.
>
> The way you ask the conntrack module whether a packet is part of an
> established session is with "--state ESTABLISHED". It's intended to be
> used like this:
>
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -p tcp -d WW.XX.YY.ZZ --dport http \
> -m state --state NEW -j ACCEPT
>
> In the above configuration, ONLY packets that are part of inbound port
> 80 tcp connections are allowed in or out.
Right, but he *does* still need a rule in the
OUTPUT chain to allow related or established
packets out. I don't believe there's any way
a rule in the INPUT chain would ever also
magically apply to the OUTPUT chain.
Cheers,
--JK
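To make the point of the thread concrete, here is an added toy model of chain evaluation with a conntrack table (constructed for this page; not netfilter code and not from any poster). It shows that with a DROP policy on OUTPUT the server's reply packets still need an OUTPUT rule, whether the poster's port-specific one or Jason's generic ESTABLISHED,RELATED one; the client address and ports are constructed placeholders.

```python
# Toy model of iptables filtering with conntrack (constructed example, not
# netfilter code): a packet is matched against the chain's rules together with
# its conntrack state, falling back to the chain policy; an accepted packet is
# recorded so that the reverse direction is later seen as ESTABLISHED.
SERVER = "WW.XX.YY.ZZ"      # placeholder address used in the thread
CLIENT = "203.0.113.7"      # constructed client address

class Firewall:
    def __init__(self, policy, rules):
        self.policy = policy    # e.g. {"INPUT": "DROP", "OUTPUT": "DROP"}
        self.rules = rules      # e.g. {"INPUT": [matcher, ...], "OUTPUT": [...]}
        self.conntrack = set()  # flows confirmed by an accepted packet

    @staticmethod
    def flow(pkt):
        # Both directions of a connection share one conntrack entry.
        return frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])

    def state(self, pkt):
        return "ESTABLISHED" if self.flow(pkt) in self.conntrack else "NEW"

    def filter(self, chain, pkt):
        st = self.state(pkt)
        verdict = self.policy[chain]
        for matcher in self.rules[chain]:
            if matcher(pkt, st):
                verdict = "ACCEPT"
                break
        if verdict == "ACCEPT":
            self.conntrack.add(self.flow(pkt))
        return verdict

# The original poster's two rules, as matchers (ports are numeric: http = 80).
def input_http(pkt, st):
    return pkt["dst"] == SERVER and pkt["dport"] == 80 and st in ("NEW", "RELATED", "ESTABLISHED")

def output_http(pkt, st):
    return pkt["src"] == SERVER and pkt["sport"] == 80 and st in ("RELATED", "ESTABLISHED")

# The generic rule from Jason's layout, usable in either chain.
def any_established(pkt, st):
    return st in ("ESTABLISHED", "RELATED")

def http_handshake(output_rules):
    # Returns (verdict for the client's SYN on INPUT, verdict for the SYN-ACK on OUTPUT).
    fw = Firewall({"INPUT": "DROP", "OUTPUT": "DROP"},
                  {"INPUT": [input_http], "OUTPUT": output_rules})
    syn = {"src": CLIENT, "sport": 40000, "dst": SERVER, "dport": 80}
    synack = {"src": SERVER, "sport": 80, "dst": CLIENT, "dport": 40000}
    return fw.filter("INPUT", syn), fw.filter("OUTPUT", synack)
```

With an empty OUTPUT rule list the SYN is accepted but the SYN-ACK is dropped; with either OUTPUT matcher both pass, and an unsolicited outbound connection from the server is still dropped under Jason's layout.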