[ale] iptables issue

JK jknapka at kneuro.net
Mon Jul 17 12:05:40 EDT 2006


Jason Lunz wrote:

> jimpop at yahoo.com said:
> 
>>Jason Lunz wrote:
>>
>>>jimpop at yahoo.com said:
>>>
>>>>I have an issue wrt iptables.  I use iptables to allow/deny access to a 
>>>>website.  The tables are intended to allow all in to port 80 at address 
>>>>WW.XX.YY.ZZ, and all replies back out from port 80 on same address.
>>>>
>>>>The command line used to create the rules is this:
>>>>
>>>>iptables -A INPUT -p tcp -d WW.XX.YY.ZZ --dport http \
>>>>      -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
>>>>iptables -A OUTPUT -p tcp -s WW.XX.YY.ZZ --sport http \
>>>>      -m state --state RELATED,ESTABLISHED -j ACCEPT
>>>
>>>the second rule is superfluous. It's implied by the ESTABLISHED in the
>>>first rule.
>>
>>Are you sure of that?  Every firewall example I've ever seen shows rules 
>>for both directions.
> 
> 
> yes, I'm sure. This is what connection tracking does. The INPUT --dport
> http rule allows the connection to be established; after that, it's the
> kernel's job to keep track of which packets belong to the connection.
> 
> The way you ask the conntrack module whether a packet is part of an
> established session is with "--state ESTABLISHED". It's intended to be
> used like this:
> 
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -p tcp -d WW.XX.YY.ZZ --dport http \
> 	-m state --state NEW -j ACCEPT
> 
> In the above configuration, ONLY packets that are part of inbound port
> 80 tcp connections are allowed in or out.

Right, but he *does* still need a rule in the
OUTPUT chain to allow related or established
packets out.  I don't believe there's any way
a rule in the INPUT chain would ever also
magically apply to the OUTPUT chain.

Cheers,

--JK
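The point under discussion (whether the OUTPUT chain needs its own ESTABLISHED,RELATED rule when the default policy is DROP) can be checked with a small model of chain traversal plus connection tracking. The following is an added example, not code from any participant in the thread: it models the two rulesets quoted above (the original poster's port-80-specific pair and the generic conntrack layout from the reply) and a third variant with the OUTPUT rule removed, then runs a client SYN, the server's SYN-ACK and an unsolicited outbound connection through each. The addresses are constructed from the documentation ranges (192.0.2.10 stands in for WW.XX.YY.ZZ), only the ESTABLISHED state is modelled (RELATED is accepted by the rules but never produced), and first-match semantics with policy fallback are what the real filter table does.

```python
"""Toy model of netfilter chain traversal with connection tracking.

Constructed illustration: it reproduces the logic of the rulesets in the
thread (default-DROP policies, ESTABLISHED/RELATED accepts, NEW admitted
only on INPUT to tcp/80). It is not the kernel's conntrack implementation.
"""
from dataclasses import dataclass, field

SERVER = "192.0.2.10"     # stands in for WW.XX.YY.ZZ (RFC 5737 range)
CLIENT = "198.51.100.7"   # constructed peer address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    """One iptables rule: every set field must match; None means 'any'."""
    target: str                        # ACCEPT or DROP
    states: frozenset = frozenset()    # empty = no '-m state' match at all
    dst: str = None
    dport: int = None
    src: str = None
    sport: int = None

    def matches(self, pkt, state):
        if self.states and state not in self.states:
            return False
        return all(want is None or want == have for want, have in (
            (self.dst, pkt.dst), (self.dport, pkt.dport),
            (self.src, pkt.src), (self.sport, pkt.sport)))


@dataclass
class Firewall:
    policy: dict                                   # chain -> default target
    chains: dict = field(default_factory=dict)     # chain -> [Rule, ...]
    conntrack: set = field(default_factory=set)    # flows seen, original direction

    def _state(self, pkt):
        """A packet in either direction of a known flow is ESTABLISHED."""
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ESTABLISHED" if flow in self.conntrack or reply in self.conntrack else "NEW"

    def filter(self, chain, pkt):
        """Walk the chain in order; first match wins, else the chain policy applies.
        An accepted NEW packet creates the conntrack entry, as the kernel confirms
        an entry only once the packet has passed the filter hooks."""
        state = self._state(pkt)
        verdict = self.policy[chain]
        for rule in self.chains.get(chain, []):
            if rule.matches(pkt, state):
                verdict = rule.target
                break
        if verdict == "ACCEPT" and state == "NEW":
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict


EST = frozenset({"ESTABLISHED", "RELATED"})


def original_poster_ruleset():
    """The two port-80-specific rules quoted at the top of the thread."""
    return Firewall(
        policy={"INPUT": "DROP", "OUTPUT": "DROP"},
        chains={
            "INPUT": [Rule("ACCEPT", EST | {"NEW"}, dst=SERVER, dport=80)],
            "OUTPUT": [Rule("ACCEPT", EST, src=SERVER, sport=80)],
        })


def reply_ruleset():
    """The generic layout from the reply: conntrack accepts in both chains,
    NEW admitted only for tcp/80 on INPUT."""
    return Firewall(
        policy={"INPUT": "DROP", "OUTPUT": "DROP"},
        chains={
            "INPUT": [Rule("ACCEPT", EST),
                      Rule("ACCEPT", frozenset({"NEW"}), dst=SERVER, dport=80)],
            "OUTPUT": [Rule("ACCEPT", EST)],
        })


def without_output_rule():
    """Same as reply_ruleset() but with the OUTPUT chain left empty."""
    fw = reply_ruleset()
    fw.chains["OUTPUT"] = []
    return fw


def http_exchange(fw):
    """Client SYN in, server SYN-ACK out, then the server tries an unrelated
    outbound connection. Returns the three verdicts in that order."""
    syn = Packet(CLIENT, 51515, SERVER, 80)
    synack = Packet(SERVER, 80, CLIENT, 51515)
    unsolicited = Packet(SERVER, 40000, "203.0.113.5", 25)   # constructed peer
    return (fw.filter("INPUT", syn),
            fw.filter("OUTPUT", synack),
            fw.filter("OUTPUT", unsolicited))


if __name__ == "__main__":
    for name, build in (("original poster", original_poster_ruleset),
                        ("reply", reply_ruleset),
                        ("no OUTPUT rule", without_output_rule)):
        print(f"{name:16s} SYN/SYN-ACK/unsolicited -> {http_exchange(build())}")
```

Both complete rulesets admit the inbound SYN and the server's reply while dropping the server-initiated connection to port 25, which is the "only packets that are part of inbound port 80 connections" property claimed in the reply; with the OUTPUT conntrack rule removed the reply is dropped by the OUTPUT policy, since nothing in the INPUT chain is consulted for locally generated packets.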



