
Re: iptables rules : two in one



Franck Joncourt wrote:
> Andrey Kozlov wrote:
>
>> By using connection tracking you can define common rules for ongoing
>> traffic on top of your rule set:
>>
>> iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
>> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>> and then add specific rules for any required services, e.g.:
>>
>> iptables -A OUTPUT -o eth0 -p tcp --sport $UNPRIVPORTS \
>>       -d pop.mail.yahoo.co.uk --dport 110 -m state --state NEW -j ACCEPT
>>
>> iptables -A OUTPUT -o eth0 -p tcp --sport $UNPRIVPORTS \
>>       -d pop.1and1.fr --dport 110 -m state --state NEW -j ACCEPT
>
> So it means I accept both 'established' and 'related' connections
> from/to any ports.

Not only any ports but also any protocol, including DNS replies, ICMP replies and error notifications... without the need to explicitly allow each of them. That's why most stateful filtering setups use this kind of rules. I use a slightly modified version of these rules myself (there are some RELATED ICMP types I don't want to accept).

> Then, I allow 'new' connections to port 110 (for
> pop.1and1.fr and pop.mail.yahoo.co.uk).

Yes. So instead of setting up rules for original and return traffic, you just need to set up one rule for the original traffic.

> In the end, 'established' or 'related' connections from/to port 4895,
> for instance, will be accepted as well.

Only after they have been first accepted as NEW.

> Unless I am wrong, it is not really interesting in the case I have got a
> mistake in my firewall and accept 'new' connections from/to port 4895.
> I allow more than I should without any reason.

Why would you have a mistake in your firewall and explicitly accept traffic that you don't actually want to accept?
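The exchange above turns on how the ESTABLISHED,RELATED rule interacts with the explicit NEW rules. The following toy model of netfilter's state matching is an added illustration, not code from the thread or from netfilter itself: it keeps a conntrack table of flows that were accepted as NEW and classifies every later packet as ESTABLISHED, RELATED or NEW before walking the rule list. Host names, the local address 192.0.2.10, the ports and the "mistaken" port-4895 rule are constructed for the demo; the set of ICMP error types treated as RELATED, and the idea of dropping ICMP redirects ahead of the generic rule (one way to read "some RELATED ICMP types I don't want to accept"), are modelling assumptions.

```python
"""Toy model of iptables stateful filtering (added illustration, not part of the thread)."""
from dataclasses import dataclass
from typing import Optional

POP_HOSTS = {"pop.mail.yahoo.co.uk", "pop.1and1.fr"}   # the two POP3 servers in the thread
# Assumption: ICMP error types conntrack ties to an existing flow as RELATED
# (3 dest-unreach, 4 source-quench, 5 redirect, 11 time-exceeded, 12 parameter-problem).
RELATED_ICMP = {3, 4, 5, 11, 12}


@dataclass(frozen=True)
class Packet:
    chain: str                      # "INPUT" or "OUTPUT"
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    icmp_type: Optional[int] = None
    inner: Optional[tuple] = None   # ICMP errors: (src, sport, dst, dport) of the quoted packet


@dataclass
class Rule:
    chain: str
    target: str                     # "ACCEPT" or "DROP"
    states: Optional[set] = None    # -m state --state ...; None means any state
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


class StatefulFirewall:
    def __init__(self, rules, policy="DROP"):
        self.rules, self.policy = rules, policy
        self.conntrack = set()      # flows (src, sport, dst, dport) accepted while NEW

    def state_of(self, p):
        flow, reverse = (p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)
        if flow in self.conntrack or reverse in self.conntrack:
            return "ESTABLISHED"
        if p.proto == "icmp" and p.icmp_type in RELATED_ICMP and p.inner:
            inner_rev = (p.inner[2], p.inner[3], p.inner[0], p.inner[1])
            if p.inner in self.conntrack or inner_rev in self.conntrack:
                return "RELATED"
        return "NEW"

    @staticmethod
    def matches(r, p, state):
        return ((r.states is None or state in r.states)
                and (r.proto is None or r.proto == p.proto)
                and (r.dst is None or r.dst == p.dst)
                and (r.dport is None or r.dport == p.dport)
                and (r.icmp_type is None or r.icmp_type == p.icmp_type))

    def filter(self, p):
        """First matching rule in the packet's chain decides; otherwise the chain policy."""
        state = self.state_of(p)
        verdict = next((r.target for r in self.rules
                        if r.chain == p.chain and self.matches(r, p, state)), self.policy)
        if verdict == "ACCEPT" and state == "NEW":   # only accepted NEW packets create an entry
            self.conntrack.add((p.src, p.sport, p.dst, p.dport))
        return verdict, state


def build_ruleset(drop_icmp_redirect=False):
    """Andrey's rules from the thread; optionally refuse ICMP redirects before the generic rule."""
    rules = [Rule("INPUT", "DROP", proto="icmp", icmp_type=5)] if drop_icmp_redirect else []
    rules += [Rule("INPUT", "ACCEPT", states={"ESTABLISHED", "RELATED"}),
              Rule("OUTPUT", "ACCEPT", states={"ESTABLISHED", "RELATED"})]
    rules += [Rule("OUTPUT", "ACCEPT", states={"NEW"}, proto="tcp", dst=h, dport=110) for h in POP_HOSTS]
    return rules


def demo():
    me, pop, stranger = "192.0.2.10", "pop.1and1.fr", "198.51.100.7"   # constructed addresses
    quoted = (me, 40001, pop, 110)
    r = {}
    fw = StatefulFirewall(build_ruleset())
    r["pop_syn"] = fw.filter(Packet("OUTPUT", "tcp", me, 40001, pop, 110))          # explicit NEW rule
    r["pop_reply"] = fw.filter(Packet("INPUT", "tcp", pop, 110, me, 40001))          # no port-110 INPUT rule needed
    r["port_4895_new"] = fw.filter(Packet("INPUT", "tcp", stranger, 53000, me, 4895))  # nothing accepts NEW here
    r["icmp_unreach"] = fw.filter(Packet("INPUT", "icmp", pop, 0, me, 0, 3, quoted))
    r["icmp_redirect_default"] = fw.filter(Packet("INPUT", "icmp", "203.0.113.1", 0, me, 0, 5, quoted))
    fw2 = StatefulFirewall(build_ruleset(drop_icmp_redirect=True))
    fw2.filter(Packet("OUTPUT", "tcp", me, 40001, pop, 110))
    r["icmp_redirect_tightened"] = fw2.filter(Packet("INPUT", "icmp", "203.0.113.1", 0, me, 0, 5, quoted))
    # Franck's worry: a mistaken NEW rule for port 4895 opens the whole flow, replies included.
    fw3 = StatefulFirewall(build_ruleset() + [Rule("INPUT", "ACCEPT", states={"NEW"}, proto="tcp", dport=4895)])
    r["mistaken_4895_new"] = fw3.filter(Packet("INPUT", "tcp", stranger, 53000, me, 4895))
    r["mistaken_4895_reply"] = fw3.filter(Packet("OUTPUT", "tcp", me, 4895, stranger, 53000))
    return r


if __name__ == "__main__":
    for name, (verdict, state) in demo().items():
        print(f"{name:26} {state:12} -> {verdict}")
```

The model reproduces both replies in the thread: the server's answer on port 110 and the related ICMP error pass with no rule naming them, an unsolicited packet to port 4895 is NEW and falls through to the DROP policy, and port 4895 traffic flows in both directions only once a NEW rule has accepted it. Rule order matters in the same way as in iptables, which is why the tightened variant places the ICMP redirect DROP before the generic ESTABLISHED,RELATED ACCEPT.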


