
Re: Iptables config



* Quoting Mathias Palm (Mathias.Palm@gmx.net):

> > 	iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> Sorry, I don't get that. The manpage says:
> 
> ...ESTABLISHED meaning that the
> packet is associated with a  connection  which  has
> seen  packets  in both directions...
>                   ^^^^
> But if I initiate a connection, it shouldn't have seen packages in both
> directions, should it? What am I missing?

That's for the FORWARD-Chain. In the INPUT-Chain,
you only have one Direction, so it sees
syn,ack-package and treats the connection
as established.

> ...RELATED  meaning  that  the packet is starting a new connection,
> but is associated with an existing connection, such
> as an FTP data transfer, or an ICMP error...

That's where the protocol helpers come into
place. They keep track of what's happening at the
protocol level and see when a data connection is
requested. That also makes them potentially
more vulnerable to exploits.

> How does iptables find out that a newly initiated connection is related
> to another existing one? By process number, by vicinity in time or
> something other?

In the FTP-case it sees the PORT-command inside
the ftp-connection. With other connections it uses
some sort of heuristics. You could also say it
kind of guesses.

- Rolf
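The two answers above describe connection tracking behaviour that is easier to see in a toy model than in the manpage wording. The following is an added example written for this thread, not code from the thread or from netfilter: it keeps just enough conntrack state to show that the SYN/ACK answering a locally initiated connection is the reply-direction packet that makes the connection "seen in both directions" (so it already matches ESTABLISHED in INPUT), that the FTP helper parses the PORT command on the control channel and registers an expectation so the server's data connection classifies as RELATED, and that an ICMP error is tied to a connection by the header it quotes rather than by guessing. All addresses, ports and the session are constructed sample values; the helper check that refuses a PORT address different from the client's own mirrors what the kernel FTP helper does unless its `loose` parameter is set.

```python
"""Toy model of netfilter connection tracking (added example, not netfilter code).
Addresses, ports and the sample session below are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    flags: str = ""        # "S" = SYN, "SA" = SYN/ACK, "A" = ACK
    payload: str = ""      # application data that a helper may inspect
    inner: tuple = None    # ICMP error only: 4-tuple of the packet that failed


class Conntrack:
    PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?$")

    def __init__(self):
        self.table = {}         # original-direction 4-tuple -> {"seen_reply": bool}
        self.expectations = {}  # (server_ip, client_ip, client_port) -> master tuple

    @staticmethod
    def _tuple(p):
        return (p.src, p.sport, p.dst, p.dport)

    def _find(self, t):
        """Return (original tuple, direction) for a 4-tuple, or (None, None)."""
        if t in self.table:
            return t, "ORIGINAL"
        rev = (t[2], t[3], t[0], t[1])
        if rev in self.table:
            return rev, "REPLY"
        return None, None

    def classify(self, p):
        """Return the --state value this packet would match."""
        if p.proto == "icmp-error":
            # An ICMP error quotes the header of the packet that triggered it;
            # conntrack looks that inner tuple up, no heuristics involved.
            key, _ = self._find(p.inner)
            return "RELATED" if key else "INVALID"
        key, direction = self._find(self._tuple(p))
        if key is None:
            key, direction = self._tuple(p), "ORIGINAL"
            state = "RELATED" if self._expected(p) else "NEW"
            self.table[key] = {"seen_reply": False}
        elif direction == "REPLY":
            # The reply itself is what makes the connection "seen in both
            # directions": a SYN/ACK arriving in INPUT is already ESTABLISHED.
            self.table[key]["seen_reply"] = True
            state = "ESTABLISHED"
        else:
            state = "ESTABLISHED" if self.table[key]["seen_reply"] else "NEW"
        # Toy auto-assignment of the FTP helper by port; real kernels since 4.7
        # require assigning helpers explicitly (see the note after the block).
        if direction == "ORIGINAL" and key[3] == 21:
            self._ftp_helper(p, key)
        return state

    def _expected(self, p):
        """Consume a matching expectation for an incoming SYN, if one exists."""
        exp = (p.src, p.dst, p.dport)
        if "S" in p.flags and exp in self.expectations:
            del self.expectations[exp]
            return True
        return False

    def _ftp_helper(self, p, master):
        """Parse an active-mode PORT command and expect the server's data SYN."""
        m = self.PORT_RE.match(p.payload)
        if not m:
            return
        h = m.groups()
        addr = ".".join(h[:4])
        port = int(h[4]) * 256 + int(h[5])
        # Default (non-loose) behaviour: never open an expectation for an
        # address other than the client that sent the command.
        if addr != master[0]:
            return
        self.expectations[(master[2], addr, port)] = master


def trace(packets, local="192.0.2.10"):
    """Run packets through one tracker; return (chain, state) per packet."""
    ct = Conntrack()
    return [("OUTPUT" if p.src == local else "INPUT", ct.classify(p)) for p in packets]


CLIENT, SERVER, ROUTER, STRANGER = "192.0.2.10", "203.0.113.5", "203.0.113.1", "198.51.100.9"
SAMPLE = [  # constructed active-mode FTP session, a stray SYN and an ICMP error
    Packet(CLIENT, 40001, SERVER, 21, flags="S"),
    Packet(SERVER, 21, CLIENT, 40001, flags="SA"),
    Packet(CLIENT, 40001, SERVER, 21, flags="A"),
    Packet(CLIENT, 40001, SERVER, 21, flags="A", payload="PORT 192,0,2,10,156,66\r"),
    Packet(SERVER, 20, CLIENT, 40002, flags="S"),           # 156*256+66 == 40002
    Packet(STRANGER, 5555, CLIENT, 40003, flags="S"),       # nobody expected this
    Packet(ROUTER, 0, CLIENT, 0, proto="icmp-error", inner=(CLIENT, 40001, SERVER, 21)),
]

if __name__ == "__main__":
    for p, (chain, state) in zip(SAMPLE, trace(SAMPLE)):
        print(f"{chain:6} {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.flags:2} {state}")
```

In the trace, only the first packet (the outgoing SYN in OUTPUT) is NEW; every later packet of that session, including the SYN/ACK in INPUT, is ESTABLISHED, the server's data SYN is RELATED because the helper registered it, and the stranger's SYN is NEW and would fall through to a default-deny INPUT policy. The helper line is also where the exposure Rolf mentions lives: it parses untrusted application data. On current kernels helpers are not attached automatically, so `nf_conntrack_ftp` must be loaded and assigned only to the FTP control port with the CT target in the raw table (for example `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`), which keeps that parsing off every other connection.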




