Dear .debs,
I've set up iptables on my woody box with a policy to drop. After some
tinkering I'd punched holes for the things I wanted to do (note this is
a *client* machine). Then I got into the wonders of setting up rules
for active and passive FTP. It works now, but I am asking myself
whether I can simplify my rules for all those other protocols.
For example, to get web browsing going I have:
# Allow HTTP connections initiated from here and replies back in, but
# do NOT allow connection requests from servers on the outside in.
#
/sbin/iptables --append $O --protocol tcp \
--source ${PPP_LOCAL} --source-port 1024: \
--destination-port 80 \
--jump ACCEPT
/sbin/iptables --append $I --protocol tcp ! --syn \
--source-port 80 \
--destination ${PPP_LOCAL} --destination-port 1024: \
--jump ACCEPT
in my /etc/ppp/ip-up.d/1firewall script where $O and $I are the output
and input chains dedicated to the ppp device.
Now to get FTP going I added
/sbin/iptables --append $O --match state \
--state ESTABLISHED,RELATED --jump ACCEPT
/sbin/iptables --append $I --match state \
--state ESTABLISHED,RELATED --jump ACCEPT
I was thinking I could put these two rules near the top of my script,
remove the second HTTP rule and still have the same protection. I
could also drop the counterpart rules for all those other nice
protocols I would like to use (ssh, hkp, smtp, imap, ...). It would
quite drastically simplify my script. Question is, does it still give
me the same kind of protection?
OT: I noticed scans for an HTTP server and more (logging what I drop)
while I was connected via dial-up. It's not safe out there! But you
already knew that of course :-)
While I'm at it I might as well append my scripts for everyone to give
a once over.
--
Olaf Meeuwissen
GnuPG key: 91114EAF/C3E1 2D40 C7CC AEB2 FB15 8BDF 60C2 5B3F 9111 4EAF
Attachments: /etc/ppp/ip-up.d/1firewall (application/shellscript),
/etc/ppp/ip-down.d/1firewall (application/shellscript)
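The consolidation asked about above, as an added example that is not the poster's attached script: the two ESTABLISHED,RELATED rules sit at the top, each client protocol then needs only its outbound NEW rule, and inbound connection attempts fall through to the chain's DROP policy instead of being matched by a per-port `! --syn` reply rule. The chain names $O/$I, PPP_LOCAL and the dry-run IPTABLES variable are assumptions; by default the commands are echoed rather than executed so the rule set can be inspected without root.

```shell
#!/bin/sh
# Added example (not the poster's /etc/ppp/ip-up.d/1firewall): a reduced
# client rule set that relies on connection tracking instead of one
# hand-written reply rule per protocol.
IPTABLES=${IPTABLES:-"echo /sbin/iptables"}   # dry run unless overridden
PPP_LOCAL=${PPP_LOCAL:-192.0.2.10}            # constructed sample address
O=${O:-ppp-out}                               # assumed output chain name
I=${I:-ppp-in}                                # assumed input chain name

# Stateful base: packets belonging to a connection we already accepted are
# allowed in both directions. RELATED covers the FTP data connection only
# while the ip_conntrack_ftp helper module is loaded.
stateful_rules() {
    $IPTABLES --append "$O" --match state --state ESTABLISHED,RELATED --jump ACCEPT
    $IPTABLES --append "$I" --match state --state ESTABLISHED,RELATED --jump ACCEPT
}

# One outbound rule per client protocol; no inbound counterpart is needed.
# A NEW connection arriving on $I matches nothing and hits the DROP policy.
client_rule() {
    # $1 = protocol, $2 = destination port
    $IPTABLES --append "$O" --protocol "$1" --match state --state NEW \
        --source "$PPP_LOCAL" --destination-port "$2" --jump ACCEPT
}

fw_rules() {
    stateful_rules
    client_rule tcp 80      # http
    client_rule tcp 21      # ftp control channel
    client_rule tcp 22      # ssh
    client_rule tcp 25      # smtp
    client_rule tcp 143     # imap
    client_rule tcp 11371   # hkp
}

# Sanity checks: exactly one rule should touch the input chain.
input_rule_count()  { fw_rules | grep -c -- "--append $I "; }
output_rule_count() { fw_rules | grep -c -- "--append $O "; }

fw_rules
```

Run it as root with IPTABLES=/sbin/iptables to actually load the rules; the old `--source-port 80 ! --syn` rule accepted any non-SYN packet from port 80 to a high port regardless of state, so this version is tighter, not looser.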