Iptables allow http incoming connections, state NEW, ESTABLISHED


Could somebody explain to me why this works:

administrador@ubuntu:~$ sudo iptables -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source       destination         
ACCEPT     tcp  --  anywhere     anywhere            tcp dpt:www state NEW,ESTABLISHED 
REJECT     all  --  anywhere     anywhere            reject-with icmp-port-unreachable 

and this doesn't:

administrador@ubuntu:~$ sudo iptables -L INPUT
target     prot opt source       destination         
ACCEPT     tcp  --  anywhere     anywhere            tcp dpt:www 
REJECT     all  --  anywhere     anywhere            reject-with icmp-port-unreachable 

I'd rather say that the second rule is more restrictive. The firewall has to check the state of every packet, so why, when I want to check web server availability, doesn't the second option work? I mean the machine can't connect to the server.

Best Answer

The former rule employs connection tracking, the latter does not. The connection tracking entries are needed for the reply packets to get through. When the connection tracking system allows a packet in that establishes a connection or logical association, an automatic, temporary reflexive rule is created to allow the reply packets out.
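To make the difference between the two chains concrete, here is an added toy model of netfilter connection tracking and of the two INPUT chains listed in the question. This is illustration code, not code from the question, the answer or the iptables project: it simplifies conntrack to TCP flows without timeouts or RELATED state, treats a lone SYN or (as with the default loose tracking) a lone ACK with no known flow as NEW, and treats any other flag combination with no known flow as INVALID. The hosts 10.0.0.1/2/3 and the port numbers are constructed values.

```python
"""Toy model of conntrack plus the two INPUT chains from the question.

Added illustration; not the page's or iptables' own code. Simplified:
TCP only, no timeouts, no RELATED state, loose pickup of lone ACKs.
"""
from dataclasses import dataclass

WWW = 80  # "dpt:www" in the iptables -L listing

# constructed addresses: the web server, a browser client, some third host
SERVER, CLIENT, OTHER = "10.0.0.1", "10.0.0.2", "10.0.0.3"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags set on the packet, e.g. frozenset({"SYN"})


class Conntrack:
    """Minimal state table keyed by the 4-tuple of the flow's first packet.
    A packet in the reverse direction maps onto the same entry."""

    def __init__(self, seed=()):
        self.flows = set(seed)

    def classify(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport)
        reply = (p.dst, p.dport, p.src, p.sport)
        if key in self.flows or reply in self.flows:
            return "ESTABLISHED"        # belongs to a flow we already saw
        if p.flags == {"SYN"} or p.flags == {"ACK"}:
            self.flows.add(key)         # opens (or loosely picks up) a flow
            return "NEW"
        return "INVALID"                # e.g. stray SYN/ACK, RST, FIN


def stateful_input(ct: Conntrack, p: Packet) -> str:
    """ACCEPT tcp dpt:www state NEW,ESTABLISHED; REJECT all (first listing)."""
    if p.dport == WWW and ct.classify(p) in ("NEW", "ESTABLISHED"):
        return "ACCEPT"
    return "REJECT"  # reject-with icmp-port-unreachable


def stateless_input(ct: Conntrack, p: Packet) -> str:
    """ACCEPT tcp dpt:www; REJECT all (second listing).
    Conntrack still runs in the kernel, but this rule never consults it."""
    ct.classify(p)
    if p.dport == WWW:
        return "ACCEPT"
    return "REJECT"


def run(chain, packets, seed=()):
    """Feed packets through one chain with a fresh conntrack table and
    return the verdict for each packet in order."""
    ct = Conntrack(seed)
    return [chain(ct, p) for p in packets]


# --- constructed traffic samples -------------------------------------------

def inbound_handshake():
    """A browser opening a connection to the web server: SYN, then ACK."""
    return [Packet(CLIENT, 50000, SERVER, WWW, frozenset({"SYN"})),
            Packet(CLIENT, 50000, SERVER, WWW, frozenset({"ACK"}))]


def stray_synack():
    """An unsolicited SYN/ACK aimed at port 80 with no matching flow."""
    return [Packet(OTHER, 12345, SERVER, WWW, frozenset({"SYN", "ACK"}))]


def outbound_reply():
    """Reply to a connection this host opened to OTHER:80; its destination
    port is the ephemeral port, so 'dpt:www' does not match it."""
    return [Packet(OTHER, WWW, SERVER, 40000, frozenset({"SYN", "ACK"}))]


# flow entry that the outbound SYN (leaving via OUTPUT) would have created
OUTBOUND_SEED = [(SERVER, 40000, OTHER, WWW)]


if __name__ == "__main__":
    for name, chain in (("stateful", stateful_input), ("stateless", stateless_input)):
        print(name, "inbound handshake:", run(chain, inbound_handshake()))
        print(name, "stray SYN/ACK    :", run(chain, stray_synack()))
        print(name, "outbound reply   :", run(chain, outbound_reply(), OUTBOUND_SEED))
```

Running the three samples shows that both chains pass a genuine inbound connection, that only the stateful chain rejects a stray SYN/ACK (conntrack classifies it as INVALID, which is neither NEW nor ESTABLISHED), and that neither chain passes the reply to a connection this host initiated, because the `dpt:www` match applies before the state match and the reply's destination port is the ephemeral one; a host that also makes outbound connections needs a separate `state ESTABLISHED,RELATED` accept rule in INPUT.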