Linux – Firewall questions about state and policy

iptableslinuxrules

I finally managed to install my VM host and now I am messing with iptables to create, test and learn.

Does it matter if i put the below
rules at the begin or at the end of
my rules ?
```
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
```
i have tested and there was no difference but i would like to confirm.

Answer I choose so far:
It is a good idea to apply your policies as early as possible. Put them at the start. DROP rules on internal traffic can cause problems.
Having the below rule would be considered as a fault on the firewall ?
```
$IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
```
Without this rule i would need to add for example an OUTPUT rule for my ssh connection, example:
```
$IPT -A OUTPUT -p tcp --sport 2013 -j ACCEPT
```
Answer:
After more tests and talks with people on #iptables@freenode, i came to the conclusion that using -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT for INPUT and OUPUT is a fine approch and will help you deal with lots of things like for example the FTP and is a fine approch because unless you have that given port open and being accept there will be no malicious connection on it.

Here is a normal example without using the above:
```
$IPT -A INPUT -p tcp --dport 20:21 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
```
Now here is how the rule looks like using the above:
```
$IPT -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
```
That's all you need because once the connection is ESTABLISHED, the output will follow-up right away and you won't need to make rules for the ftp-data port.
What are bad things of having the below rule, could you give some example as to why not have it and instead just define anything you may need to use ?
```
$IPT -P OUTPUT ACCEPT
```
Answer I choose so far:
This policy rule allows all outgoing traffic. As a policy, allowing everything is obviously less secure than allowing only explicit kinds of traffic. So if security is your utmost priority, you'll want to set a DROP policy on the output chain instead. Just be aware that you'll then have to include a number of rules to allow outgoing traffic to a possibly large number of mundane things, such as: DNS, SMTP, IMAP, POP3, HTTP, HTTPS, etc.
What is the difference between conntrack and state in the below context ?

state example:
```
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
```
conntrack example:
```
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
```
Answer:
After some research talks with people on #iptables@freenode i came to the conclusion i should be using conntrack from here on.

Technically the conntrack match
supersedes – and so obsoletes – the
state match. But practically the
state match is not obsoleted in any
way.

I would aswell appreciate good online iptables reading materials.

Links recommended so far:

Perfect Ruleset

The Linux Documentation Project

Best Answer

It is a good idea to apply your policies as early as possible. Put them at the start. DROP rules on internal traffic can cause problems.
This rule would be consideref a fault, as it implements and ACCEPT policy. Adding an accept rule per service is the correct way to build your firewall.
An accept policy indicates you are running a mostly open policy. (We locked the front door locked, but you can use any other door to get in.) Best policy is a mostly closed policy. We keep all door and windows locked, and only unlock the ones we need.
It would appear there is no difference, although all the rules I have seen use state. The conctrack module will monitor the state. Use this rule with the port accept rule in question 2 to enable services.

You may want to look at the Shorewall documentation to see what can be done with iptables. I use it to build a firewall on all my Linux instances (including OpenWRT). It has well documented sample (default/base) configurations for servers with 1, 2 or 3 interfaces.

The Linux Documentation Project also has documentation.

Related Solutions

Ssh – iptables rules to block ssh remote forwarded ports

Would it not be easier to switch off ssh forwarding on the ssh server? Just change AllowTcpForwarding from yes to no in your /etc/ssh/sshd_config. If this doesn't suit, you could try something along the lines of

iptables -A OUTPUT -o eth1 -p tcp --cmd-owner "sshd" -j DROP

Linux – Understanding connection tracking in iptables

The first question is what is conntrack. This is the website for conntrack-tools. With that in mind what does state do?

The State Match

The most useful match criterion is supplied by the state' extension, which interprets the connection-tracking analysis of theip_conntrack' module. This is highly recommended.

Specifying -m state' allows an additional--state' option, which is a comma-separated list of states to match (the `!' flag indicates not to match those states). These states are:

NEW A packet which creates a new connection.

ESTABLISHED A packet which belongs to an existing connection (i.e., a reply packet, or outgoing packet on a connection which has seen replies).

RELATED A packet which is related to, but not part of, an existing connection, such as an ICMP error, or (with the FTP module inserted), a packet establishing an ftp data connection.

INVALID A packet which could not be identified for some reason: this includes running out of memory and ICMP errors which don't correspond to any known connection. Generally these packets should be dropped.

An example of this powerful match extension would be:

# iptables -A FORWARD -i ppp0 -m state ! --state NEW -j DROP

Firewall questions about state and policy?

So, to answer the question, conntrack is for use with the conntrack toolkit and supersedes state in this regard. It is better than state if you are planning on using the conntrack tool kit.

Connection tracking is on for traffic flows, it constantly tries to match flows to rules.

The answer that follows for question 2 is, yes, use conntrack

To answer question 3, which case? The answer for state is in the definition above.

The answer to 4 is, conntrack is for use with the conntrack toolkit, and state, for not using the toolkit. Yes, you can use conntrack at no penalty over using state with your example.

Links recommended so far:

Best Answer

Related Solutions

Ssh – iptables rules to block ssh remote forwarded ports

Linux – Understanding connection tracking in iptables

Related Topic