I've tried reading many articles on the internet but none of them are quite clear. I also know a similar question has been posted here before but none of them explain my situation. Earlier I ended up wasting 2-3 hours because of this.
Manual says:
NEW — meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions, and
ESTABLISHED — meaning that the packet is associated with a connection which has seen packets in both directions,
RELATED — meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error.
My iptables on Server look like:
iptables -P FORWARD ACCEPT
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
# Flush old rules
iptables -F
# Loopback
iptables -I INPUT 1 -i lo -j ACCEPT
# Allow responses from OUTPUT connection
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
# Apache
iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
Whenever I try `curl --verbose https://server_ip/` from my PC, it works perfectly. But when I tried this from inside the server after SSHing into it, it always got stuck at CLIENT HELLO. Why is it happening? Note: `curl --verbose http://server_ip/` (without SSL) worked perfectly from both the local PC and the server.
After I executed `iptables -A INPUT -m state --state RELATED -j ACCEPT`, it started working from inside the server too. Again, why did it start working?
The manual says RELATED -- meaning that the packet is starting a new connection. Is it a security risk? Can a client open a connection to a different port using this? When is it useful?
Best Answer
RELATED is useful for the kind of protocols that need to open a new connection. It is often used, in combination with `ip_conntrack_ftp`, for FTP connections; take a look here at how active FTP works.
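To make the three states from the manual concrete, here is an added toy model of conntrack and of the question's INPUT chain. It is not code from the question, the answer or netfilter itself: the addresses, ports and packet trace are constructed, and the `-i lo` rule, TCP flag tracking and the real ICMP handling are simplified away, so only the state logic is modelled. It shows why a plain SYN to an unlisted port stays NEW (and is dropped with or without the RELATED rule), while an ICMP error that quotes a connection the server itself opened is RELATED and is only admitted once that rule exists.

```python
"""Toy model of the conntrack states NEW / ESTABLISHED / RELATED / INVALID
and of a simplified iptables INPUT chain.

Added example, not code from the original thread.  Addresses, ports and the
packet trace below are constructed; interface matching (-i lo) and TCP flag
handling are left out, so only the state logic is modelled."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SERVER = "10.0.0.1"                       # constructed server address
CLIENT, MAILHOST, ROUTER = "203.0.113.5", "198.51.100.9", "192.0.2.1"

FlowTuple = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    # For ICMP errors: the tuple of the packet quoted in the error payload,
    # which is what conntrack uses to relate the error to an existing flow.
    quoted: Optional[FlowTuple] = None

    @property
    def inbound(self) -> bool:
        return self.dst == SERVER


def _tuple(p: Packet) -> FlowTuple:
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def _reverse(t: FlowTuple) -> FlowTuple:
    proto, src, sport, dst, dport = t
    return (proto, dst, dport, src, sport)


class Conntrack:
    """Flows are keyed by their original-direction tuple; the value records
    whether a packet in the reply direction has been seen yet."""

    def __init__(self) -> None:
        self.table: Dict[FlowTuple, bool] = {}

    def classify(self, p: Packet) -> str:
        if p.proto == "icmp" and p.quoted is not None:
            # An ICMP error is RELATED only if the flow it quotes is tracked
            # (in either direction); anything else is INVALID.
            if p.quoted in self.table or _reverse(p.quoted) in self.table:
                return "RELATED"
            return "INVALID"
        t = _tuple(p)
        if t in self.table:
            # Same direction as the first packet: NEW until a reply is seen.
            return "ESTABLISHED" if self.table[t] else "NEW"
        if _reverse(t) in self.table:
            # First packet in the reply direction: now "seen in both directions".
            self.table[_reverse(t)] = True
            return "ESTABLISHED"
        self.table[t] = False
        return "NEW"


@dataclass(frozen=True)
class Rule:
    states: frozenset              # --state
    target: str                    # -j
    proto: Optional[str] = None    # -p
    dport: Optional[int] = None    # --dport


def input_verdict(rules: List[Rule], policy: str, p: Packet, state: str) -> str:
    for r in rules:
        if r.proto is not None and r.proto != p.proto:
            continue
        if r.dport is not None and r.dport != p.dport:
            continue
        if state in r.states:
            return r.target
    return policy


# The question's INPUT chain (minus the loopback rule) ...
BASE_RULES = [
    Rule(frozenset({"ESTABLISHED"}), "ACCEPT"),
    Rule(frozenset({"NEW", "ESTABLISHED"}), "ACCEPT", proto="tcp", dport=80),
    Rule(frozenset({"NEW", "ESTABLISHED"}), "ACCEPT", proto="tcp", dport=443),
]
# ... and the same chain after the RELATED rule was appended.
WITH_RELATED = BASE_RULES + [Rule(frozenset({"RELATED"}), "ACCEPT")]


def simulate(rules: List[Rule], trace, policy: str = "DROP") -> Dict[str, Tuple[str, str]]:
    """Run a packet trace through conntrack and, for inbound packets, through
    the INPUT chain.  Outbound packets get the verdict "OUTPUT" (the
    question's OUTPUT policy is ACCEPT)."""
    ct = Conntrack()
    result = {}
    for label, p in trace:
        state = ct.classify(p)
        verdict = input_verdict(rules, policy, p, state) if p.inbound else "OUTPUT"
        result[label] = (state, verdict)
    return result


# Constructed trace: a client TLS handshake start, a probe of port 22, a
# server-initiated SMTP connection with a genuine ICMP error from a router,
# a forged ICMP error quoting an untracked flow, and a probe of port 8080.
TRACE = [
    ("client syn 443", Packet("tcp", CLIENT, 50000, SERVER, 443)),
    ("server synack 443", Packet("tcp", SERVER, 443, CLIENT, 50000)),
    ("client ack 443", Packet("tcp", CLIENT, 50000, SERVER, 443)),
    ("client syn 22", Packet("tcp", CLIENT, 50001, SERVER, 22)),
    ("server syn 25", Packet("tcp", SERVER, 40000, MAILHOST, 25)),
    ("router icmp error", Packet("icmp", ROUTER, 0, SERVER, 0,
                                 quoted=("tcp", SERVER, 40000, MAILHOST, 25))),
    ("forged icmp error", Packet("icmp", CLIENT, 0, SERVER, 0,
                                 quoted=("tcp", SERVER, 40001, MAILHOST, 25))),
    ("client syn 8080", Packet("tcp", CLIENT, 50002, SERVER, 8080)),
]

if __name__ == "__main__":
    for name, rules in (("without RELATED", BASE_RULES), ("with RELATED", WITH_RELATED)):
        print(name)
        for label, (state, verdict) in simulate(rules, TRACE).items():
            print(f"  {label:20s} {state:12s} {verdict}")
```

Running it shows the only verdict that changes between the two rule sets is the router's ICMP error for the server's own outbound connection (DROP becomes ACCEPT); the forged error stays INVALID and the SYNs to 22 and 8080 stay NEW and dropped, because RELATED is assigned by conntrack from the packet's relationship to a tracked flow, not from anything the sender can claim.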