Connection related/established with iptables

Post by Warren Bel » Sat, 06 Oct 2001 08:32:59



I'm running iptables 1.2.2 on Redhat 7.1.  I have a default rule of DROP
for incoming packets and then allow what I want through.  Anything that
I initiate from my end that sends a return packet I need to make sure
that I specifically allow those packets through in my rules, like
connecting to an FTP site.

My question is, is it safe to set up a default rule to allow any
incoming packet that is related to what I'm sending out?  I just want to
make sure that iptables is secure in that sense so it wouldn't allow
anything in that wasn't related to what I was sending out.

A rule something like this:

   iptables -A INPUT -i $EXTERNAL_INTERFACE -p all -m state --state RELATED,ESTABLISHED -j ACCEPT


Connection related/established with iptables

Post by Ian Jone » Sat, 06 Oct 2001 10:02:42




> I'm running iptables 1.2.2 on Redhat 7.1.  I have a default rule of DROP
> for incoming packets and then allow what I want through.  Anything that
> I initiate from my end that sends a return packet I need to make sure
> that I specifically allow those packets through in my rules, like
> connecting to an FTP site.

> My question is, is it safe to set up a default rule to allow any
> incoming packet that is related to what I'm sending out?  I just want to
> make sure that iptables is secure in that sense so it wouldn't allow
> anything in that wasn't related to what I was sending out.

> A rule something like this:

>    iptables -A INPUT -i $EXTERNAL_INTERFACE -p all -m state --state RELATED,ESTABLISHED -j ACCEPT

Depending on connection tracking is safe, however you do need to understand
the difference between RELATED and ESTABLISHED. Depending on your needs you
may not need RELATED. I disallow RELATED on the firewall (INPUT, OUTPUT)
for most things but I do allow it for protected hosts (FORWARD).



Connection related/established with iptables

Post by Warren Bel » Sat, 06 Oct 2001 11:53:23





> > I'm running iptables 1.2.2 on Redhat 7.1.  I have a default rule of DROP
> > for incoming packets and then allow what I want through.  Anything that
> > I initiate from my end that sends a return packet I need to make sure
> > that I specifically allow those packets through in my rules, like
> > connecting to an FTP site.

> > My question is, is it safe to set up a default rule to allow any
> > incoming packet that is related to what I'm sending out?  I just want to
> > make sure that iptables is secure in that sense so it wouldn't allow
> > anything in that wasn't related to what I was sending out.

> > A rule something like this:

> >    iptables -A INPUT -i $EXTERNAL_INTERFACE -p all -m state --state RELATED,ESTABLISHED -j ACCEPT

> Depending on connection tracking is safe, however you do need to understand
> the difference between RELATED and ESTABLISHED. Depending on your needs you
> may not need RELATED. I disallow RELATED on the firewall (INPUT, OUTPUT)
> for most things but I do allow it for protected hosts (FORWARD).

Two questions, what is connection tracking, and why would I need the
RELATED?  I always thought they went together so never thought about
just using one or the other.

Thanks


Connection related/established with iptables

Post by Ian Jone » Sat, 06 Oct 2001 13:16:32




>> > I'm running iptables 1.2.2 on Redhat 7.1.  I have a default rule of
>> > DROP

>> > My question is, is it safe to set up a default rule to allow any
>> > incoming packet that is related to what I'm sending out?  I just want
>> > to make sure that iptables is secure in that sense so it wouldn't allow
>> > anything in that wasn't related to what I was sending out.

>> > A rule something like this:

>> >    iptables -A INPUT -i $EXTERNAL_INTERFACE -p all -m state --state RELATED,ESTABLISHED -j ACCEPT

>> Depending on connection tracking is safe, however you do need to
>> understand the difference between RELATED and ESTABLISHED. Depending on
>> your needs you may not need RELATED. I disallow RELATED on the firewall
>> (INPUT, OUTPUT) for most things but I do allow it for protected hosts
>> (FORWARD).

> Two questions, what is connection tracking, and why would I need the
> RELATED?  I always thought they went together so never thought about
> just using one or the other.

First question:
Connection tracking is happening all the time in netfilter capable kernels.
You may take advantage of it or you may ignore it, but it happens anyway.
The packet that starts a new connection is NEW. Responses to a NEW
connection and further data (both ways) are ESTABLISHED.
Connection tracking != packet filtering/mangling

Second:
RELATED is basically a new connection that is related to an ESTABLISHED
one. One of the most common uses of RELATED is to allow ftp-data
connections based on the existing ftp control (port 21) connection.

Beware of blindly allowing RELATED in your OUTPUT chain. It can allow your
firewall to speak (error messages) when you think it should be silent. You
most likely want to allow RELATED in your FORWARD chain. Unless you work
from your firewall box you probably do not want to allow RELATED in your
INPUT chain.

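To make the NEW / ESTABLISHED / RELATED distinction above concrete, here is a small Python model of connection tracking written for this page (it is not iptables or netfilter code): it tracks flows, lets an ftp helper announce the expected ftp-data connection from a PORT command, and treats an ICMP error as RELATED only when it quotes a flow that is being tracked. The hosts, ports and the Pkt layout are constructed.

```python
# Toy model of netfilter connection tracking (constructed for this page, not
# iptables/netfilter code): labels packets NEW / ESTABLISHED / RELATED / INVALID.
from collections import namedtuple
Pkt = namedtuple("Pkt", "proto src sport dst dport payload")


class ConnTracker:
    def __init__(self):
        self.flows = set()   # keys of tracked connections (original direction)
        self.expect = set()  # flows a helper announced; first packet is RELATED

    def classify(self, p):
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.flows or rev in self.flows:
            state = "ESTABLISHED"      # reply or further data of a tracked flow
        elif p.proto == "icmp-error":
            # an ICMP error is RELATED only if the packet it quotes is tracked
            state = "RELATED" if p.payload in self.flows else "INVALID"
        elif key in self.expect:
            state = "RELATED"          # e.g. ftp-data opened by the server
            self.expect.discard(key)
            self.flows.add(key)        # its later packets are ESTABLISHED
        else:
            state = "NEW"
            self.flows.add(key)
        self._ftp_helper(p)
        return state

    def _ftp_helper(self, p):
        # Active FTP: "PORT h1,h2,h3,h4,p1,p2" on the port-21 control channel
        # makes conntrack expect a server:20 -> client:(p1*256+p2) connection.
        if p.proto == "tcp" and p.dport == 21 and p.payload.startswith("PORT "):
            f = p.payload[5:].split(",")
            self.expect.add(("tcp", p.dst, 20, ".".join(f[:4]), int(f[4]) * 256 + int(f[5])))


def demo():
    """Constructed packets: client 192.168.0.10 uses active FTP to 10.0.0.5."""
    ct, c, s = ConnTracker(), "192.168.0.10", "10.0.0.5"
    seq = [
        Pkt("tcp", c, 40000, s, 21, "USER ftp"),                      # NEW
        Pkt("tcp", s, 21, c, 40000, "331 Password"),                  # ESTABLISHED
        Pkt("tcp", c, 40000, s, 21, "PORT 192,168,0,10,156,65"),      # ESTABLISHED
        Pkt("tcp", s, 20, c, 40001, ""),                              # RELATED
        Pkt("tcp", c, 40001, s, 20, ""),                              # ESTABLISHED
        Pkt("icmp-error", "10.0.0.1", 0, c, 0, ("tcp", c, 40000, s, 21)),  # RELATED
        Pkt("icmp-error", "10.0.0.1", 0, c, 0, ("tcp", c, 1, s, 2)),  # INVALID
        Pkt("tcp", "10.0.0.99", 5555, c, 22, ""),                     # NEW
    ]
    return [ct.classify(p) for p in seq]
```

The last packet shows why a DROP default policy plus ESTABLISHED is enough for replies: an unsolicited inbound connection is simply NEW and never matches the state rule.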


Connection related/established with iptables

Post by Warren Bel » Sat, 06 Oct 2001 14:45:33


[cut]

> > Two questions, what is connection tracking, and why would I need the
> > RELATED?  I always thought they went together so never thought about
> > just using one or the other.

> First question:
> Connection tracking is happening all the time in netfilter capable kernels.
> You may take advantage of it or you may ignore it, but it happens anyway.
> The packet that starts a new connection is NEW. Responses to a NEW
> connection and further data (both ways) are ESTABLISHED.
> Connection tracking != packet filtering/mangling

> Second:
> RELATED is basically a new connection that is related to an ESTABLISHED
> one. One of the most common uses of RELATED is to allow ftp-data
> connections based on the existing ftp control (port 21) connection.

> Beware of blindly allowing RELATED in your OUTPUT chain. It can allow your
> firewall to speak (error messages) when you think it should be silent. You
> most likely want to allow RELATED in your FORWARD chain. Unless you work
> from your firewall box you probably do not want to allow RELATED in your
> INPUT chain.

Ok, thanks.  What I have is my Linux machine, running iptables,
connected to the net and masquerading a net connection for all my
machines on the network.  So sometimes I use the firewall machine to get
onto the net and sometimes one of the machines on the network.  I'm not
exactly sure what would be good for my setup, maybe you could let me
know what I should change if needed.

Here's the important parts of the firewall script:

   EXTERNAL_INTERFACE="ppp0"               # Internet connected interface
   IN_EXTERNAL_INTERFACE="ppp1"            # Dial-up interface
   LOOPBACK_INTERFACE="lo"                 # or your local naming convention
   LOCAL_INTERFACE_1="eth0"                # internal LAN interface
   LOCALNET_1="192.168.0.0/24"             # whatever private range you use

   # Set the default policies
   # -----------------------------------

   iptables -P INPUT  DROP
   iptables -P OUTPUT ACCEPT
   iptables -P FORWARD DROP

# ---------------------------------------------------------------------
#                          LOCAL NETWORK STUFF
# ---------------------------------------------------------------------

   # Unlimited traffic on loopback interface.
   # -----------------------------------

   iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
   iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT

   # Unlimited traffic within the local network.
   # All internal machines have access to the firewall machine.
   # -----------------------------------

   iptables -A INPUT -i $LOCAL_INTERFACE_1 -s $LOCALNET_1 -j ACCEPT
   iptables -A OUTPUT -o $LOCAL_INTERFACE_1 -d $LOCALNET_1 -j ACCEPT

   # Masquerade internal traffic.
   # All internal traffic is masqueraded externally.
   # -----------------------------------

   iptables -A POSTROUTING -t nat -o $EXTERNAL_INTERFACE -s $LOCALNET_1 -j MASQUERADE
   iptables -A FORWARD -i $LOCAL_INTERFACE_1 -s $LOCALNET_1 -j ACCEPT

   #iptables -A POSTROUTING -t nat -o $IN_EXTERNAL_INTERFACE -s $LOCALNET_1 -j MASQUERADE
   iptables -A FORWARD -i $IN_EXTERNAL_INTERFACE -s $LOCALNET_1 -j ACCEPT

   # Rules to allow the reply packets to your
   # machines back in.
   # -----------------------------------

   iptables -A FORWARD -i $LOCAL_INTERFACE_1 -o $EXTERNAL_INTERFACE -m state --state NEW -j ACCEPT
   iptables -A FORWARD -d $LOCALNET_1 -m state --state RELATED,ESTABLISHED -j ACCEPT

   # And then the general rule to let anything I initiated back in
   # -----------------------------------

   iptables -A INPUT -i $EXTERNAL_INTERFACE -p all -m state --state RELATED,ESTABLISHED -j ACCEPT


Connection related/established with iptables

Post by Ian Jone » Sat, 06 Oct 2001 15:47:24




>> > Two questions, what is connection tracking, and why would I need the
>> > RELATED?  I always thought they went together so never thought about
>> > just using one or the other.

>> Connection tracking != packet filtering/mangling

>> RELATED is basically a new connection that is related to an ESTABLISHED
>> one. One of the most common uses of RELATED is to allow ftp-data
>> connections based on the existing ftp control (port 21) connection.

>> Beware of blindly allowing RELATED in your OUTPUT chain. It can allow
>> your firewall to speak (error messages) when you think it should be
>> silent. You most likely want to allow RELATED in your FORWARD chain.
>> Unless you work from your firewall box you probably do not want to allow
>> RELATED in your INPUT chain.

> Ok, thanks.  What I have is my Linux machine, running iptables,
> connected to the net and masquerading a net connection for all my
> machines on the network.  So sometimes I use the firewall machine to get
> onto the net and sometimes one of the machines on the network.  I'm not
> exactly sure what would be good for my setup, maybe you could let me
> know what I should change if needed.

<snip script>

>    iptables -A INPUT -i $EXTERNAL_INTERFACE -p all -m state --state RELATED,ESTABLISHED -j ACCEPT

Personally, I restrict what can be done on the firewall to the extent that
I download files to an internal host and then transfer them to the firewall
via ssh. I disallow all NEW connections. I don't allow RELATED in the INPUT
or OUTPUT chains. So far I have not been called a firewall nazi ;)

If you use the firewall as a workstation, you want to allow RELATED
connections for a number of things. Consider experimenting with more
restrictive and selective matching in your rules that employ RELATED (eg.
icmp type 3 code 3, interface, ttl, etc.).

Perhaps you might consider restricting what can be done on the firewall by
using the "uid" match. This is the basic firewall that I generally start
with:

#!/bin/bash

TCP_FORWARD="22,25,80,110,119,443,8080"
TCP_SERVICES="22"

iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -m state --state NEW -p tcp -m multiport \
   --destination-port $TCP_SERVICES -j ACCEPT
iptables -A INPUT -i eth1 -m state --state NEW -j ACCEPT
iptables -A INPUT -j QUEUE

iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state NEW -m owner --uid-owner ian -j ACCEPT
iptables -A OUTPUT -j QUEUE

iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW -p tcp \
   -m multiport --destination-port $TCP_FORWARD -j ACCEPT
iptables -A FORWARD -j QUEUE


