Usually, firewall rulesets that take advantage of connection state (stateful filtering) are to be preferred over stateless packet filters:
Suppose we wish to allow connections to our SSH and HTTP servers:
# ($IPT is assumed to hold the path to the iptables binary, e.g. IPT=/sbin/iptables)
$IPT -t filter -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -t filter -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
#
# ...allow new connections to our servers; also allow traffic inward on
# already-established connections...
$IPT -t filter -A OUTPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
#
# ...allow outward traffic on already-established connections only (with a
# DROP policy on OUTPUT this host cannot originate connections itself)...
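As an added example (not part of the original notes), here is the complete stateful ruleset that the two server rules above belong in, emitted in iptables-restore format by a small shell function so that it can be checked with `iptables-restore --test` before being loaded. It uses `-m conntrack --ctstate`, the current spelling of the `-m state --state` match used above (the old module is an alias for the new one). The default policies, the loopback and INVALID rules, the port arguments and the `--check` flag are assumptions of this example, not something the notes specify.

```shell
#!/bin/sh
# Added example: a complete stateful ruleset for a host that only serves
# SSH and HTTP, in iptables-restore format. Rule order matters: the
# ESTABLISHED,RELATED catch-all comes first because it matches almost every
# packet, and NEW is accepted only on the two service ports.

server_ruleset() {
    ssh_port="${1:-22}"    # assumed defaults; override per host
    http_port="${2:-80}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback traffic is always local; accept it unconditionally.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Packets conntrack cannot associate with any connection (bad flag
# combinations, out-of-window sequence numbers) are dropped before any
# ACCEPT rule can see them.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# One catch-all for the return half of every permitted connection.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The only NEW connections accepted from outside: SSH and HTTP. --syn
# additionally insists the first packet really is a SYN.
-A INPUT -p tcp --dport ${ssh_port} --syn -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport ${http_port} --syn -m conntrack --ctstate NEW -j ACCEPT
# Outbound: replies to the connections above only. The host does not
# originate connections; add explicit NEW rules here if it must (e.g. DNS).
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Offline sanity check (no root needed): an INPUT rule that ACCEPTs NEW
# traffic without an explicit --dport would let in arbitrary new
# connections. Returns success only if such a rule exists.
accepts_unbounded_new() {
    server_ruleset "$@" | grep -- '^-A INPUT' | grep -- 'NEW' \
        | grep -v -- '--dport' | grep -q ACCEPT
}

# Parse-only check against the installed iptables (needs root):
#   sh server_rules.sh --check
if [ "${1:-}" = "--check" ]; then
    server_ruleset | iptables-restore --test
fi
```

To load it for real, pipe `server_ruleset` into `iptables-restore` (without `--test`) from a console session, never over the SSH connection the ruleset is about to police.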
Here we detail the iptables rules required on a desktop machine to connect to an FTP server and upload/download files, making use of connection tracking and state. FTP opens a separate data connection for each transfer, on a port negotiated over the control channel, so a filter that only looks at fixed port numbers cannot cope: without state and connection tracking our firewall would have to be very open (and therefore insecure) for active FTP, and hopeless for passive FTP.
modprobe ip_conntrack_ftp
# ...ensure the FTP connection-tracking helper is loaded (on current
# kernels the module is called nf_conntrack_ftp)...
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
#
# ...allow ourselves to connect to the FTP port on the server and allow
# packets back from the server for this connection...
#
# Active FTP:
#
iptables -A INPUT  -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
#
# ...for active FTP the client sends a port number over the FTP control
# channel (using the PORT command); the server then connects from its port 20
# to the client/desktop on that port and sends the data; this connection is
# in the opposite direction/sense to the original connection, so its first
# packet would normally count as NEW; it is accepted only because the FTP
# helper, having seen the PORT command, marks it RELATED;
#
# N.B. "RELATED"
#
# To allow active FTP without knowing the port number that has been
# passed --- i.e., without a stateful firewall and connection tracking ---
# we need a general rule which allows connections from port 20 on remote
# FTP servers to high ports (port numbers > 1023) on our client/desktop.
# Any attacker can choose source port 20, so this is simply too general to
# ever be secure; it was nonetheless necessary with older, stateless packet
# filters/firewalls (e.g., ipchains)...
#
# Passive FTP:
#
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT  -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
#
# ...for passive FTP the client/desktop sends the PASV command and the server
# replies with a port number; the client/desktop then connects to the server
# on that port to upload/download files; the connection is in the same
# direction/sense as the original connection, and its first outbound packet
# is again matched as RELATED rather than NEW;
#
# N.B. "RELATED"
#
# We have a connection between two arbitrary port numbers --- without
# knowledge of state and connection-tracking, our firewall would have
# to be hopelessly open and insecure...
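As an added example (not part of the original notes), the desktop's FTP client rules above rewritten for a current kernel and emitted in iptables-restore format. One caveat the notes predate: since Linux 4.7 the conntrack FTP helper is no longer attached to port-21 flows automatically (the nf_conntrack_helper sysctl defaulted to 0, and was removed in 6.0), so the helper must be assigned explicitly with the CT target in the raw table, otherwise no data-connection packet will ever be marked RELATED and both FTP modes silently fail under a DROP policy. The example also emits, for contrast, the single rule a stateless filter would need for active FTP, and a small check that no inbound ACCEPT in the stateful set admits NEW connections. The optional server address argument, the 1024:65535 range and the `--check` flag are assumptions of this example.

```shell
#!/bin/sh
# Added example: FTP client rules with explicit conntrack helper assignment.
# Requires: modprobe nf_conntrack_ftp (ip_conntrack_ftp on old kernels).

ftp_client_ruleset() {
    ftp_server="${1:-0.0.0.0/0}"   # assumed: optionally restrict to one server
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Attach the FTP helper to control connections we open to port 21. The helper
# parses PORT/PASV on that channel and registers an "expectation" for the
# data connection; the first packet matching it is then classed RELATED.
-A OUTPUT -p tcp -d ${ftp_server} --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Control channel: we open it (NEW); both halves are then ESTABLISHED.
-A OUTPUT -p tcp -d ${ftp_server} --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s ${ftp_server} --sport 21 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Active mode: the server connects back to us from port 20. Only the SYN the
# helper expected is RELATED; any other packet from port 20 hits the DROP policy.
-A INPUT -p tcp -s ${ftp_server} --sport 20 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -d ${ftp_server} --dport 20 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Passive mode: we connect to the port named in the server's PASV reply.
# Our SYN is RELATED (it matches the expectation); replies are ESTABLISHED.
-A OUTPUT -p tcp -d ${ftp_server} --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s ${ftp_server} --sport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# For contrast: the rule a stateless filter needs for active FTP. It must
# accept ANY new connection from source port 20 to any high port, and an
# attacker chooses their own source port.
stateless_active_ftp_rule() {
    echo "-A INPUT -p tcp --sport 20 --dport 1024:65535 -j ACCEPT"
}

# Offline check: number of INPUT rules in the stateful set that accept NEW
# connections. Should be 0: every inbound ACCEPT is a reply or RELATED.
inbound_new_rules() {
    ftp_client_ruleset "$@" | grep -c -- '^-A INPUT.*NEW' || true
}

# Parse-only check against the installed iptables (needs root):
#   sh ftp_client_rules.sh --check
if [ "${1:-}" = "--check" ]; then
    ftp_client_ruleset | iptables-restore --test
fi
```

Note that the helper parses the control channel in clear text; it cannot follow FTPS (TLS-protected) control connections, and for a server listening on a non-standard port the module needs that port listed via its `ports=` option as well as a matching CT rule.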