Packet Filters, Firewalls and Router ACLs: Particular Examples



4. Advantages of Stateful Firewalls and Connection-Tracking

Usually, firewalls in which the rules take advantage of state-related features are to be preferred: the return half of a connection can then be admitted only for connections the host has itself initiated or accepted, rather than through a broad reverse rule keyed on the remote source port:

4.1. Simple Example

Suppose we wish to allow connections to our SSH and HTTP servers:

  $IPT -t filter -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
  $IPT -t filter -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
      #
      # ...allow new connections to our servers;  also allow traffic inward on 
      #    already-established connections...

  $IPT -t filter -A OUTPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
      #
      # ...allow outward traffic on already-established connections...

4.2. Example: FTP Connection Tracking

Here we detail the iptables rules required on a desktop machine to connect to an FTP server and upload/download files, making use of connection tracking and state. Without state and connection tracking our firewall would have to be very insecure for active FTP and hopelessly open for passive FTP, because the FTP data connection uses a port number negotiated on the control channel rather than a fixed, well-known one.

    modprobe ip_conntrack_ftp
        # ...ensure we have iptables' special FTP-related abilities available
        #    (on current kernels the module is named nf_conntrack_ftp;  kernels
        #    from 4.7 on also no longer attach helpers to connections automatically,
        #    so there the control connection must be tied to the helper explicitly,
        #    e.g. "iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp")...

    iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT  -p tcp --sport 21 -m state --state ESTABLISHED     -j ACCEPT
        #
        # ...allow ourselves to connect to the FTP port on the server and allow
        #    packets back from the server for this connection...

    #
    # Active FTP:
    #
    iptables -A INPUT  -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED         -j ACCEPT
        #
        # ...for active FTP the client sends a port number over the FTP control
        #    channel (using the PORT command);  the server then connects from its
        #    port 20 to the client/desktop on this port and sends data;  this
        #    connection is in the opposite direction/sense to the original
        #    connection, so its first packet would match no ESTABLISHED rule on
        #    the INPUT chain;
        #
        #    N.B. "RELATED"
        #
        #    The FTP helper reads the PORT command and marks the matching incoming
        #    data connection RELATED, so only that one port is opened, and only
        #    while the expectation is outstanding.  To allow active FTP without
        #    knowing the port number that has been passed --- i.e., without a
        #    stateful firewall and connection tracking --- we would need a general
        #    rule which allows connections from port 20 on remote FTP servers to
        #    high ports (port numbers > 1023) on our client/desktop.  This is simply
        #    too general to ever be secure (anyone able to choose source port 20
        #    could reach any high port on us) and was the case with older,
        #    stateless packet filters/firewalls (e.g., ipchains)...

    #
    # Passive FTP:
    #
    iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT  -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED         -j ACCEPT
        #
        # ...for passive FTP the client sends a PASV command and the server replies
        #    (a "227 Entering Passive Mode" response) with an address and port
        #    number;  the client/desktop then connects to the server on this port
        #    to upload/download files;  the connection is in the same direction/sense
        #    as the original connection, but to an arbitrary high port on the server
        #
        #    N.B. "RELATED"
        #
        #    We have a connection between two arbitrary port numbers --- without
        #    knowledge of state and connection-tracking, our firewall would have
        #    to be hopelessly open and insecure, permitting any outbound TCP
        #    connection from one high port to another...
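What the helper does behind the two "RELATED" rules above (active and passive) is worth seeing concretely. The Python below is an added illustration for this page, not code from the original and not the kernel's nf_conntrack_ftp: it reads a control-channel exchange, extracts the data endpoint advertised by a PORT command (active) or a 227 reply (passive), and turns it into the single expected data connection that a RELATED rule should admit. As the kernel helper does by default, it ignores an advertised address that differs from the speaker's own address unless a "loose" flag is set, which is what stops an FTP "bounce" from opening a hole to a third host. The session transcript, the addresses and all names (Endpoint, Expectation, expectation, track_session) are constructed for the example.

```python
"""Toy model of the FTP connection-tracking helper's job: watch the control
channel, extract the data endpoint advertised by PORT (active) or by a 227
reply (passive), and emit the one data connection the filter should treat as
RELATED.  Added illustration only; names and sample traffic are constructed."""

import re
from typing import List, NamedTuple, Optional, Tuple

# h1,h2,h3,h4,p1,p2 : four address octets and two port bytes (RFC 959 syntax)
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"


class Endpoint(NamedTuple):
    ip: str
    port: int


class Expectation(NamedTuple):
    """The data connection a RELATED rule should accept."""
    src_ip: str      # host that opens the data connection
    dst_ip: str
    dst_port: int
    mode: str        # "active" or "passive"


def _decode_hostport(m) -> Optional[Endpoint]:
    """Validate the six decimal fields and fold them into an (ip, port) pair."""
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    port = nums[4] * 256 + nums[5]
    if port == 0:
        return None
    return Endpoint(".".join(str(n) for n in nums[:4]), port)


def parse_port_command(line: str) -> Optional[Endpoint]:
    """Client -> server: 'PORT 192,0,2,10,4,1' means the client listens on 192.0.2.10:1025."""
    m = re.fullmatch(r"PORT\s+" + _HOSTPORT, line.strip(), re.IGNORECASE)
    return _decode_hostport(m) if m else None


def parse_pasv_reply(line: str) -> Optional[Endpoint]:
    """Server -> client: '227 Entering Passive Mode (198,51,100,7,195,80).'"""
    line = line.strip()
    if not line.startswith("227"):
        return None
    m = re.search(_HOSTPORT, line)
    return _decode_hostport(m) if m else None


def expectation(client_ip: str, server_ip: str, direction: str, line: str,
                loose: bool = False) -> Optional[Expectation]:
    """direction is 'c2s' for a client command, 's2c' for a server reply.

    As the kernel helper does, refuse an advertised address that is not the
    speaker's own address unless loose=True: that is the FTP "bounce" defence.
    """
    if direction == "c2s":
        ep, speaker, mode = parse_port_command(line), client_ip, "active"
    elif direction == "s2c":
        ep, speaker, mode = parse_pasv_reply(line), server_ip, "passive"
    else:
        raise ValueError("direction must be 'c2s' or 's2c'")
    if ep is None or (ep.ip != speaker and not loose):
        return None
    if mode == "active":
        return Expectation(server_ip, ep.ip, ep.port, mode)   # server dials the client
    return Expectation(client_ip, ep.ip, ep.port, mode)       # client dials the server


def track_session(session: List[Tuple[str, str]], client_ip: str, server_ip: str,
                  loose: bool = False) -> List[Expectation]:
    """Run every control-channel line through the helper and collect expectations."""
    out = []
    for direction, line in session:
        e = expectation(client_ip, server_ip, direction, line, loose)
        if e is not None:
            out.append(e)
    return out


# Constructed control-channel excerpt (documentation addresses, not a real capture).
CLIENT, SERVER = "192.0.2.10", "198.51.100.7"
SESSION = [
    ("s2c", "220 ftp.example.test ready"),
    ("c2s", "USER anonymous"),
    ("s2c", "331 Please specify the password."),
    ("c2s", "PASS guest@"),
    ("s2c", "230 Login successful."),
    ("c2s", "PORT 192,0,2,10,4,1"),                               # active: 4*256+1 = 1025
    ("s2c", "200 PORT command successful."),
    ("c2s", "PASV"),
    ("s2c", "227 Entering Passive Mode (198,51,100,7,195,80)."),  # passive: 195*256+80 = 50000
    ("c2s", "PORT 10,0,0,5,0,22"),                                # bounce attempt at a third host
    ("s2c", "200 PORT command successful."),
]

if __name__ == "__main__":
    for e in track_session(SESSION, CLIENT, SERVER):
        print(f"{e.mode:7s} RELATED: {e.src_ip} -> {e.dst_ip}:{e.dst_port}")
```

Run as-is and the two legitimate data connections are reported, one inbound to the client's port 1025 and one outbound to the server's port 50000, while the PORT naming 10.0.0.5:22 produces nothing; rerun with loose=True and that third expectation appears, which is exactly the hole the default refuses to open.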

