Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Gentoo Wiki - IPTables
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Xander314
n00b
n00b


Joined: 16 Apr 2012
Posts: 39

PostPosted: Tue Oct 01, 2013 5:41 pm    Post subject: Gentoo Wiki - IPTables Reply with quote

I wanted to set up a firewall before going to university, so I followed the Gentoo Wiki's IPTables article as a starting point. The default policy for INPUT is set to DROP. Then the following two rules are applied:
Code:

iptables -A INPUT -i eth0 -p tcp --sport 80 --syn -m conntrack --ctstate --state NEW                 -j ACCEPT
iptables -A INPUT                                 -m conntrack --ctstate --state ESTABLISHED,RELATED -j ACCEPT


I understand that the second line only allows packets associated with established connections, which I assume are established via outgoing connections.

I am not sure what the first line does. It appears to allow standard HTTP connections in, but I can browse the web just fine without it. As I understand it, when browsing the web, my browser creates an outgoing connection (which is allowed by default) and then the resulting returned connection is also allowed as it is related to the existing connection (state RELATED or ESTABLISHED). Given that, why is the first line necessary at all?
Back to top
View user's profile Send private message
Ant P.
Advocate
Advocate


Joined: 18 Apr 2009
Posts: 2208
Location: UK

PostPosted: Tue Oct 01, 2013 7:24 pm    Post subject: Reply with quote

The first line is an example rule for running a local webserver.
Back to top
View user's profile Send private message
Xander314
n00b
n00b


Joined: 16 Apr 2012
Posts: 39

PostPosted: Tue Oct 01, 2013 8:02 pm    Post subject: Reply with quote

Thanks for the info. I'll just use the other line then.
Back to top
View user's profile Send private message
olek
Apprentice
Apprentice


Joined: 22 Oct 2011
Posts: 161

PostPosted: Tue Oct 01, 2013 8:09 pm    Post subject: Reply with quote

I can really recommend one of Archs articles here:
https://wiki.archlinux.org/index.php/Simple_stateful_firewall
_________________
https://cosmofox.net/gen2
Back to top
View user's profile Send private message
Hu
Watchman
Watchman


Joined: 06 Mar 2007
Posts: 8602

PostPosted: Tue Oct 01, 2013 9:01 pm    Post subject: Reply with quote

Ant P. wrote:
The first line is an example rule for running a local webserver.
It is worse than that. You would be correct if the author had used --dport, but since he used --sport, this means that any unsolicited connection with a source port of 80 is permitted. This may have been a very ill conceived attempt to permit web browsing, but it would be wrong even for that purpose.
Back to top
View user's profile Send private message
Xander314
n00b
n00b


Joined: 16 Apr 2012
Posts: 39

PostPosted: Wed Oct 02, 2013 12:08 am    Post subject: Reply with quote

Hu wrote:
Ant P. wrote:
The first line is an example rule for running a local webserver.
It is worse than that. You would be correct if the author had used --dport, but since he used --sport, this means that any unsolicited connection with a source port of 80 is permitted. This may have been a very ill conceived attempt to permit web browsing, but it would be wrong even for that purpose.

That is good to know. If the wiki article is unreliable, I'd like to check if the second line,
Code:
 iptables -A -m conntrack --ctstate --state ESTABLISHED,RELATED -j ACCEPT

is okay too - it looks okay to me but I'm new to this networking stuff. Is this rule the best (most secure) way of allowing web browsing?

olek wrote:
I can really recommend one of Archs articles here:
https://wiki.archlinux.org/index.php/Simple_stateful_firewall

Thanks - I'll read that in the morning when I'm less tired ;)
Back to top
View user's profile Send private message
olek
Apprentice
Apprentice


Joined: 22 Oct 2011
Posts: 161

PostPosted: Wed Oct 02, 2013 12:17 am    Post subject: Reply with quote

Yes,
Code:
iptables -A -m conntrack --ctstate --state ESTABLISHED,RELATED -j ACCEPT

is perfectly fine and considered the best way to go AFAIK.
_________________
https://cosmofox.net/gen2
Back to top
View user's profile Send private message
PaulBredbury
Watchman
Watchman


Joined: 14 Jul 2005
Posts: 7310

PostPosted: Wed Oct 02, 2013 12:25 am    Post subject: Reply with quote

Hu wrote:
it would be wrong

Yeah. I've fixed the wiki entry.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum