Xander314 n00b
Joined: 16 Apr 2012 Posts: 61
Posted: Tue Oct 01, 2013 5:41 pm Post subject: Gentoo Wiki - IPTables
I wanted to set up a firewall before going to university, so I followed the Gentoo Wiki's IPTables article as a starting point. The default policy for INPUT is set to DROP. Then the following two rules are applied:
Code:
iptables -A INPUT -i eth0 -p tcp --sport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
I understand that the second line only allows packets associated with established connections, which I assume are established via outgoing connections.
I am not sure what the first line does. It appears to allow standard HTTP connections in, but I can browse the web just fine without it. As I understand it, when browsing the web, my browser creates an outgoing connection (which is allowed by default) and then the resulting returned connection is also allowed as it is related to the existing connection (state RELATED or ESTABLISHED). Given that, why is the first line necessary at all?
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Tue Oct 01, 2013 7:24 pm
The first line is an example rule for running a local webserver.
Xander314 n00b
Joined: 16 Apr 2012 Posts: 61
Posted: Tue Oct 01, 2013 8:02 pm
Thanks for the info. I'll just use the other line then.
olek Apprentice
Joined: 22 Oct 2011 Posts: 173
Hu Moderator
Joined: 06 Mar 2007 Posts: 21633
Posted: Tue Oct 01, 2013 9:01 pm
Ant P. wrote: | The first line is an example rule for running a local webserver. |
It is worse than that. You would be correct if the author had used --dport, but since he used --sport, this means that any unsolicited connection with a source port of 80 is permitted. This may have been a very ill-conceived attempt to permit web browsing, but it would be wrong even for that purpose.
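To make Hu's point concrete, here is an added example that is not from the wiki and not from anyone in this thread: a small Python evaluator for the handful of iptables INPUT-chain options the quoted rules use (-A, -p, -i, --sport, --dport, --syn, -m conntrack --ctstate, -j). It parses the wiki's --sport 80 rule and a --dport 80 variant, runs three constructed packets through each rule set with the INPUT policy set to DROP, and flags any ACCEPT rule that lets NEW connections in on nothing but the remote side's source port. The rule strings, packets and the audit heuristic are all constructed for the example; nothing here touches the real netfilter tables.

```python
# Added example (not code from the wiki or from anyone in this thread): a toy
# evaluator for the iptables INPUT-chain options used in the quoted rules,
# showing why accepting NEW connections on `--sport 80` admits unsolicited
# traffic while `--dport 80` is what a local webserver actually needs.
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """The few packet attributes these rules inspect (constructed test input)."""
    proto: str          # "tcp" or "udp"
    sport: int          # source port: chosen by the remote host, not by us
    dport: int          # destination port on our machine
    ctstate: str        # conntrack state: NEW, ESTABLISHED, RELATED or INVALID
    syn: bool = False   # True for a TCP connection-opening SYN


def parse_rule(rule: str) -> dict:
    """Parse the subset of iptables syntax used in the thread; anything else raises."""
    toks = shlex.split(rule)
    if toks and toks[0] == "iptables":
        toks = toks[1:]
    m = {"chain": None, "target": None, "proto": None, "sport": None,
         "dport": None, "syn": False, "ctstate": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in ("-A", "-p", "-i", "--sport", "--dport", "-m", "--ctstate", "-j"):
            if i + 1 >= len(toks):
                raise ValueError(f"{t} needs an argument in {rule!r}")
            arg, i = toks[i + 1], i + 2
        else:
            arg, i = None, i + 1
        if t == "-A":
            m["chain"] = arg
        elif t == "-p":
            m["proto"] = arg
        elif t == "-i":
            pass  # interface match is not modelled in this toy
        elif t in ("--sport", "--dport"):
            if m["proto"] not in ("tcp", "udp"):
                raise ValueError(f"{t} needs -p tcp or -p udp before it: {rule!r}")
            m[t.lstrip("-")] = int(arg)
        elif t == "--syn":
            m["syn"] = True
        elif t == "-m":
            if arg != "conntrack":
                raise ValueError(f"unsupported match module {arg!r}")
        elif t == "--ctstate":
            m["ctstate"] = frozenset(arg.split(","))
        elif t == "-j":
            m["target"] = arg
        else:
            raise ValueError(f"unsupported option {t!r} in {rule!r}")
    if m["chain"] is None or m["target"] is None:
        raise ValueError(f"rule needs -A <chain> and -j <target>: {rule!r}")
    return m


def matches(rule: dict, pkt: Packet) -> bool:
    """Every match clause present in the rule must hold for the packet."""
    return ((rule["proto"] is None or rule["proto"] == pkt.proto)
            and (rule["sport"] is None or rule["sport"] == pkt.sport)
            and (rule["dport"] is None or rule["dport"] == pkt.dport)
            and (not rule["syn"] or pkt.syn)
            and (rule["ctstate"] is None or pkt.ctstate in rule["ctstate"]))


def verdict(rules: list, pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule wins, as in a real chain; otherwise the chain policy."""
    for r in rules:
        if matches(r, pkt):
            return r["target"]
    return policy


def audit(rules: list) -> list:
    """Flag INPUT ACCEPT rules that admit NEW connections matched only on the
    remote side's source port (a constructed heuristic for Hu's point)."""
    findings = []
    for r in rules:
        admits_new = r["ctstate"] is None or "NEW" in r["ctstate"]
        if (r["chain"] == "INPUT" and r["target"] == "ACCEPT" and admits_new
                and r["sport"] is not None and r["dport"] is None):
            findings.append(f"accepts NEW connections from any host using source port {r['sport']}")
    return findings


# Constructed rule sets: the wiki rule as quoted in the thread, and the --dport form.
WIKI_RULES = [
    "iptables -A INPUT -i eth0 -p tcp --sport 80 --syn -m conntrack --ctstate NEW -j ACCEPT",
    "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
]
FIXED_RULES = [
    "iptables -A INPUT -i eth0 -p tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT",
    "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
]

# Constructed packets: an unsolicited SYN at sshd whose sender chose source
# port 80, the reply to a browser's outgoing request, and a client of a local webserver.
PROBES = {
    "unsolicited SYN to port 22 from sport 80": Packet("tcp", 80, 22, "NEW", syn=True),
    "reply to our outgoing HTTP request": Packet("tcp", 80, 51234, "ESTABLISHED"),
    "client connecting to our webserver": Packet("tcp", 51234, 80, "NEW", syn=True),
}


def compare(rule_strings: list) -> dict:
    """Verdict for each probe under the given rules, with INPUT policy DROP."""
    rules = [parse_rule(r) for r in rule_strings]
    return {name: verdict(rules, pkt) for name, pkt in PROBES.items()}


if __name__ == "__main__":
    for label, rs in (("wiki --sport 80", WIKI_RULES), ("fixed --dport 80", FIXED_RULES)):
        print(label, compare(rs), audit([parse_rule(r) for r in rs]))
```

Under the wiki rule set the SYN to port 22 is accepted as long as the sender used source port 80, which any client can choose, and a genuine client of a local webserver is dropped; under the --dport form the unsolicited SYN falls through to the DROP policy, the webserver client is accepted, and the reply to our own outgoing request is accepted by the ESTABLISHED,RELATED rule in both cases.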
Xander314 n00b
Joined: 16 Apr 2012 Posts: 61
Posted: Wed Oct 02, 2013 12:08 am
Hu wrote: | Ant P. wrote: | The first line is an example rule for running a local webserver. | It is worse than that. You would be correct if the author had used --dport, but since he used --sport, this means that any unsolicited connection with a source port of 80 is permitted. This may have been a very ill-conceived attempt to permit web browsing, but it would be wrong even for that purpose. |
That is good to know. If the wiki article is unreliable, I'd like to check if the second line,
Code:
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
is okay too - it looks okay to me but I'm new to this networking stuff. Is this rule the best (most secure) way of allowing web browsing?
Thanks - I'll read that in the morning when I'm less tired.
olek Apprentice
Joined: 22 Oct 2011 Posts: 173
Posted: Wed Oct 02, 2013 12:17 am
Yes,
Code:
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
is perfectly fine and considered the best way to go AFAIK.
_________________
https://plaintext.blog
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Wed Oct 02, 2013 12:25 am
Hu wrote: | it would be wrong |
Yeah. I've fixed the wiki entry.