[CLUE-Tech] iptables not allowing the ACCEPT target?
David Anselmi
anselmi at americanisp.net
Fri Nov 29 09:45:26 MST 2002
Jed S. Baer wrote:
> Hi Folks.
>
> Messing about with my firewall settings here, which might be just a little
> too tight. For example, not allowing an ftp data channel.
>
> My old setting, 1 line:
> -A INPUT -i ppp+ -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
[...]
> Seems I should be able to enter two rules in the input chain, and achieve
> the same thing, without creating another chain (I'm guessing the author
> created the 'block' chain so it could be called from both the INPUT and
> FORWARD chains).
>
> -A INPUT -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -i ppp+ -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
So to summarize your policy (i.e., what you want to happen), you are
protecting this one box only and you'd like it to be able to establish
connections to the Internet but not accept any, except for related
connections.

What is the policy on the INPUT chain? If it is DROP, you are probably
ok (and your second line is extraneous). If it is ACCEPT, your first
line is extraneous and you are allowing everything except new TCP
connections (e.g., UDP, ICMP).

Sadly the implementation of the state module doesn't seem to be
documented (well, I didn't look too hard and I don't have time to read
the source--which may be very well documented). So it's hard to say
what related means exactly, or what established means with UDP.

Why don't you just go with the example given? To apply it to the INPUT
chain only is still just 2 lines and using a DROP policy would seem to
fail more safely than ACCEPT.
Dave
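Added illustration (not from the original thread): a small Python model of how the two INPUT rules behave under a DROP versus an ACCEPT chain policy. It walks constructed packets (a new TCP SYN, an established TCP segment, a RELATED SYN such as active-mode FTP data, a new UDP datagram, a new ICMP echo) through the rules in order, first match wins, falling back to the chain policy. The conntrack states on the packets are assumed to have been assigned by the kernel's state module as described in the thread; nothing here talks to a real netfilter. Besides the DROP-policy case, it also checks what happens to a RELATED SYN when the policy is ACCEPT and only the second rule is present.

```python
"""Model of the two INPUT rules from the thread under different chain
policies.  Added example, not code from the original message; the
conntrack states are assumed inputs, not computed from real traffic."""

# The two rules, as match dictionaries.
# --tcp-flags SYN,RST,ACK SYN  ==> look at SYN,RST,ACK; only SYN may be set.
RULES = [
    {"iface": "ppp", "state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
    {"iface": "ppp", "proto": "tcp",
     "flags_mask": {"SYN", "RST", "ACK"}, "flags_set": {"SYN"},
     "target": "DROP"},
]


def matches(rule, pkt):
    """True when every match clause in the rule applies to the packet."""
    if not pkt["iface"].startswith(rule["iface"]):   # -i ppp+ is a prefix match
        return False
    if "proto" in rule and pkt["proto"] != rule["proto"]:
        return False
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    if "flags_mask" in rule:
        # Only the masked flags are compared against the expected set.
        if (pkt["flags"] & rule["flags_mask"]) != rule["flags_set"]:
            return False
    return True


def verdict(pkt, rules, policy):
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policy


# Constructed sample traffic arriving on ppp0 (states are assumed).
PACKETS = {
    "new tcp syn":      {"iface": "ppp0", "proto": "tcp", "flags": {"SYN"}, "state": "NEW"},
    "established tcp":  {"iface": "ppp0", "proto": "tcp", "flags": {"ACK"}, "state": "ESTABLISHED"},
    "related ftp-data": {"iface": "ppp0", "proto": "tcp", "flags": {"SYN"}, "state": "RELATED"},
    "new udp":          {"iface": "ppp0", "proto": "udp", "flags": set(), "state": "NEW"},
    "new icmp echo":    {"iface": "ppp0", "proto": "icmp", "flags": set(), "state": "NEW"},
}


def run(policy, rules=RULES):
    """Verdict for every sample packet under the given policy and rule list."""
    return {name: verdict(pkt, rules, policy) for name, pkt in PACKETS.items()}


def second_rule_extraneous_under_drop():
    """With policy DROP, dropping rule 2 changes no verdict."""
    return run("DROP") == run("DROP", RULES[:1])


def first_rule_needed_under_accept():
    """With policy ACCEPT, rule 1 is what lets a RELATED SYN through."""
    return run("ACCEPT", RULES[1:])["related ftp-data"] == "DROP"


if __name__ == "__main__":
    for policy in ("DROP", "ACCEPT"):
        print(f"policy {policy}:")
        for name, v in run(policy).items():
            print(f"  {name:18} -> {v}")
    print("rule 2 extraneous under DROP:", second_rule_extraneous_under_drop())
    print("rule 1 needed under ACCEPT:  ", first_rule_needed_under_accept())
```

Run it to see the verdict tables side by side: with policy DROP, only ESTABLISHED and RELATED traffic is accepted and rule 2 never changes an outcome; with policy ACCEPT, new UDP and ICMP are let in by the policy, and rule 1 is the only thing keeping a RELATED SYN (the active-mode FTP data channel the question was about) ahead of the SYN-dropping rule.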