[ale] iptables issue

Jason Lunz lunz at falooley.org
Mon Jul 17 11:39:52 EDT 2006 

jimpop at yahoo.com said:
> Jason Lunz wrote:
>> jimpop at yahoo.com said:
>>> I have an issue wrt iptables.  I use iptables to allow/deny access to a 
>>> website.  The tables are intended to allow all in to port 80 at address 
>>> WW.XX.YY.ZZ, and all replies back out from port 80 on same address.
>>>
>>> The command line used to create the rules is this:
>>>
>>> iptables -A INPUT -p tcp -d WW.XX.YY.ZZ --dport http
>>>       -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
>>> iptables -A OUTPUT -p tcp -s WW.XX.YY.ZZ --sport http
>>>       -m state --state RELATED,ESTABLISHED -j ACCEPT
>> 
>> the second rule is superfluous. It's implied by the ESTABLISHED in the
>> first rule.
>
> Are you sure of that?  Every firewall example I've ever seen shows rules 
> for both directions.

yes, I'm sure. This is what connection tracking does. The INPUT --dport
http rule allows the connection to be established; after that, it's the
kernel's job to keep track of which packets belong to the connection.

The way you ask the conntrack module whether a packet is part of an
established session is with "--state ESTABLISHED". It's intended to be
used like this:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -d WW.XX.YY.ZZ --dport http \
	-m state --state NEW -j ACCEPT

In the above configuration, ONLY packets that are part of inbound port
80 tcp connections are allowed in or out.

The alternative is not to use connection tracking; this is called
stateless firewalling. The corresponding stateless configuration is like
this:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -p tcp -d WW.XX.YY.ZZ --dport http -j ACCEPT
iptables -A OUTPUT -p tcp -s WW.XX.YY.ZZ --sport http -j ACCEPT

Your example is mixing stateful and stateless firewalling, so it doesn't
really make any sense. The advantage of stateful firewalling is that
it's more precise; the disadvantage is that it's slower. But there's no
reason I can think of to do both.

> OUTPUT BLOCKED: IN= OUT=eth1 SRC=WW.XX.YY.ZZ DST=AA.BB.CC.DD LEN=255 
> TOS=0x00 PREC=0x00 TTL=64 ID=52863 DF PROTO=TCP SPT=80 DPT=4091 
> WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0

This is a packet from the webserver to a client sent as part of a
connection shutdown. I'd guess it was logged because the conntrack
module already considered the connection ended, and your OUTPUT chain
abvoe only accepts packets from established connections. It's harmless;
these kinds of things can result, for example, from the conntrack code
having different connection timeouts than the actual tcp stacks
involved.

Jason

More information about the Ale mailing list