Friday, October 30, 2009

Linux Security Notes 15: IPTables 4: IPTables Statefulness

IPTables Statefulness (-m state --state):
    IPTables provides statefulness. A stateful firewall is considered more secure than a stateless firewall because of its connection tracking capability: it can determine whether a packet belongs to a session that is NEW, RELATED, ESTABLISHED or INVALID. Based on these criteria we can create more powerful rules.
State Module:
# rpm -ql iptables | grep -i conntrack

    This is the module that makes IPTables behave statefully. It is applicable to all protocols (TCP/UDP/ICMP).
The states are:
NEW (the first SYN packet of a session)

    When a user creates a TCP/UDP based session, IPTables can follow the connection. IPTables keeps track of the SYN, SYN-ACK and ACK exchange and labels the traffic NEW (for the SYN) and ESTABLISHED or RELATED (for all subsequent packets of the connection).

Permit our host to initiate connections and deny other hosts from initiating traffic to our host.
# Default Policy to Drop All connection
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP

# State Rule
# iptables -A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
    This allows our host to create NEW sessions (SYN) with the outside and to continue ESTABLISHED connections, regardless of protocol (UDP/TCP).
# iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
    After our host initiates traffic to any other machine, the return traffic is permitted when it comes back, regardless of protocol (UDP/TCP).
End result:
The host will be able to make all connections to the outside (NEW and ESTABLISHED are allowed in the OUTPUT chain).
All new connections coming to our system will be dropped: no NEW state is accepted in the INPUT chain, only ESTABLISHED, and the default policy is DROP, so only connections initiated by our host are allowed.

The details of the connection tracking are stored in
# cat /proc/net/ip_conntrack

    This file contains the status of all tracked connections in the system, for all protocols: the number of packets transmitted, the source and destination addresses, the source and destination ports, etc.
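As an added example (not from the original post), the following Python parses entries in the format of /proc/net/ip_conntrack and audits them against the policy above: every tracked connection should have been initiated by our host, so any entry whose original direction targets our address means some rule accepted a NEW inbound packet. The conntrack lines, the local address 192.0.2.10 and the packets=/bytes= counters (present only when conntrack accounting is enabled) are constructed assumptions.

```python
# Added example: parse /proc/net/ip_conntrack entries and audit them against
# the "only our host may open sessions" policy. Not code from the original post.
from typing import Dict, List

# Constructed sample in the legacy /proc/net/ip_conntrack format.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=51234 dport=443 packets=15 bytes=2345 src=198.51.100.5 dst=192.0.2.10 sport=443 dport=51234 packets=12 bytes=9876 [ASSURED] mark=0 use=1
udp      17 29 src=192.0.2.10 dst=192.0.2.1 sport=45000 dport=53 packets=1 bytes=60 src=192.0.2.1 dst=192.0.2.10 sport=53 dport=45000 packets=1 bytes=120 mark=0 use=1
tcp      6 120 SYN_SENT src=203.0.113.7 dst=192.0.2.10 sport=40000 dport=22 packets=1 bytes=60 [UNREPLIED] src=192.0.2.10 dst=203.0.113.7 sport=22 dport=40000 packets=0 bytes=0 mark=0 use=1
"""

OUR_HOST = "192.0.2.10"  # assumed local address of the firewalled host
TUPLE_KEYS = ("src", "dst", "sport", "dport", "packets", "bytes")


def parse_conntrack_line(line: str) -> Dict:
    """Split one entry into protocol, timeout, optional TCP state, the
    original and reply direction tuples, and the bracketed flags."""
    tokens = line.split()
    entry = {"proto": tokens[0], "timeout": int(tokens[2]), "state": None,
             "orig": {}, "reply": {}, "flags": []}
    # TCP entries carry a state word (ESTABLISHED, SYN_SENT, ...) before the tuples.
    if "=" not in tokens[3] and tokens[3].isupper():
        entry["state"] = tokens[3]
    direction = "orig"
    for tok in tokens[3:]:
        if tok.startswith("[") and tok.endswith("]"):
            entry["flags"].append(tok.strip("[]"))
        elif "=" in tok:
            key, value = tok.split("=", 1)
            if key == "src" and key in entry["orig"]:
                direction = "reply"  # second src= token starts the reply tuple
            if key in TUPLE_KEYS:
                entry[direction][key] = int(value) if value.isdigit() else value
    return entry


def parse_conntrack(text: str) -> List[Dict]:
    return [parse_conntrack_line(l) for l in text.splitlines() if l.strip()]


def externally_initiated(entries: List[Dict], local_ip: str) -> List[Dict]:
    """Entries whose original direction is aimed at our host. With no NEW
    accepted on INPUT, dropped SYNs are never confirmed into the table, so
    each hit indicates a rule that let an inbound session through."""
    return [e for e in entries if e["orig"].get("dst") == local_ip]


if __name__ == "__main__":
    for e in externally_initiated(parse_conntrack(SAMPLE_CONNTRACK), OUR_HOST):
        print(e["proto"], e["state"], e["orig"]["src"], "->", e["orig"]["dport"], e["flags"])
```

On a live system, replace SAMPLE_CONNTRACK with the contents of /proc/net/ip_conntrack (or /proc/net/nf_conntrack on newer kernels, which prefixes each line with the address family but keeps the same key=value layout).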
