IPTables Statefulness (-m state --state):
IPTables provides stateful filtering. A stateful firewall is considered more secure than a stateless one because it tracks connections and can tell whether a packet belongs to a new, established, related or invalid session. Rules written against these states are both shorter and stricter than the port-and-flag matching a stateless filter has to rely on: instead of opening every high port for return traffic, we accept only what is a reply to something this host started.
State Module:
# rpm -ql iptables | grep -i conntrack
/lib/iptables/libipt_conntrack.so
The -m state match itself is in the sibling file libipt_state.so (libxt_state.so under /lib/xtables on newer iptables builds); libipt_conntrack.so is the -m conntrack match, which exposes the same four states through --ctstate plus extra criteria and is the form current iptables documentation recommends. Both are thin front-ends for the kernel's connection-tracking module (ip_conntrack, later nf_conntrack), which is what actually makes IPTables stateful. It tracks all protocols: TCP, UDP and ICMP with protocol-specific logic, and anything else with a generic tracker.
The states are:
NEW (the first packet of a connection; for TCP normally the initial SYN)
ESTABLISHED (any packet, in either direction, once a reply has been seen)
RELATED (a new connection that conntrack can tie to an existing one, such as an ICMP error or an FTP data channel)
INVALID (a packet that cannot be associated with any connection, for example a stray ACK with a bad sequence number or an ICMP error referring to no known connection)
When a host opens a TCP or UDP session, IPTables can follow that connection. For TCP it watches the three-way handshake (SYN, SYN-ACK, ACK): the first packet is labelled NEW, and as soon as a reply has been seen in the other direction the connection is ESTABLISHED. RELATED is not a later stage of the same connection but a separate new connection that conntrack links to an existing one (an ICMP error referring to it, or an FTP data channel opened by a tracked control channel when the ip_conntrack_ftp helper is loaded). UDP and ICMP have no handshake, so their first packet is NEW and the entry becomes ESTABLISHED once a reply passes in the opposite direction. One caveat for TCP: with the default net.netfilter.nf_conntrack_tcp_loose=1 the tracker will also pick up a connection mid-stream, so a bare ACK with no prior SYN can be classified NEW; rules that accept NEW on TCP should therefore also require --syn.
Example:
Permit this host to initiate connections and deny other hosts from initiating traffic to it.
# Default policy: drop all connections
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# State Rule
# iptables -A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
This lets the host open NEW connections to the outside and keep sending on ESTABLISHED ones, for any tracked protocol (TCP, UDP, ICMP).
# iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
Once this host has initiated traffic to another machine, the replies are permitted when they come back, again for any tracked protocol. Note that RELATED is not listed here, so an ICMP error about one of our own connections (port-unreachable, fragmentation-needed) is dropped by the policy; adding RELATED to this rule is the usual practice.
End Result:
The host can open any connection to the outside (NEW and ESTABLISHED are allowed in the OUTPUT chain).
Every new connection arriving from outside is dropped: the INPUT chain has no NEW rule, only ESTABLISHED, and the default policy is DROP, so only replies to connections initiated by this host get in. Two things to keep in mind with this ruleset: loopback traffic goes through the same chains, so a local client talking to a local daemon is dropped by the INPUT policy unless you add -A INPUT -i lo -j ACCEPT (and its OUTPUT counterpart), and a packet classified INVALID matches neither rule and falls through to the DROP policy, which is the behaviour you want.
The details of the connection tracking are stored in
# cat /proc/net/ip_conntrack
On newer kernels the same table is /proc/net/nf_conntrack (it appears once the nf_conntrack module is loaded), and the conntrack tool from conntrack-tools (conntrack -L) reads it through netlink. The table lists every tracked connection, not only ESTABLISHED ones: each entry gives the protocol, the remaining timeout, the TCP state where applicable, the source and destination addresses and ports of the original direction followed by those of the reply direction, and flags such as [UNREPLIED] (no reply seen yet) and [ASSURED] (traffic seen in both directions, so the entry is not evicted early when the table fills). Per-direction packet and byte counters are shown only when connection accounting is enabled (net.netfilter.nf_conntrack_acct=1).
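As an added example (not from the original post), a small reader for that table: it reduces each conntrack entry to the fields that matter for the policy above and then lists the entries whose original direction was opened by some other host, which is exactly what the INPUT rules are meant to prevent. The sample table is constructed for the example, in the /proc/net/nf_conntrack layout, and 192.0.2.10 is assumed to be this host's address.

```shell
#!/bin/sh
# Added example: summarise conntrack entries and flag connections that a
# remote host initiated. Sample input is constructed, not captured.

# Constructed /proc/net/nf_conntrack lines (column padding collapsed):
# an outbound HTTPS session, an outbound SSH still in SYN_SENT, a DNS
# lookup, an unanswered ping, and an inbound SSH session someone opened
# towards this host.
sample_conntrack() {
cat <<'EOF'
ipv4 2 tcp 6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=51234 dport=443 src=198.51.100.5 dst=192.0.2.10 sport=443 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 117 SYN_SENT src=192.0.2.10 dst=198.51.100.7 sport=51250 dport=22 [UNREPLIED] src=198.51.100.7 dst=192.0.2.10 sport=22 dport=51250 mark=0 zone=0 use=2
ipv4 2 udp 17 29 src=192.0.2.10 dst=192.0.2.1 sport=40000 dport=53 src=192.0.2.1 dst=192.0.2.10 sport=53 dport=40000 mark=0 zone=0 use=2
ipv4 2 icmp 1 29 src=192.0.2.10 dst=198.51.100.9 type=8 code=0 id=1234 [UNREPLIED] src=198.51.100.9 dst=192.0.2.10 type=0 code=0 id=1234 mark=0 zone=0 use=2
ipv4 2 tcp 6 431999 ESTABLISHED src=203.0.113.4 dst=192.0.2.10 sport=40222 dport=22 src=192.0.2.10 dst=203.0.113.4 sport=22 dport=40222 [ASSURED] mark=0 zone=0 use=2
EOF
}

# ct_summary: read conntrack lines on stdin, print one line per entry with
# protocol, TCP state (or "-"), the original-direction tuple, and whether
# a reply has been seen and the entry is assured. The first src=/dst= pair
# is the original direction; the second pair is the reply direction.
ct_summary() {
    awk '{
        proto = $3
        state = ($3 == "tcp") ? $6 : "-"
        n = 0; osrc = ""; odst = ""; replied = "yes"; assured = "no"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/) n++
            if (n == 1 && $i ~ /^src=/) osrc = substr($i, 5)
            if (n == 1 && $i ~ /^dst=/) odst = substr($i, 5)
            if ($i == "[UNREPLIED]") replied = "no"
            if ($i == "[ASSURED]") assured = "yes"
        }
        printf "proto=%s state=%s orig_src=%s orig_dst=%s replied=%s assured=%s\n",
               proto, state, osrc, odst, replied, assured
    }'
}

# ct_foreign_initiated LOCAL_IP: entries whose original direction did not
# start at this host. With the ruleset above (no NEW accepted on INPUT)
# this list should be empty on a standalone host; anything listed got in
# through a rule that accepts NEW or was tracked before the rules loaded.
ct_foreign_initiated() {
    ct_summary | awk -v me="$1" '{ split($3, a, "="); if (a[2] != me) print }'
}

case "${1-}" in
    demo) sample_conntrack | ct_summary; echo '--- initiated remotely:'
          sample_conntrack | ct_foreign_initiated 192.0.2.10 ;;
    live) cat /proc/net/nf_conntrack | ct_foreign_initiated "$2" ;;
esac
```

On a real machine run it as `sh ctcheck.sh live <this host's IP>`; on a router, where forwarded flows also appear in the table, filter on the interface or address range you care about instead of a single local address.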