iptables question: default DROP policy and TCP Three Way Handshake
My default policy for an iptables config I am working on is as follows:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
I understand that in most cases, because the OUTPUT chain default policy is DROP, 2 rules are required so traffic can flow both ways (INPUT and OUTPUT) - basically, everything that requires thoroughfare must be whitelisted.
My question is regarding the TCP Three Way Handshake - currently the only rule I have for it is:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
I believe I need an OUTPUT rule to allow the initial SYN packet out and also one to allow the final ACK packet. I was wondering if someone could help me to craft the most restrictive rules possible to allow this.
Here is what I have so far:
This is the conventional example I have seen:
iptables -A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
Can I get away with just this? If not, why not?
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
Is something like this possible in place of the above?
iptables -A OUTPUT -p tcp -m tcp --tcp-flags SYN SYN -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
(not sure if I have the right flags - advice is welcome)
Thanks in advance.
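As an added illustration (not part of the question and not netfilter code), a small Python model of how the state-based and the --tcp-flags-based OUTPUT rule sets above behave on the handshake and on a packet that belongs to no tracked connection. The `Packet`, `Tracker` and `run` names, the sample addresses and the deliberately simplified conntrack model are assumptions of this example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    direction: str    # "out" = OUTPUT chain, "in" = INPUT chain
    flow: tuple       # (local_ip, local_port, remote_ip, remote_port)
    flags: frozenset  # names of the TCP flags that are set

def tcp_flags_match(mask, comp):
    """Mirror of `--tcp-flags mask comp`: flags inside mask must equal comp."""
    mask, comp = frozenset(mask), frozenset(comp)
    return lambda pkt, state: (pkt.flags & mask) == comp

def state_match(*states):
    """Mirror of `-m state --state a,b`: conntrack state must be one of them."""
    return lambda pkt, state: state in states

@dataclass
class Tracker:
    """Simplified conntrack (an assumption of this example): a bare SYN with no entry
    is NEW, any packet of a known flow is ESTABLISHED, anything else is INVALID.
    RELATED, timeouts and nf_conntrack_tcp_loose pickup are left out."""
    entries: set = field(default_factory=set)
    def classify(self, pkt):
        if pkt.flow in self.entries:
            return "ESTABLISHED"
        if pkt.flags == frozenset({"SYN"}):
            self.entries.add(pkt.flow)
            return "NEW"
        return "INVALID"

def run(packets, output_rules, input_rules):
    """One ACCEPT/DROP verdict per packet; both chains default to DROP as in the post."""
    tracker, verdicts = Tracker(), []
    for pkt in packets:
        state = tracker.classify(pkt)
        rules = output_rules if pkt.direction == "out" else input_rules
        verdicts.append("ACCEPT" if any(r(pkt, state) for r in rules) else "DROP")
    return verdicts

# Constructed sample traffic: a client-side handshake, then a lone outbound ACK
# that belongs to no tracked connection.
FLOW = ("10.0.0.2", 40000, "203.0.113.5", 443)
HANDSHAKE = [Packet("out", FLOW, frozenset({"SYN"})),
             Packet("in", FLOW, frozenset({"SYN", "ACK"})),
             Packet("out", FLOW, frozenset({"ACK"}))]
STRAY_ACK = [Packet("out", ("10.0.0.2", 40001, "198.51.100.9", 22), frozenset({"ACK"}))]
INPUT_RULES = [state_match("ESTABLISHED", "RELATED")]            # the post's INPUT rule
STATE_OUTPUT = [state_match("NEW", "ESTABLISHED")]                 # --state NEW,ESTABLISHED
FLAG_OUTPUT = [tcp_flags_match({"SYN"}, {"SYN"}), tcp_flags_match({"ACK"}, {"ACK"})]
SYN_ONLY = tcp_flags_match({"SYN", "RST", "ACK", "FIN"}, {"SYN"})  # what --syn expands to
```

Both rule sets pass the handshake, but the flag-based set also accepts the stray ACK (any packet with ACK set) and `--tcp-flags SYN SYN` also matches SYN/ACK, whereas the conntrack-based rule only accepts packets of a connection it has seen open.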