- 02-24-2011 #1
iptables question
I'm trying to set up and configure a server entirely with text only run mode 3 on a virtual machine so I can redo my current live server. I'm now trying to set up the firewall of the system using iptables. I've read up on it and came up with the following:
-clear all rules
#iptables -F
-set default policy rules
#iptables --policy INPUT DROP
#iptables --policy FORWARD DROP
-Allow loopback connections
#iptables -A INPUT -i lo -j ACCEPT
-append input rules
-Allow established connections
#iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-Allow SSH default port
#iptables -A INPUT -p tcp --dport 22 -j ACCEPT
-Allow HTTP port
#iptables -A INPUT -p tcp --dport 80 -j ACCEPT
-save iptables rules
#service iptables save
Everything above worked for me but just out of interest I looked at my live server which was configured using a GUI. I ran iptables-save and it was pretty much the same but its port open lines read like this:
#iptables -A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
So finally, my question is: do I really need the "-m state --state NEW"? Wouldn't having that drop established connections on those ports? I'm just confused as to what exactly the NEW state is doing and whether it would make a difference if I didn't include it.
- 02-25-2011 #2
The answer to this question is YES. You should be using the '--state NEW' in your rules, as this adds that connection to the connection_tracking DB so that the rule with 'ESTABLISHED,RELATED' knows that packets coming from the host on port x are allowed without reading all the rules every time a packet arrives.
NEW, ESTABLISHED, RELATED and INVALID are all used for connection tracking, and that is the proper way to configure your rules today.
- 02-25-2011 #3
Ah, so putting the --state NEW will use less system resources, right? I'm assuming these established connections time out eventually.
So another quick question: would that mean if I did
#iptables --policy OUTPUT DROP
all attempts to send out data would be dropped unless the requested incoming connection was established with "--state NEW"? But without "--state NEW" the server would never be able to send out packets. Am I understanding this correctly?
- 02-25-2011 #4
Not necessarily. Just faster. A lookup is a lookup.
NEW and ESTABLISHED,RELATED rules work hand in hand. If you set the policy to DROP and don't have an output ESTABLISHED,RELATED rule set, all communication will stop, as all outgoing packets will be dropped.
So another quick question: would that mean if I did
#iptables --policy OUTPUT DROP
all attempts to send out data would be dropped unless the requested incoming connection was established with "--state NEW"? But without "--state NEW" the server would never be able to send out packets. Am I understanding this correctly?
It doesn't work just because you have a NEW rule. You need a counter ESTABLISHED,RELATED rule also for both directions. Once a connection has been started and the handshake completed, the NEW rule no longer applies.
Here is some reading for you: IPTABLES TUTORIAL
- 02-26-2011 #5
Ah, I think I understand now. Thanks a lot.
It would seem because I did
#iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
I would need
#iptables -A OUTPUT -m state --state NEW -j ACCEPT
to work with it, but I guess it just assumes that if it is left unspecified.
- 02-26-2011 #6
OUTPUT NEW would place the connection into the connection tracking DB and thus allow INPUT ESTABLISHED,RELATED to allow the connection to pass without checking any other rules.
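To make the point of replies #4 and #6 concrete, here is an added toy model of connection tracking and the state match (written for this page; it is not code from the thread or from the iptables project). The addresses are constructed, rules are walked first match wins as in a real chain, and the model knows only NEW and ESTABLISHED (no RELATED, INVALID or timeouts).

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    chain: str          # "INPUT" (arriving at the server) or "OUTPUT" (leaving it)
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Rule:
    chain: str
    states: Optional[set] = None   # -m state --state ...; None means no state match
    dport: Optional[int] = None    # --dport; None means any port
    target: str = "ACCEPT"

class Firewall:
    def __init__(self, rules, policy):
        self.rules, self.policy = rules, policy
        self.conntrack = set()     # flows the connection tracking table knows about
    @staticmethod
    def _key(p):
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})  # same key both ways
    def filter(self, p):
        state = "ESTABLISHED" if self._key(p) in self.conntrack else "NEW"  # classified first
        verdict = self.policy[p.chain]   # policy applies when no rule matches
        for r in self.rules:
            if r.chain != p.chain or (r.states and state not in r.states):
                continue
            if r.dport is not None and p.dport != r.dport:
                continue
            verdict = r.target
            break
        if verdict == "ACCEPT":          # an accepted NEW packet confirms the entry
            self.conntrack.add(self._key(p))
        return verdict

def serve_http_handshake(output_states):
    """Verdicts for SYN (in), SYN-ACK (out), ACK (in) of one HTTP connection;
    output_states is the --state set of the only OUTPUT rule, None for no rule."""
    rules = [Rule("INPUT", {"RELATED", "ESTABLISHED"}), Rule("INPUT", {"NEW"}, 80)]
    if output_states is not None:
        rules.append(Rule("OUTPUT", set(output_states)))
    fw = Firewall(rules, {"INPUT": "DROP", "OUTPUT": "DROP"})  # both policies DROP
    client, server = ("203.0.113.5", 40000), ("198.51.100.10", 80)   # constructed
    pkts = [Packet("INPUT", *client, *server), Packet("OUTPUT", *server, *client),
            Packet("INPUT", *client, *server)]
    return [fw.filter(p) for p in pkts]
```

With an OUTPUT rule for RELATED,ESTABLISHED all three packets are accepted; with an OUTPUT rule for NEW only, or no OUTPUT rule, the server's own SYN-ACK is dropped because conntrack already classifies it as ESTABLISHED.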