Setting Up an Iptables Stateful Firewall

Source: Internet
Author: User
Keywords: iptables, stateful firewall, linux, set up iptables

First I need to explain what the "state" of a firewall means.

For example, if you use ssh for remote access, your host and the remote host exchange data.
A static (stateless) firewall handles this as follows:
It inspects each packet entering the machine, sees that its source port is 22, and lets it through. Once the connection is up, the data exchanged afterwards is treated the same way: every packet is checked, found to come from port 22, and allowed through.

What happens with a stateful firewall?
When you connect to the remote host successfully, your host records the connection. When data from the remote ssh server then arrives at your machine,
the firewall looks up its connection state table, finds that the data belongs to an established connection, and lets the packet in.

Comparing the two approaches, the static firewall is clearly more rigid, while the stateful firewall is more intelligent.

Now let's explain the states themselves:
NEW: when your host sends a connection request to a remote machine, that packet has the state NEW.
ESTABLISHED: once the connection is set up, the data exchanged between the remote host and your host has the state ESTABLISHED.
RELATED: a service such as ftp uses port 21 for commands and port 20 (active/port mode) or another port (PASV mode) for data. When a command is sent over the existing port 21 connection and a second connection is opened to carry the data, the data connection has the state RELATED, because it belongs to the existing control connection.

With that background, let's build the firewall step by step.
First, set the default policy:
iptables -P INPUT DROP
With this, your machine discards all data entering the host unless a later rule accepts it.

If the host is only a personal desktop, it provides no services, so we forbid other machines from sending any connection request to it:
iptables -A INPUT -m state --state NEW -j DROP

This rule discards every packet sent to your machine with the state NEW. Other machines can no longer initiate a connection to your machine, but you can still connect to others. That only covers the connection setup, though: the data exchanged after the connection is in the ESTABLISHED state, so we add one more rule.

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
This allows all traffic belonging to established connections, or related to them, to pass.


Let's summarize the three lines, since together they make a good firewall for a personal desktop host:
iptables -P INPUT DROP
#iptables -A INPUT -m state --state NEW -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
The second line is commented out because that rule can be omitted entirely: the default DROP policy already handles NEW packets.
Does it seem very simple? For a personal desktop, just those two lines make your host reasonably secure on the internet. You can browse the internet at will, but the outside cannot initiate a connection to your machine, which is really cool!
Of course, if your browser (IE) has a vulnerability, iptables is of no help; that is outside its scope.
We can see that stateful firewalls are "smarter" than static firewalls, and the rules are easier to set up as well.

If your host is a server, the next step is also simple. Suppose we run www and ftp services. Note that ftp in pasv mode uses a dynamic port to transmit data, not port 20. For a stateful firewall this is easy to handle even without knowing which ports ftp uses in pasv mode, because when the host transfers files to other hosts it recognizes that those data connections are RELATED.

Add the following after the previous rules (note the option is --dport with two dashes):
iptables -A INPUT -i ppp0 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp --dport 21 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp --dport 80 -j ACCEPT
Okay, our work is complete. Following the method of my last article, here is the final script with detailed comments:

#!/bin/bash
# define constants here
Accept_Ports="80 20 21" # our own service ports that the internet may reach

# init: flush all rules and delete user-defined chains
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# set the default rule here
iptables -P INPUT DROP

# allow inner network access (anything not arriving on ppp0)
iptables -A INPUT ! -i ppp0 -j ACCEPT

# set the stateful rule here; this is the most important rule
iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# set rules so that others can access services on your server
# ($Accept_Ports is left unquoted so the loop sees each port separately)
for Port in $Accept_Ports; do
    iptables -A INPUT -i ppp0 -p udp --dport ${Port} -j ACCEPT
    iptables -A INPUT -i ppp0 -p tcp --dport ${Port} -j ACCEPT
done

# these rules make your firewall reply politely instead of silently dropping
iptables -A INPUT -i ppp0 -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -i ppp0 -p udp -j REJECT --reject-with icmp-port-unreachable
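As an added example (not the article's own script), the following generator produces both rulesets from above, the personal desktop one and the www + ftp server one, with the command-line typos fixed. It prints the commands instead of applying them so they can be reviewed, or piped to sh as root, before touching a live host. It assumes the internet-facing interface is ppp0, as in the article, and notes the kernel helper that ftp PASV data needs to be seen as RELATED.

```shell
#!/bin/bash
# Added example, not the article's own script: generates the article's
# stateful ruleset with the command-line typos fixed and prints it instead
# of applying it, so it can be reviewed (or piped to sh as root) first.
# Assumed: the internet-facing interface is ppp0, as in the article.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-ppp0}"

# Print the iptables commands for a host that exposes the TCP ports in $1
# (space separated). An empty list gives the "personal desktop" ruleset.
build_rules() {
    local ports="$1" port
    # start from a clean filter table and default-deny inbound traffic
    echo "$IPT -F"
    echo "$IPT -X"
    echo "$IPT -P INPUT DROP"
    # loopback and the inner network are trusted (note the "! -i" syntax)
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    echo "$IPT -A INPUT ! -i $WAN_IF -j ACCEPT"
    # the stateful rule: replies to our own connections, plus RELATED
    # traffic such as ftp data connections. PASV data is only classified
    # RELATED when the conntrack ftp helper (nf_conntrack_ftp) is loaded.
    echo "$IPT -A INPUT -i $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # only NEW connections to the listed service ports may come in from outside
    for port in $ports; do
        echo "$IPT -A INPUT -i $WAN_IF -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # reject everything else politely instead of silently dropping it
    echo "$IPT -A INPUT -i $WAN_IF -p tcp -j REJECT --reject-with tcp-reset"
    echo "$IPT -A INPUT -i $WAN_IF -p udp -j REJECT --reject-with icmp-port-unreachable"
}

# Number of per-port ACCEPT rules build_rules emits for a port list.
count_port_rules() {
    build_rules "$1" | grep -c -- '--dport'
}

# Example: a www + ftp server, as in the article
build_rules "80 21"
```

Run it as `build_rules "" | sh` for the desktop ruleset, after loading nf_conntrack_ftp if ftp is served.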

Note:
Stateful firewalls need connection-tracking support in the kernel. Fortunately, most distributions ship with this feature enabled.
