Iptables state tracking

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Posted by complexgeek on Server Fault See other posts from Server Fault or by complexgeek
Published on 2010-10-06T08:41:57Z Indexed on 2010/12/28 22:55 UTC
Read the original article Hit count: 124

Filed under:
|
|

Hi there.

I've just taken over administration of a fairly complex firewall ruleset for a firewall box running Fedora Core 12, and there's one thing about it that is puzzling me.

When I run nmap on the gateway from outside the network, I see all the expected services, but also sunrpc on port 111. The INPUT chain has DEFAULT DROP set, and there is no rule allowing port 111. As best I can tell (watching the packet counters before/during/after the scan) it's being allowed by the rule: "-m state --state RELATED,ESTABLISHED -j ACCEPT" but I don't understand why a brand new TCP connection would be considered RELATED or ESTABLISHED.

Any suggestions would be greatly appreciated.

EDIT:

Conntrack modules:

nf_conntrack_netlink    14925  0 
nfnetlink               3479  1 nf_conntrack_netlink
nf_conntrack_irc        5206  1 nf_nat_irc
nf_conntrack_proto_udplite     3138  0 
nf_conntrack_h323      62110  1 nf_nat_h323
nf_conntrack_proto_dccp     6878  0 
nf_conntrack_sip       16921  1 nf_nat_sip
nf_conntrack_proto_sctp    11131  0 
nf_conntrack_pptp      10673  1 nf_nat_pptp
nf_conntrack_sane       5458  0 
nf_conntrack_proto_gre     6574  1 nf_conntrack_pptp
nf_conntrack_amanda     2796  1 nf_nat_amanda
nf_conntrack_ftp       11741  1 nf_nat_ftp
nf_conntrack_tftp       4665  1 nf_nat_tftp
nf_conntrack_netbios_ns     1534  0 
nf_conntrack_ipv6      18504  2 
ipv6                  279399  40 ip6t_REJECT,nf_conntrack_ipv6

INPUT chain on the filter table:

-A INPUT -s 192.168.200.10/32 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A INPUT -s 127.0.0.0/8 -i lo -j ACCEPT 
-A INPUT -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT 
-A INPUT -d 192.168.200.5/32 -i eth0 -j ACCEPT 
-A INPUT -d 192.168.1.2/32 -i eth0 -j ACCEPT 
-A INPUT -d {public_ip}/32 -i ppp0 -p tcp -m multiport --dports 22,80,443 -j ACCEPT 
-A INPUT -d {public_ip}/32 -i ppp0 -p tcp -m multiport --sports 22,25,80,443 -j ACCEPT 
-A INPUT -d {public_ip}/32 -i ppp0 -p udp -m udp --dport 1194 -j ACCEPT 
-A INPUT -d {public_ip}/32 -i ppp0 -p udp -m udp --sport 1194 -j ACCEPT 
-A INPUT -d {public_ip}/32 -i ppp0 -p udp -m multiport --sports 53,123 -j ACCEPT 
-A INPUT -d {public_ip}/32 -i ppp0 -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A INPUT -i eth0 -m state --state NEW -j ACCEPT 
-A INPUT -d {public_ip}/32 -m state --state NEW -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

eth0 is connected to the internal network, eth3 is connected to an ADSL modem in bridge mode, ppp0 is the WAN connection tunneled over eth3.

© Server Fault or respective owner

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Related posts about linux

Related posts about iptables

Categories cloud

.NET ASP.NET iphone linux python Windows mysql android sql windows-7 html c ruby-on-rails css objective-c ubuntu networking sql-server wpf asp.net-mvc ruby database Xml apache AJAX osx security regex django Performance 12.04 windows-xp mac web-development iphone-sdk vb.net Silverlight apache2 flash server perl best-practices email installation eclipse visual-studio algorithm windows-server-2008 winforms wcf firefox bash dns /Oracle