Iptables state tracking

Posted by complexgeek on Server Fault
Published on 2010-10-06T08:41:57Z Indexed on 2010/12/28 22:55 UTC


Hi there.

I've just taken over administration of a fairly complex firewall ruleset for a firewall box running Fedora Core 12, and there's one thing about it that is puzzling me.

When I run nmap on the gateway from outside the network, I see all the expected services, but also sunrpc on port 111. The INPUT chain has DEFAULT DROP set, and there is no rule allowing port 111. As best I can tell (watching the packet counters before/during/after the scan) it's being allowed by the rule: "-m state --state RELATED,ESTABLISHED -j ACCEPT" but I don't understand why a brand new TCP connection would be considered RELATED or ESTABLISHED.

Any suggestions would be greatly appreciated.

EDIT:

Conntrack modules:

nf_conntrack_netlink    14925  0 
nfnetlink               3479  1 nf_conntrack_netlink
nf_conntrack_irc        5206  1 nf_nat_irc
nf_conntrack_proto_udplite     3138  0 
nf_conntrack_h323      62110  1 nf_nat_h323
nf_conntrack_proto_dccp     6878  0 
nf_conntrack_sip       16921  1 nf_nat_sip
nf_conntrack_proto_sctp    11131  0 
nf_conntrack_pptp      10673  1 nf_nat_pptp
nf_conntrack_sane       5458  0 
nf_conntrack_proto_gre     6574  1 nf_conntrack_pptp
nf_conntrack_amanda     2796  1 nf_nat_amanda
nf_conntrack_ftp       11741  1 nf_nat_ftp
nf_conntrack_tftp       4665  1 nf_nat_tftp
nf_conntrack_netbios_ns     1534  0 
nf_conntrack_ipv6      18504  2 
ipv6                  279399  40 ip6t_REJECT,nf_conntrack_ipv6

INPUT chain on the filter table:

-A INPUT -s 192.168.200.10/32 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A INPUT -s 127.0.0.0/8 -i lo -j ACCEPT 
-A INPUT -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT 
-A INPUT -d 192.168.200.5/32 -i eth0 -j ACCEPT 
-A INPUT -d 192.168.1.2/32 -i eth0 -j ACCEPT 
-A INPUT -d {public_ip}/32 -i ppp0 -p tcp -m multiport --dports 22,80,443 -j ACCEPT 
-A INPUT -d {public_ip}/32 -i ppp0 -p tcp -m multiport --sports 22,25,80,443 -j ACCEPT 
-A INPUT -d {public_ip}/32 -i ppp0 -p udp -m udp --dport 1194 -j ACCEPT 
-A INPUT -d {public_ip}/32 -i ppp0 -p udp -m udp --sport 1194 -j ACCEPT 
-A INPUT -d {public_ip}/32 -i ppp0 -p udp -m multiport --sports 53,123 -j ACCEPT 
-A INPUT -d {public_ip}/32 -i ppp0 -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A INPUT -i eth0 -m state --state NEW -j ACCEPT 
-A INPUT -d {public_ip}/32 -m state --state NEW -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 

eth0 is connected to the internal network, eth3 is connected to an ADSL modem in bridge mode, ppp0 is the WAN connection tunneled over eth3.
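Walking a constructed packet through the posted INPUT chain in first-match order, as an added example that is not part of the original post. To conntrack, a fresh SYN is NEW: ESTABLISHED requires an existing flow entry in either direction, and RELATED requires an expectation registered by one of the loaded helpers (nf_conntrack_ftp, nf_conntrack_sip, ...), so neither state can be the reason a brand-new connection is accepted. The evaluator below models only the match extensions used in the chain (-s, -d, -i, -p, tcp/udp ports, multiport, icmp-type, -m state) and a simplified conntrack; the public address 203.0.113.5 stands in for `{public_ip}` and the scanner address 198.51.100.7 is constructed, both from documentation ranges.

```python
"""First-match evaluator for the posted INPUT chain (added example, not the
original poster's code). Models: address/interface/protocol/port matching,
-m state, and a simplified conntrack with flows and helper expectations."""
from dataclasses import dataclass
import ipaddress
import shlex

PUBLIC_IP = "203.0.113.5"   # assumed placeholder for {public_ip} (TEST-NET-3)

# The INPUT chain exactly as posted, with the placeholder substituted.
INPUT_CHAIN = """
-A INPUT -s 192.168.200.10/32 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A INPUT -d 192.168.200.5/32 -i eth0 -j ACCEPT
-A INPUT -d 192.168.1.2/32 -i eth0 -j ACCEPT
-A INPUT -d {public_ip}/32 -i ppp0 -p tcp -m multiport --dports 22,80,443 -j ACCEPT
-A INPUT -d {public_ip}/32 -i ppp0 -p tcp -m multiport --sports 22,25,80,443 -j ACCEPT
-A INPUT -d {public_ip}/32 -i ppp0 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -d {public_ip}/32 -i ppp0 -p udp -m udp --sport 1194 -j ACCEPT
-A INPUT -d {public_ip}/32 -i ppp0 -p udp -m multiport --sports 53,123 -j ACCEPT
-A INPUT -d {public_ip}/32 -i ppp0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -j ACCEPT
-A INPUT -d {public_ip}/32 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
""".replace("{public_ip}", PUBLIC_IP)


@dataclass
class Packet:
    src: str
    dst: str
    iface: str
    proto: str              # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1
    state: str = "NEW"      # conntrack verdict: NEW, ESTABLISHED, RELATED


def parse_ports(spec):
    """'22', '67:68' or '22,80,443' -> list of (lo, hi) ranges."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def parse_rule(line):
    """Parse one iptables-save style rule into a dict of match criteria."""
    rule = {"src": None, "dst": None, "iface": None, "proto": None,
            "dports": None, "sports": None, "icmp_type": None,
            "states": None, "target": None}
    toks = shlex.split(line)
    i = 0
    while i < len(toks):
        opt, arg = toks[i], toks[i + 1]
        if opt in ("-A", "-m"):          # chain name / module name: no criteria
            pass
        elif opt == "-s": rule["src"] = ipaddress.ip_network(arg)
        elif opt == "-d": rule["dst"] = ipaddress.ip_network(arg)
        elif opt == "-i": rule["iface"] = arg
        elif opt == "-p": rule["proto"] = arg
        elif opt in ("--dport", "--dports"): rule["dports"] = parse_ports(arg)
        elif opt in ("--sport", "--sports"): rule["sports"] = parse_ports(arg)
        elif opt == "--icmp-type": rule["icmp_type"] = int(arg)
        elif opt == "--state": rule["states"] = set(arg.split(","))
        elif opt == "-j": rule["target"] = arg
        else: raise ValueError(f"unsupported option {opt}")
        i += 2
    return rule


RULE_TEXT = [l.strip() for l in INPUT_CHAIN.strip().splitlines()]
RULES = [parse_rule(l) for l in RULE_TEXT]


def in_ranges(port, ranges):
    return any(lo <= port <= hi for lo, hi in ranges)


def matches(rule, pkt):
    """True if every criterion the rule specifies holds for the packet."""
    if rule["src"] and ipaddress.ip_address(pkt.src) not in rule["src"]: return False
    if rule["dst"] and ipaddress.ip_address(pkt.dst) not in rule["dst"]: return False
    if rule["iface"] and rule["iface"] != pkt.iface: return False
    if rule["proto"] and rule["proto"] != pkt.proto: return False
    if rule["dports"] and not in_ranges(pkt.dport, rule["dports"]): return False
    if rule["sports"] and not in_ranges(pkt.sport, rule["sports"]): return False
    if rule["icmp_type"] is not None and rule["icmp_type"] != pkt.icmp_type: return False
    if rule["states"] and pkt.state not in rule["states"]: return False
    return True


def first_match(rules, pkt, policy="DROP"):
    """iptables semantics: the first matching rule with a terminating
    target decides; otherwise the chain policy applies. Returns
    (1-based rule number or None, verdict)."""
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return n, rule["target"]
    return None, policy


def conntrack_state(pkt, flows, expectations):
    """Simplified nf_conntrack classification. `flows` holds 5-tuples already
    confirmed in either direction; `expectations` holds (proto, dst, dport)
    tuples a helper registered for a related connection. A packet matching
    neither is NEW, so a first SYN can never be ESTABLISHED or RELATED."""
    fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
    rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
    if fwd in flows or rev in flows:
        return "ESTABLISHED"
    if (pkt.proto, pkt.dst, pkt.dport) in expectations:
        return "RELATED"
    return "NEW"


def scan_port_111(sport=40000):
    """The SYN and the handshake-completing ACK of a connect() scan of
    port 111 from the WAN side (constructed scanner 198.51.100.7), returned
    as (segment, conntrack state, matching rule number, verdict)."""
    flows, expectations, results = set(), set(), []
    for segment in ("SYN", "ACK"):
        pkt = Packet(src="198.51.100.7", dst=PUBLIC_IP, iface="ppp0",
                     proto="tcp", sport=sport, dport=111)
        pkt.state = conntrack_state(pkt, flows, expectations)
        n, verdict = first_match(RULES, pkt)
        if verdict == "ACCEPT":     # conntrack confirms the entry once accepted
            flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        results.append((segment, pkt.state, n, verdict))
    return results


if __name__ == "__main__":
    for row in scan_port_111():
        print(row)
```

The walk shows the SYN to port 111 being accepted by rule 13, the `-d {public_ip}/32 -m state --state NEW -j ACCEPT` line, which carries no interface or port restriction and so admits any new connection to the public address from any interface; only the ACK and every later segment of that connection hit rule 14, the RELATED,ESTABLISHED rule, which is why that rule's packet counter climbs during a scan. Passing `sport=80` shows the same SYN being accepted earlier, by the `--sports 22,25,80,443` rule, so a scanner using `nmap -g 80` gets in through rule 7 as well. On the box itself the equivalent check is `iptables -Z INPUT` followed by `iptables -L INPUT -v -n --line-numbers` before and after a single `nmap -p 111` run, comparing per-rule packet counts rather than byte totals; the evaluator does not model conntrack's INVALID state or TCP window tracking, so a real chain can differ for malformed or mid-stream segments.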

