On Tue, 2009-08-25 at 08:44 -0600, Wade Preston Shearer wrote:
> On 24 Aug 2009, at 23:29, Stuart Jansen wrote:
>
> > iptables -A INPUT -i lo -j ACCEPT
>
> Allows packets on the loopback interface, only, right?

Always allow packets from loopback. Or, as I like to put it, "Allow the machine to talk to itself." Only localhost can send packets out lo, but technically lo can have any IP, so filtering on interface name is better than filtering on IP.

> > /sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> I don't see the 'm' flag in the man file. What exactly is this
> original option doing? What do related and established do?

iptables has two types of rules: builtins and modules. The -m option loads a module, adding additional functionality. For example, the limit module can perform rate limiting. Without loading a module, iptables can only look at IP packet info, for example -p (protocol) or -s (source address). After loading the tcp module (-m tcp), iptables can also understand TCP packet info, for example --sport (source port) or --dport (destination port). Likewise, -m icmp makes it possible to perform a test like --icmp-type host-prohibited.

There are two basic types of firewalls: stateless and stateful. The advantage of a stateless firewall is that it doesn't require much RAM. Unfortunately, it is also less secure. The advantage of a stateful firewall is that it can be more secure and faster, _if_ you write your rules carefully. In tradeoff, it requires RAM (but not much) and loses state if rebooted.

A stateless firewall looks at each packet in isolation, unaware of the larger conversation taking place. This can be especially problematic with certain protocols, like FTP, which uses random ports to transfer data. To make the firewall faster, some admins choose to filter only new connections. For example, filter TCP packets with just the SYN flag turned on, but allow all others through on the assumption that if the connection was already accepted it must be okay. This makes it easy for attackers to slip packets past in interesting ways.

A stateful firewall uses RAM to keep track of how one packet relates to another, making it possible to write rules not just about individual packets but also the larger conversation. Like stateless firewalls, to speed things up many admins will focus on filtering only NEW packets creating connections, on the assumption that if the connection was already accepted the rest of the packets must be okay. But instead of blindly trusting a packet that claims to be part of an ESTABLISHED connection, Netfilter can actually double check. In addition, when dealing with a weird protocol like ftp, Netfilter can actually tell that a NEW connection on a random port is RELATED to an ESTABLISHED connection. A packet that is neither NEW, ESTABLISHED nor RELATED is INVALID. Putting a rule allowing ESTABLISHED and RELATED near the top of the list will make your firewall faster by allowing most packets to go through without evaluating the rest of the rules.

> It appears that Stuart's is a better way to allow all the packets
> through and Mr. Ritter's limits it to just icmp packets. Will I really
> be okay only allowing those packets through? icmp packets are errors,
> right? And since we are trying to limit returning packets, that should
> be sufficient?

You should have both my lo rule to avoid weird problems, and Ritter's ICMP rule to limit ping. After that, things get fuzzier. Some people believe strongly in filtering ICMP to within an inch of its life (and beyond). If you fall into that camp, my one suggestion is to use names instead of numbers. In other words:

iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/sec --limit-burst 5 -j ACCEPT

Myself, I prefer to allow all ICMP through. So after the line rate limiting ping, I would add:

iptables -A INPUT -p icmp -j ACCEPT

Here's a little more discussion to inform your decision:

http://lists.netfilter.org/pipermail/netfilter/2005-December/064199.html
http://lists.netfilter.org/pipermail/netfilter/2005-December/064194.html

BTW, the Linux firewall code is technically named Netfilter. The iptables command is used to modify Netfilter rules. Not only is this information useful for showing off at parties, it is also helpful in discovering that http://netfilter.org is the ultimate source of Linux firewall documentation.

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
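The stateless "only filter SYN" shortcut versus stateful tracking, as an added toy model that is not code from the thread or from Netfilter: a single outbound SYN creates a flow, the server's SYN/ACK reply matches it as ESTABLISHED, and a stray ACK aimed at port 22 that belongs to no flow is waved through by the stateless rule but never reaches the ESTABLISHED accept in the stateful one. Addresses and packets are constructed (RFC 5737 ranges), RELATED is left out because it needs a protocol helper, and real conntrack is more nuanced (it may pick up a mid-stream ACK as NEW rather than INVALID), but either way that packet misses the ESTABLISHED rule and falls to the DROP policy.

```python
# Added example, not from the thread: a toy model of the "only filter SYN"
# stateless shortcut versus conntrack-style NEW/ESTABLISHED/INVALID tracking.
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport flags")  # flags: "S", "SA", "A"...

def stateless_decision(p):
    """Drop bare SYNs (new inbound connections) and trust every other packet
    on the assumption that it must belong to an already accepted connection."""
    return "DROP" if p.flags == "S" else "ACCEPT"

class Conntrack:
    """Minimal tracker: a flow becomes known when the inside host sends a SYN;
    later packets on that 4-tuple are ESTABLISHED; a non-SYN packet that fits
    no known flow is INVALID. RELATED is omitted (needs a helper such as ftp)."""
    def __init__(self):
        self.flows = set()  # (client, cport, server, sport)

    def state(self, p, direction):
        if direction == "out":
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == "S":
                self.flows.add(key)
                return "NEW"
        else:
            key = (p.dst, p.dport, p.src, p.sport)  # reply, so swap the ends
        if key in self.flows:
            return "ESTABLISHED"
        return "NEW" if p.flags == "S" else "INVALID"

def stateful_decision(ct, p, direction):
    if ct.state(p, direction) == "ESTABLISHED":  # --state ESTABLISHED -j ACCEPT
        return "ACCEPT"
    return "ACCEPT" if direction == "out" else "DROP"  # inbound NEW/INVALID: DROP

# Constructed packets (RFC 5737 documentation addresses); nothing is sent.
SYN_OUT = Pkt("192.0.2.10", 40000, "198.51.100.7", 80, "S")
SYNACK_IN = Pkt("198.51.100.7", 80, "192.0.2.10", 40000, "SA")
FORGED_ACK = Pkt("203.0.113.9", 4444, "192.0.2.10", 22, "A")  # no SYN ever seen

def run_scenario():
    ct = Conntrack()
    stateful_decision(ct, SYN_OUT, "out")  # inside host opens the connection
    return {
        "synack_stateless": stateless_decision(SYNACK_IN),
        "synack_stateful": stateful_decision(ct, SYNACK_IN, "in"),
        "forged_stateless": stateless_decision(FORGED_ACK),
        "forged_stateful": stateful_decision(ct, FORGED_ACK, "in"),
    }
```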
