newbie iptables question



Postby niceflower » 2017-03-27 17:30

Hello, I have been using UFW for years and decided to switch to using iptables, however there is something I do not understand.
With UFW I used to enable, start on boot, then DROP all INCOMING and ALLOW a few OUTGOING rules.
On iptables, it seems that ACCEPT OUT and DROP INCOMING disables all network traffic, then after allowing a few INCOMING rules, I can establish traffic.

Why is there this difference between UFW and iptables regarding blocking INCOMING traffic?
Is it safe to allow a "few" INCOMING rules?
Is there a way to drop all INCOMING traffic on iptables just like with UFW and still establish internet connectivity?
Posts: 1
Joined: 2017-03-27 17:22

Re: newbie iptables question

Postby Cefiar » 2017-03-27 20:17

UFW by default allows INCOMING established/related traffic. This is done using the 'conntrack' (connection tracking) module in the kernel, which you use within iptables via the 'state' rule selector.

This means if you allow outgoing traffic (needs to be marked to keep track of it), it can allow any corresponding incoming traffic that matches it back in, while not allowing other traffic.

Look for iptables explanations for "state RELATED,ESTABLISHED" rules. In UFW, they're usually in the ufw-before-input chain. There is also a matching "state NEW" that needs to be in the output chain somewhere (in UFW, ufw-track-output), otherwise the sessions won't be tracked.

Also, there's "state INVALID" which checks for packets that have invalid states (i.e. due to bugs in OSes/routers or, more likely, someone trying to actively bypass/probe your firewall). UFW puts those in the ufw-before-input chain, but they're also checked in a few other places to limit how much logging of them is done (so your logs don't get full).
Posts: 18
Joined: 2017-03-25 22:50
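The ruleset the reply above describes, written out as an added example rather than anything posted in the thread: INPUT policy DROP, OUTPUT policy ACCEPT, and a conntrack rule that lets replies to our own connections back in. It assumes a kernel with nf_conntrack and the iptables-restore tool (both standard on Debian); the SSH rule and the APPLY_RULES variable are illustrative choices, not anything from the post.

```shell
#!/bin/sh
# Added example, not from the forum thread. Minimal iptables ruleset that
# reproduces UFW's default posture: drop unsolicited incoming traffic, allow
# outgoing, and let replies to our own connections back in via conntrack.

# Print the ruleset in iptables-restore(8) format. Emitting it as text first,
# instead of running iptables one line at a time, lets the whole set be
# reviewed and loaded atomically with no half-configured window.
ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is needed by local resolvers, databases and similar services.
-A INPUT -i lo -j ACCEPT
# Packets the tracker cannot attribute to any known flow (bad TCP flags,
# stray ACKs, probes). Dropped early so they never reach the ACCEPT rules.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# The rule UFW carries in ufw-before-input: replies to connections we opened
# (ESTABLISHED) and helper-related flows such as ICMP errors or FTP data
# channels (RELATED) are accepted. Anything else falls through to DROP.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Illustrative: explicitly open only the services you really expose.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Outgoing traffic is accepted by policy; conntrack records each new flow it
# sees automatically, so no extra OUTPUT rule is needed for tracking.
COMMIT
EOF
}

# Syntax-check the ruleset without touching the live tables, then load it.
# Needs root. iptables-restore --test only parses; the second call commits.
apply_ruleset() {
    ruleset | iptables-restore --test && ruleset | iptables-restore
}

# Sanity check used before loading: how many rules rely on conntrack state?
# Returns the count on stdout (3 for the ruleset above).
count_ctstate_rules() {
    ruleset | grep -c -- '--ctstate'
}

# True when the ruleset contains the stateful ACCEPT that keeps outbound
# connections usable under a DROP policy. Without this line the box would
# behave exactly as described in the question: no replies get in.
has_stateful_accept() {
    ruleset | grep -q -- '-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
}

# Only apply when explicitly asked (APPLY_RULES=1 is this example's own
# guard), so sourcing or dry-running the script never alters the firewall.
if [ "${APPLY_RULES:-0}" = 1 ]; then
    has_stateful_accept || { echo "refusing to load: no RELATED,ESTABLISHED rule" >&2; exit 1; }
    apply_ruleset
    iptables -S INPUT   # show what was actually loaded
fi
```

Run `sh firewall.sh` to review the generated rules (the script prints nothing and changes nothing unless APPLY_RULES=1 is set), then `sudo env APPLY_RULES=1 sh firewall.sh` to load them. After loading, check the live state with `iptables -S INPUT` rather than trusting the text: a typo in the heredoc is caught by `--test`, but a rule in the wrong order (for example the INVALID drop placed after the ESTABLISHED accept) is not.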
