newbie iptables question

niceflower
Posts: 1
Joined: 2017-03-27 17:22

newbie iptables question

#1 Post by niceflower

Hello, I have been using UFW for years and decided to switch to using iptables, however there is something I do not understand.
With UFW I used to enable it, start it on boot, then DROP all INCOMING and ALLOW a few OUTGOING rules.
On iptables, it seems that ACCEPT OUT and DROP INCOMING disable all network traffic; then, after allowing a few INCOMING rules, I can establish traffic.

Why is there this difference between UFW and iptables regarding blocking INCOMING traffic?
Is it safe to allow a "few" INCOMING rules?
Is there a way to drop all INCOMING traffic on iptables, just like with UFW, and still have internet connectivity?

Cefiar
Posts: 18
Joined: 2017-03-25 22:50

Re: newbie iptables question

#2 Post by Cefiar

UFW by default allows INCOMING established/related traffic. This is done using the 'conntrack' (connection tracking) module in the kernel, which you use within iptables via the 'state' rule selector.

This means if you allow outgoing traffic (needs to be marked to keep track of it), it can allow any corresponding incoming traffic that matches it back in, while not allowing other traffic.

Look for iptables explanations for "state RELATED,ESTABLISHED" rules. In UFW, they're usually in the ufw-before-input chain. There is also a matching "state NEW" that needs to be in the output chain somewhere (in UFW, ufw-track-output), otherwise the sessions won't be tracked.

Also, there's "state INVALID", which checks for packets that have invalid states (i.e. due to bugs in OSes/routers, or more likely someone trying to actively bypass/probe your firewall). UFW puts those in the ufw-before-input chain, but they're also checked in a few other places to limit how much logging of them is done (so your logs don't get full).
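To make the reply above concrete, here is an added example (not code from the thread or from UFW itself) that emits an iptables-restore ruleset reproducing the UFW default posture Cefiar describes: INPUT policy DROP, OUTPUT policy ACCEPT, INVALID packets dropped, and conntrack admitting replies to connections this host opened. It uses `-m conntrack --ctstate`, the current spelling of the `-m state --state` match named in the reply; chain names, the rate-limited LOG rule and the `[INPUT DROP]` prefix are my choices, and the script covers IPv4 only (ip6tables needs its own copy). Nothing is applied to the kernel: the ruleset is printed so it can be reviewed, and any TCP ports given as arguments become the "few INCOMING" services from the original question.

```shell
#!/bin/sh
# Added example: print a UFW-style default-deny ruleset in iptables-restore
# format. Usage: ufw_like_ruleset [tcp_port ...]   (e.g. ufw_like_ruleset 22)
# Review the output, then load it with:  ufw_like_ruleset 22 | sudo iptables-restore

ufw_like_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback stays open; local daemons depend on it.
-A INPUT -i lo -j ACCEPT
# Packets conntrack cannot tie to any known flow (malformed, out of window).
-A INPUT -m conntrack --ctstate INVALID -j DROP
# This one rule is why "DROP all INCOMING" still lets the host browse:
# replies to flows this host started, plus helper-related flows (e.g. FTP data).
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
    # The "few INCOMING" services: only the first (NEW) packet of each
    # connection needs its own rule; the rest is admitted by ESTABLISHED above.
    for port in "$@"; do
        printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$port"
    done
    cat <<'EOF'
# Log what falls through to the DROP policy, rate-limited so the log stays usable.
-A INPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[INPUT DROP] "
# OUTPUT policy is already ACCEPT; the explicit NEW rule documents that outgoing
# flows are the ones being tracked and keeps working if OUTPUT is later set to DROP.
-A OUTPUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Sanity check before loading: reads a ruleset on stdin and returns 0 only if the
# three elements this thread names are present (default-deny INPUT, INVALID
# dropped, replies accepted). Any missing piece returns 1.
check_ruleset() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q -- '--ctstate INVALID -j DROP' || return 1
    printf '%s\n' "$rules" | grep -q -- '--ctstate RELATED,ESTABLISHED -j ACCEPT' || return 1
    return 0
}

# Example run: print the ruleset with SSH as the one exposed service.
ufw_like_ruleset 22 | check_ruleset && ufw_like_ruleset 22
```

Note that the order matters: the INVALID drop and the RELATED,ESTABLISHED accept sit before any per-service rule, so a probe that does not belong to a tracked flow never reaches the service rules, and a service rule only has to admit the first packet of a connection.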
