Content #
TCP connection state and ongoing UDP exchange information can be maintained, allowing network exchanges to be filtered as NEW, ESTABLISHED, RELATED, or INVALID:
- NEW is equivalent to the initial TCP SYN request, or to the first UDP packet.
- ESTABLISHED refers to the ongoing TCP ACK messages after the connection is initiated, to subsequent UDP datagrams exchanged between the same hosts and ports, and to ICMP echo-reply messages sent in response to a previous echo-request.
- RELATED currently refers only to ICMP error messages. FTP secondary connections are managed by the additional FTP connection tracking support module. With the addition of that module, the meaning of RELATED is extended to include the secondary FTP connection.
- An example of an INVALID packet is an incoming ICMP error message that wasn't a response to a current session, or an echo-reply that wasn't a response to a previous echo-request.
A DNS forwarding name server uses server-to-server communication. DNS traffic is exchanged between source and destination ports 53 on both hosts. The UDP client/server relationship can be made explicit. The following rules explicitly allow outgoing (NEW) requests, incoming (ESTABLISHED) responses, and any (RELATED) ICMP error messages:
```sh
iptables -A INPUT -m state \
    --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT --out-interface <interface> -p udp \
    -s $IPADDR --source-port 53 -d $NAME_SERVER --destination-port 53 \
    -m state --state NEW,RELATED -j ACCEPT
```
DNS uses a simple query-and-response protocol. But what about an application that can maintain an ongoing connection for extended periods, such as an FTP control session or a telnet or SSH session? If the state table entry is cleared out prematurely for some reason, future packets won’t have a state entry to be matched against to be identified as part of an ESTABLISHED exchange.
The following rules for an SSH connection allow for that possibility:
```sh
iptables -A INPUT -m state \
    --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state \
    --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT --out-interface <interface> -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    -d $REMOTE_SSH_SERVER --destination-port 22 \
    -m state --state NEW -j ACCEPT
iptables -A OUTPUT --out-interface <interface> -p tcp ! --syn \
    -s $IPADDR --source-port $UNPRIVPORTS \
    -d $REMOTE_SSH_SERVER --destination-port 22 \
    -j ACCEPT
iptables -A INPUT --in-interface <interface> -p tcp ! --syn \
    -s $REMOTE_SSH_SERVER --source-port 22 \
    -d $IPADDR --destination-port $UNPRIVPORTS \
    -j ACCEPT
```
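To make the state matching concrete, here is an added toy model (example code, not from the book) of the conntrack states described above applied to the SSH rule set: it classifies constructed packets as NEW, ESTABLISHED or INVALID and runs them through the page's rules with and without the `! --syn` fallback, so you can see both what the fallback restores once a state entry has been lost and what it gives up (an unsolicited non-SYN segment from port 22 is accepted without any tracked flow). The addresses, the 1024 lower bound for $UNPRIVPORTS, and the default DROP policy are assumptions.

```python
from collections import namedtuple
IPADDR, REMOTE_SSH_SERVER = "192.0.2.10", "198.51.100.22"   # constructed (RFC 5737)
# direction: "out" = OUTPUT chain, "in" = INPUT chain; syn = what iptables --syn matches
Pkt = namedtuple("Pkt", "direction proto src sport dst dport syn", defaults=(False,))

def classify(table, p):
    # Toy conntrack: NEW for a SYN or first UDP datagram, ESTABLISHED once either flow
    # direction is tracked; a non-SYN TCP segment with no entry is INVALID here (real
    # conntrack may pick it up as NEW when net.netfilter.nf_conntrack_tcp_loose=1).
    fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
    rev = (p.proto, p.dst, p.dport, p.src, p.sport)
    if fwd in table or rev in table:
        return "ESTABLISHED"
    if p.proto == "tcp" and not p.syn:
        return "INVALID"
    table.add(fwd)
    return "NEW"

def ssh_rules(fallback):
    # The page's client-side SSH rules, in order, as predicates over (packet, state).
    to_srv = lambda p: (p.proto == "tcp" and p.src == IPADDR and p.sport >= 1024
                        and p.dst == REMOTE_SSH_SERVER and p.dport == 22)  # $UNPRIVPORTS
    from_srv = lambda p: (p.proto == "tcp" and p.src == REMOTE_SSH_SERVER
                          and p.sport == 22 and p.dst == IPADDR and p.dport >= 1024)
    out = [lambda p, st: st in ("ESTABLISHED", "RELATED"),
           lambda p, st: st == "NEW" and to_srv(p)]
    inp = [lambda p, st: st in ("ESTABLISHED", "RELATED")]
    if fallback:  # the "! --syn" rules: they never consult the state table
        out.append(lambda p, st: not p.syn and to_srv(p))
        inp.append(lambda p, st: not p.syn and from_srv(p))
    return {"out": out, "in": inp}

def verdict(rules, table, p):
    st = classify(table, p)  # assumes a default DROP policy on both chains
    return "ACCEPT" if any(r(p, st) for r in rules[p.direction]) else "DROP"

def ssh_session(fallback, clear_table):
    # SYN out, SYN/ACK in, then another server segment after an optional table wipe.
    table, rules = set(), ssh_rules(fallback)
    syn = Pkt("out", "tcp", IPADDR, 40000, REMOTE_SSH_SERVER, 22, syn=True)
    reply = Pkt("in", "tcp", REMOTE_SSH_SERVER, 22, IPADDR, 40000)
    got = [verdict(rules, table, syn), verdict(rules, table, reply)]
    if clear_table:
        table.clear()  # the entry vanished prematurely, as the text describes
    got.append(verdict(rules, table, reply))
    return got

def stray_segment(fallback):
    stray = Pkt("in", "tcp", REMOTE_SSH_SERVER, 22, IPADDR, 55555)  # nothing tracked
    return verdict(ssh_rules(fallback), set(), stray)
```

Without the fallback, the lost entry turns the server's next segment into a DROP; with it, the session survives, but so does any untracked non-SYN segment from port 22 to an unprivileged port.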
From #
Linux Security: Enhancing Security with nftables and Beyond