On Monday 26 May 2008 22:10:54 Robert Spangler wrote:
With IPTABLES, once a rule matches and is accepted it stops processing the packet and sends it on its way. NEW does not stop IPTABLES from processing the packet as it is supposed to; it just applies the rule if the packet is new. This is why you place ESTABLISHED,RELATED at the top of your rule sets and use the NEW statement in your rules.
Let us take a look at the following rule set as an example. This could be applied to a web server in a DMZ.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eth0 -j DROP   # (I always place this statement)
iptables -A OUTPUT -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth1 -j DROP  # (I always place this statement)
Now let's say you don't use NEW in your rule set. Now every packet has to traverse the rule set each time, because there is no NEW rule to add it to the conntracking table. Now let's say that you have a couple hundred rules in your firewall. Now the packet has to traverse the entire rule set every time it comes in. This will slow down your firewall. This type of firewall is known as CONNECTIONLESS, meaning it doesn't care if the packet was seen before or not; it must traverse the chain.
I hope this has given you a better understanding of how IPTABLES works.
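A small check over an iptables-save style dump for the two things the ordering above relies on: the ESTABLISHED,RELATED ACCEPT comes first in each chain, and every other ACCEPT carries --state NEW. This is an added example, not code from the thread; both rule sets inside it are constructed, one from the DMZ example above and one "connectionless" variant.

```python
# Lint an iptables-save style ruleset for the ordering described above: the
# ESTABLISHED,RELATED ACCEPT must be the first ACCEPT in each chain, and every
# other ACCEPT must carry --state NEW so later packets never walk the chain.

# Constructed from the web-server-in-a-DMZ rule set (-A/-P spelled out).
GOOD = """\
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -j DROP
-A OUTPUT -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o eth1 -j DROP
COMMIT
"""

# Constructed "connectionless" variant: no NEW, and the state rule comes last.
BAD = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

def _states(tokens):
    """Return the set of --state values on one rule (empty if none)."""
    for i, t in enumerate(tokens):
        if t == "--state" and i + 1 < len(tokens):
            return set(tokens[i + 1].split(","))
    return set()

def lint(ruleset):
    """Return findings as strings; an empty list means the ordering is right."""
    findings, seen_accept = [], set()  # chains that already have a non-state ACCEPT
    for line in ruleset.splitlines():
        tok = line.split()
        # Only appended ACCEPT rules matter here; ACCEPT takes no options, so it is last.
        if tok[:1] != ["-A"] or tok[-2:] != ["-j", "ACCEPT"]:
            continue
        chain, states = tok[1], _states(tok)
        if {"ESTABLISHED", "RELATED"} <= states:
            if chain in seen_accept:
                findings.append(f"{chain}: ESTABLISHED,RELATED accept is not the first ACCEPT")
        else:
            seen_accept.add(chain)
            if "NEW" not in states:
                findings.append(f"{chain}: rule {line!r} accepts without --state NEW")
    return findings
```

Run it against the output of `iptables-save` on a real box to see which chains would make every packet of an open connection walk the port rules.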
This is surely 'NEW' to me. And I thank you for that. I've been reading many iptables tutorials, but your explanation is the clearest to me. I owe you one for this. Thanks for sparing your time explaining those.
I hope I was able to help you with your quest.
Yes! And that's why I love the CentOS list. It's full of many very nice, helpful people.
Thank you again.