[CentOS] IPTables help
Fajar Priyanto
fajarpri at cbn.net.id
Tue May 27 12:13:31 UTC 2008
On Monday 26 May 2008 22:10:54 Robert Spangler wrote:
> With IPTABLES once a rule matches and is accepted it stops processing the
> packet and sends it on its way. NEW does not stop IPTABLES from
> processing the packet as it is supposed to, it just applies the rule if the
> packet is new. This is why you place ESTABLISHED,RELATED at the top of
> your rule sets and use the NEW statement in your rules.
>
> Let us take a look at the following rule set for an example.
> This could be applied to a web server in a DMZ.
>
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT
> iptables -A INPUT -i eth0 -j DROP **(I always place this statement)**
> iptables -A OUTPUT -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o eth1 -j DROP **(I always place this statement)**
>
> Now let's say you don't use NEW as in your rule set. Now every packet
> has to traverse the rule set each time because there is no NEW rule to add
> it to the conntracking table. Now let's say that you have a couple hundred
> rules in your firewall. Now the packet has to traverse the entire rule set
> every time it comes in. This will slow down your firewall. This type of
> firewall is known as CONNECTIONLESS, meaning it doesn't care if the packet
> was seen before or not, it must traverse the chain.
>
> I hope this has given you a better understanding of how IPTABLES works.
This is surely 'NEW' to me. And I thank you for that. I've been reading many
iptables tutorials, but your explanation is the clearest to me. I owe you one
for this. Thanks for sparing your time to explain all this.
> I hope I was able to help you with your quest.
Yes! And that's why I love the CentOS list. It's full of many very nice,
helpful people.
Thank you again.
--
Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial
http://linux2.arinet.org
19:12:28 up 26 min, 2.6.22-14-generic GNU/Linux
Let's use OpenOffice. http://www.openoffice.org
The real challenge of teaching is getting your students motivated to learn.
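
A complete, runnable version of the DMZ web-server rule set discussed in the quoted reply, added to this archive page as a worked example; it is not Robert's or Fajar's script. It keeps the quoted assumption that eth0 faces the DMZ/Internet and eth1 carries the server's own outbound traffic, and it goes beyond the quoted list by accepting loopback, dropping packets conntrack marks INVALID, and allowing outbound DNS and NTP. Those additions, the interface names, the IPT dry-run variable and the file name dmz-web.sh are assumptions of this example, not something the post states. The rules are emitted by one function in installation order so the ordering the post argues for (ESTABLISHED,RELATED accepted before any rule that matches NEW) can be checked before anything is installed.

```sh
#!/bin/sh
# dmz-web.sh: stateful iptables rule set for a web server in a DMZ.
# Added example for this list post, not the script of either poster.
# Assumptions: eth0 faces the DMZ/Internet, eth1 is the server's outbound
# interface, and the server needs outbound DNS and NTP.

WAN_IF="${WAN_IF:-eth0}"   # assumed: interface that receives client traffic
LAN_IF="${LAN_IF:-eth1}"   # assumed: interface for the server's own connections
IPT="${IPT:-iptables}"     # set IPT=echo to dry-run instead of installing rules

# Emit one rule (the iptables arguments) per line, in the order they must be
# installed. Order is the whole point: the ESTABLISHED,RELATED accept comes
# before every per-service rule, so only the first packet of a connection is
# ever matched against the service rules below it.
rules() {
    cat <<EOF
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i $WAN_IF -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -o $LAN_IF -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o $LAN_IF -p udp --dport 123 -m state --state NEW -j ACCEPT
-A INPUT -i $WAN_IF -j DROP
-A OUTPUT -o $LAN_IF -j DROP
EOF
}

# Flush the filter table and install every rule from rules(); stop at the
# first rule iptables rejects so a typo never leaves a half-built rule set
# silently in place.
apply_rules() {
    "$IPT" -F && "$IPT" -X || return 1
    rules | while read -r line; do
        # shellcheck disable=SC2086  # word splitting of $line is intended
        "$IPT" $line || exit 1
    done
}

# Succeed only if the first ESTABLISHED,RELATED accept precedes the first
# rule that matches --state NEW, i.e. the ordering the post argues for.
check_order() {
    rules | awk '
        /--state ESTABLISHED,RELATED/ && !est { est = NR }
        /--state NEW/ && !new { new = NR }
        END { exit !(est && new && est < new) }'
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  rules ;;
    check) check_order && echo "ordering ok" ;;
esac
```

Run "sh dmz-web.sh show" to print the rules, "sh dmz-web.sh check" to confirm the ordering, and "sh dmz-web.sh apply" as root to install them. After some traffic, "iptables -L INPUT -v -n" should show the packet counter on the ESTABLISHED,RELATED line far ahead of the port-80 line; if it does not, the fast path is not doing its job. The script accepts no inbound SSH, so apply it from the console or add an SSH rule first. On current kernels "-m conntrack --ctstate" is the equivalent of "-m state --state", which is kept here because it is what the post uses.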