[CentOS] IPTables help

Tue May 27 12:13:31 UTC 2008
Fajar Priyanto <fajarpri at cbn.net.id>

On Monday 26 May 2008 22:10:54 Robert Spangler wrote:
> With IPTABLES once a rule matches and is accepted it stops processing the
> packet and sends it on its way.  NEW does not stop IPTABLES from
> processing the packet as it is supposed to, it just applies the rule if the
> packet is new.  This is why you place ESTABLISHED,RELATED at the top of
> your rule sets and use the NEW statement in your rules.
>
> Let us take a look at the following rules set for an example.
> This could be applied to a web server in a DMZ.
>
> iptables -P INPUT   DROP
> iptables -P OUTPUT  DROP
> iptables -P FORWARD DROP
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT
> iptables -A INPUT -i eth0 -j DROP **(I always place this statement)**
> iptables -A OUTPUT -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o eth1 -j DROP **(I always place this statement)**

> Now let's say you don't use the NEW as in your rule set.  Now every packet
> has to traverse the rule set each time because there is no NEW rule to add
> it to the conntracking table.  Now let's say that you have a couple hundred
> rules in your firewall.  Now the packet has to traverse the entire rule set
> every time it comes in.  This will slow down your firewall.  This type of
> firewall is known as CONNECTIONLESS, meaning it doesn't care if the packet
> was seen before or not, it must traverse the chain.
>
> I hope this has given you a better understanding of how IPTABLES works.
This is surely 'NEW' to me. And I thank you for that. I've been reading many 
iptables tutorials, but your explanation is the clearest to me. I owe you one 
for this. Thanks for sparing your time explaining those.

> I hope I was able to help you with your quest.
Yes! And that's why I love the CentOS list. It's full of many very nice, 
helpful people.

Thank you again.
-- 
Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial 
http://linux2.arinet.org
19:12:28 up 26 min, 2.6.22-14-generic GNU/Linux 
Let's use OpenOffice. http://www.openoffice.org
The real challenge of teaching is getting your students motivated to learn.
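The ruleset Robert describes above, rendered as a script. This is an example added by the editor, not Robert's or Fajar's own script: it emits the DMZ web-server rules in iptables-restore format so they load atomically in the order written, and carries a small check that the ESTABLISHED,RELATED accept really does sit ahead of the NEW accept in the INPUT chain, which is the whole point of the post. The interface names (eth0 inbound, eth1 outbound) follow the post and are assumptions to adjust; the loopback accept and the function names `dmz_web_rules` and `check_state_order` are additions of this example. The `-m state` match is what the post uses; on current kernels the same thing is spelled `-m conntrack --ctstate`.

```shell
#!/bin/sh
# Stateful DMZ web-server ruleset, written as an iptables-restore file.
# Editor's example, not code from the mailing-list post. Interface names are
# assumptions: eth0 faces the clients, eth1 carries the outbound side.

# Print the ruleset on stdout.  $1 = inbound interface, $2 = outbound interface.
dmz_web_rules() {
    ext_in="${1:-eth0}"
    ext_out="${2:-eth1}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback is not in the post; without it local services on 127.0.0.1 break.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# First rule: every reply packet of a tracked connection is accepted here
# and never reaches the rules below, however many of them there are.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only the opening SYN of a new HTTP connection has to walk this far.
-A INPUT -i ${ext_in} -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i ${ext_in} -j DROP
# OUTPUT only carries replies; the server cannot originate connections.
-A OUTPUT -o ${ext_out} -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o ${ext_out} -j DROP
COMMIT
EOF
}

# Ordering check: return 0 when, in the ruleset text given as $1, the INPUT
# ESTABLISHED,RELATED accept precedes the first INPUT --state NEW accept.
check_state_order() {
    est=$(printf '%s\n' "$1" | grep -n -e '-A INPUT .*--state ESTABLISHED,RELATED' | head -n1 | cut -d: -f1)
    new=$(printf '%s\n' "$1" | grep -n -e '-A INPUT .*--state NEW' | head -n1 | cut -d: -f1)
    [ -n "$est" ] && [ -n "$new" ] && [ "$est" -lt "$new" ]
}

# "apply" loads the rules (needs root); anything else just prints them.
case "${1:-print}" in
    apply)
        rules=$(dmz_web_rules)
        check_state_order "$rules" || { echo "state rules out of order" >&2; exit 1; }
        printf '%s\n' "$rules" | iptables-restore
        ;;
    *)
        dmz_web_rules
        ;;
esac
```

Run it without arguments to review the generated file, and with `apply` as root to load it. Because `iptables-restore` replaces the filter table in one commit, there is no window during the reload where the policy is DROP but the ESTABLISHED,RELATED rule is not yet in place, which is the failure mode of appending the rules one `iptables -A` call at a time after setting the policy.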