Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
A VB NAT connection its just like a simple router. All outgoing traffic but no new connections on the input side.
iptables are flushed but if policy is dropped nothing is going work.
One example would be that RELATED is needed for receiving an ICMP error in response to an attempted outgoing message.
If you are going to adapt the filter rules for your own use later, then I'll say yet again that you might look at nftables. These would be of use for that:
After you get your grade be sure to get some entertainment out of asking why iptables is still being taught instead of keeping up with current developments.
Now I stripped it even more, and still have access to internet. I must have misunderstood something here, clearly, because to me this should drop all incoming packets and make me loose my connection.
ESTABLISHED The packet is associated with a connection which has seen packets in both directions.
Since you are allowing a new,established for the output, traffic is now established so
iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
becomes a generic rule for all incomming traffic that is already established or originated from that computer. As an example you can ssh to another computer but can not ssh from another computer to this one. A "generic" established rule allows any input from other services like NTP, network printing or updates.
Where as
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Only allows traffic established on a specific port i.e ssh.
Just to help clarify:
During the TCP handshake, you send a connection request to an outside server; that is NEW.
The server sends back a ACK+SYN; that is RELATED.
You send a ACK back to the server that you are SYNc'd; you are now ESTABLISHED.
From the other direction:
BadActor tries to connect to your server; that is NEW..... -j DROP
You don't want NEW -j ACCEPT on the INPUT chain unless it also references a specific port/service that you are knowingly making available.
I wanted to share with you, for posterity's sake, the solution I used.
Again, the goal being to ALLOW only ESTABLISHED connections on the INPUT, on ports required to connect to webpages on the internet. Only via OUTPUT should NEW connections be possible.
It seems I misunderstood some concepts along the way, hopefully the rules are a little bit clearer now.
If you think there's something that I should add / strip away, please feel free to come with suggestions.
I think this was mentioned above, but it probably got lost with the flood of information but your INPUT lines should be checking the connection tracking state (ctstate) of the SOURCE port not the DESTINATION.
--dport should be --sport on all INPUT lines.
To show this, you can make an SSH connection to some computer. Then, in another window, run:
Code:
netstat -p | grep ssh
When I run this I get
Code:
tcp 0 0 192.168.66.2:41232 192.168.66.195:ssh ESTABLISHED 32596/ssh
This shows that my local host is using port 41232 and is connected to the ssh port (22) on the server. Your INPUT lines won't work because they are expecting both computers to be using port 22 (ssh) and the local host won't.
A very good reference for iptables firewalls is: "Designing and Implementing Linux Firewalls with QoS using netfilter, iproute2, NAT and L7-filter". It has very good real-world examples and explains everything quite well.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.