Stateful Packet Inspection Firewall (How could I tell)??
By looking at this firewall script (or iptables rules), could someone please tell me if this is a Stateful Packet Inspection firewall iptables script??
If it's not, could someone please post a powerful Stateful Packet Inspection iptables firewall for me please??? I would appreciate it since I can't grasp the concept of iptables.
Please note: I am using the computer ONLY for emails and basic Internet surfing. That's all. All of my network servers like Samba/Apache are disabled under Services. It's a stand-alone computer. So, all I need is a Stateful Packet Inspection firewall code, if someone is kind enough to post it for me. Thank You!!! I REALLY NEED A STATEFUL PACKET INSPECTION code. I really really wish. Please, I would highly appreciate it.
======================================
Here is the current firewall script that I'm running below. By looking at this current code, could someone here tell me if this is a Stateful Packet Inspection iptables script???
Code:
#PROC SETTINGS
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts #Block pings to broadcast IP (smurf)
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians #Log non-routable IPs
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route #Block source-routed packets
iptables -F
iptables -t nat -F
iptables -X
iptables -Z
iptables -P OUTPUT ACCEPT #Anything this host sends out is allowed
iptables -P INPUT DROP #Default for incoming packets: drop unless a rule below accepts
iptables -P FORWARD DROP #Stand-alone box, nothing is routed through it
#DROP BAD PACKETS
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP #DROP NEW NOT SYN (-m state consults the connection-tracking table)
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #DROP SYN-FIN SCANS
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP #DROP SYN-RST SCANS
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP #DROP X-MAS SCANS
iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP #DROP NMAP FIN SCAN
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP #DROP NULL SCANS
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP #DROP ALL/ALL SCANS
#LOG AND DROP IANA RESERVED/BOGONS
iptables -A INPUT -i ppp0 -s 0.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 0.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i lo -j ACCEPT #Loopback traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #Stateful rule: accept only replies to connections this host opened (and related traffic such as FTP data)
iptables uses stateful packet inspection. The fact that your script has rules filtering by connection states (NEW, ESTABLISHED, RELATED) in multiple rules indicates that your firewall is already doing stateful filtering. In fact the ruleset you posted relies almost entirely on stateful inspection (it basically only allows connections that you initiate, so incoming packets must be part of an established connection). A non-stateful firewall can't track connection states and uses other mechanisms, like classifying all ACK packets as part of an established connection, regardless of whether a SYN was previously received or not.
Last edited by Capt_Caveman; 02-09-2005 at 11:25 AM.
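The following script is an added example and is not part of the thread or of Capt_Caveman's reply. It shows two ways to answer "is this ruleset stateful?" without touching a live box: a static check that reads an iptables script and looks for the connection-tracking match that the posted script uses, and a replay of a constructed packet trace through the two policies the reply contrasts, a stateless "anything with ACK set belongs to an existing connection" rule versus a conntrack-style table that only knows about connections this host opened. The rulesets, the addresses and the packet trace are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Two offline checks for whether an
# iptables ruleset is stateful. All rulesets, addresses and the packet
# trace below are constructed for illustration.

# Static check: read an iptables script on stdin and succeed (exit 0) if
# it accepts ESTABLISHED/RELATED traffic through the connection-tracking
# match, i.e. "-m state --state ..." or its newer spelling
# "-m conntrack --ctstate ...".
ruleset_is_stateful() {
    grep -Eq -e '-m (state --state|conntrack --ctstate) [A-Z,]*ESTABLISHED[A-Z,]* -j ACCEPT'
}

# A stateful ruleset (the relevant lines of the script posted above).
STATEFUL_RULES='iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'

# A stateless ruleset of the kind the reply describes: any TCP packet
# that is not a bare SYN (so anything with ACK set) is assumed to belong
# to an existing connection, with no table to check it against.
STATELESS_RULES='iptables -P INPUT DROP
iptables -A INPUT -p tcp ! --syn -j ACCEPT'

# Constructed packet trace: "direction flags local:port remote:port".
# Packets 1-3 are a connection we open to a web server; packet 4 is a
# bare-ACK probe (an ACK scan) and packet 5 a bare SYN, both from a
# host we never talked to.
TRACE='out SYN 10.0.0.5:40000 203.0.113.10:80
in SYN,ACK 10.0.0.5:40000 203.0.113.10:80
in ACK 10.0.0.5:40000 203.0.113.10:80
in ACK 10.0.0.5:22 198.51.100.7:55555
in SYN 10.0.0.5:22 198.51.100.7:55556'

# Behavioural check: replay a trace through one of the two policies.
# $1 is "stateless" or "stateful", $2 the trace. Prints the verdict for
# each inbound packet, space separated. Outbound packets are always
# allowed (OUTPUT policy ACCEPT); in stateful mode an outbound SYN also
# records the 4-tuple, the way the kernel's conntrack table would.
replay() {
    mode=$1
    table=""
    verdicts=""
    while read -r dir flags here peer; do
        [ -z "$dir" ] && continue
        tuple="$here>$peer"
        if [ "$dir" = out ]; then
            case ",$flags," in *,SYN,*) table="$table
$tuple" ;; esac
            continue
        fi
        if [ "$mode" = stateless ]; then
            # Stateless: the ACK flag alone is taken as proof of an
            # existing connection, so the bare-ACK probe gets through.
            case ",$flags," in *,ACK,*) v=ACCEPT ;; *) v=DROP ;; esac
        else
            # Stateful: only packets whose 4-tuple was recorded by a
            # connection we initiated are accepted.
            if printf '%s\n' "$table" | grep -qxF -e "$tuple"; then
                v=ACCEPT
            else
                v=DROP
            fi
        fi
        verdicts="$verdicts $v"
    done <<EOF
$2
EOF
    printf '%s\n' "${verdicts# }"
}

# Stand-alone demonstration.
if printf '%s\n' "$STATEFUL_RULES" | ruleset_is_stateful; then
    echo "STATEFUL_RULES: uses connection tracking"
fi
if ! printf '%s\n' "$STATELESS_RULES" | ruleset_is_stateful; then
    echo "STATELESS_RULES: no connection tracking"
fi
echo "stateful  verdicts: $(replay stateful "$TRACE")"
echo "stateless verdicts: $(replay stateless "$TRACE")"
```

The fourth packet is the one that separates the two policies: the stateless rule lets the unsolicited ACK in because it cannot know that no SYN ever went out, while the conntrack-style table drops it. In the posted script the scan-flag and bogon rules are stateless checks layered in front, and the two `-m state` lines are the stateful part; `-m state` is accepted by current iptables as an alias for `-m conntrack`. On the live machine, `iptables -L INPUT -v -n` shows that rule as `state RELATED,ESTABLISHED`, and `/proc/net/ip_conntrack` (`/proc/net/nf_conntrack` on newer kernels) lists the tracked connections it consults while you are browsing.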
But could you please confirm for me one more time that the code I posted (which I am using now) does Stateful Packet Inspection?
And with that code I posted above, how can I tell that it's using Stateful Packet Inspection???
As Capt_Caveman said, Netfilter (iptables) is a stateful packet filter. Basically a stateful firewall examines each packet and determines whether it is legitimate or not.
Thanks I got it. I really thank you very much for your help.
I apologize; even though I have read numerous manuals about the Linux firewall, I still do not or cannot grasp it in my head. It's very complicated... But I will try my best to resolve this.
The firewall script that I posted above (Post #1), is that a Stateful Packet Inspection firewall script? Please confirm one more time; I would appreciate it.
And remember, I want to use this script for Dial-Up and DSL connections....