TCP filtering examples
Matthew Kirkwood
matthew@hairy.beasts.org
Fri, 10 Nov 2000 00:53:22 +0000 (GMT)
Hi,
Is there anywhere a good list of iptables building blocks of
varying complexity? Specifically, I know that there are several
ways to filter a TCP connection, some tighter, some faster.
To allow outgoing ssh, for example, I might do something like
this (this is vastly simplified):
# iptables -A OUTPUT -p TCP --dport ssh -j ACCEPT
# iptables -A INPUT -p TCP --sport ssh -j ACCEPT
This is pretty minimal and thus quite fast. However, one could
also do:
# iptables -A OUTPUT -p TCP --dport ssh -j ACCEPT
# iptables -A INPUT -p TCP --sport ssh ! --syn -j ACCEPT
which is clearly rather better, for limited additional cost.
Can this be improved upon without using conntrack?
The conntrackified version looks like:
# iptables -A OUTPUT -p TCP -m state --state NEW,ESTABLISHED \
> --dport ssh -j ACCEPT
# iptables -A INPUT -p TCP -m state --state ESTABLISHED \
> --sport ssh -j ACCEPT
(Maybe with the "! --syn" in there too.)
Can this be improved upon in general?
Is there a middle-ground between full conntrack and simple SYN
filtering?
Cheers,
Matthew.
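The three rule sets quoted in the post differ in which packets they let through, and that is easiest to see by feeding the same traffic to each. The script below is an added example, not part of the original message and not iptables: it models only what those rules match on (direction/chain, the ports, the TCP flags that `--syn` looks at, and a deliberately simplified connection table standing in for conntrack). The sample session and the unsolicited packets are constructed; local port numbers are arbitrary.

```python
"""Model of three ways to allow outgoing ssh with iptables: port match
only, port match plus '! --syn' on INPUT, and conntrack states.
This is a constructed simulation of the match semantics of the quoted
rules; it is not iptables and ignores everything the rules do not test
(addresses, sequence numbers, timeouts, conntrack's loose pickup)."""
from dataclasses import dataclass

SSH = 22  # what '--dport ssh' / '--sport ssh' resolve to via /etc/services


@dataclass(frozen=True)
class Packet:
    direction: str        # "out" = OUTPUT chain, "in" = INPUT chain
    sport: int
    dport: int
    flags: frozenset      # subset of {"SYN", "ACK", "FIN", "RST"}


def is_syn(pkt):
    """What '--syn' matches: SYN set, ACK/RST/FIN clear."""
    return pkt.flags == frozenset({"SYN"})


class ConnTable:
    """Minimal stand-in for conntrack (assumption, not the real algorithm):
    a (local port, remote port) pair is NEW from its first packet and
    becomes ESTABLISHED once a packet has been seen in the other direction."""

    def __init__(self):
        self.entries = {}  # (local, remote) -> {"origin": dir, "replied": bool}

    def state(self, pkt):
        key = (pkt.sport, pkt.dport) if pkt.direction == "out" else (pkt.dport, pkt.sport)
        entry = self.entries.setdefault(key, {"origin": pkt.direction, "replied": False})
        if pkt.direction != entry["origin"]:
            entry["replied"] = True
        return "ESTABLISHED" if entry["replied"] else "NEW"


# Policy 1: OUTPUT --dport ssh / INPUT --sport ssh
def port_only(pkt, table):
    if pkt.direction == "out":
        return pkt.dport == SSH
    return pkt.sport == SSH


# Policy 2: as above, but INPUT also requires '! --syn'
def port_and_not_syn(pkt, table):
    if pkt.direction == "out":
        return pkt.dport == SSH
    return pkt.sport == SSH and not is_syn(pkt)


# Policy 3: OUTPUT --state NEW,ESTABLISHED / INPUT --state ESTABLISHED
def conntrack(pkt, table):
    st = table.state(pkt)  # conntrack sees every packet, matching rule or not
    if pkt.direction == "out":
        return pkt.dport == SSH and st in ("NEW", "ESTABLISHED")
    return pkt.sport == SSH and st == "ESTABLISHED"


def run(policy, packets):
    """Feed a packet sequence through one policy with a fresh connection
    table; return the accept decision for each packet in order."""
    table = ConnTable()
    return [policy(p, table) for p in packets]


# Constructed traffic: a normal outgoing ssh session from local port 40000.
SESSION = [
    Packet("out", 40000, SSH, frozenset({"SYN"})),
    Packet("in", SSH, 40000, frozenset({"SYN", "ACK"})),
    Packet("out", 40000, SSH, frozenset({"ACK"})),
    Packet("in", SSH, 40000, frozenset({"ACK"})),
]

# Constructed inbound packets with no outgoing connection behind them.
UNSOLICITED = [
    Packet("in", SSH, 5555, frozenset({"SYN"})),   # connection attempt from port 22
    Packet("in", SSH, 5555, frozenset({"ACK"})),   # non-SYN packet from port 22
    Packet("in", 8080, 5555, frozenset({"ACK"})),  # unrelated source port
]

POLICIES = {"port_only": port_only, "port_and_not_syn": port_and_not_syn,
            "conntrack": conntrack}


def compare():
    """Decisions of every policy on both traces, keyed by policy name."""
    return {name: (run(p, SESSION), run(p, UNSOLICITED)) for name, p in POLICIES.items()}


if __name__ == "__main__":
    for name, (sess, unsol) in compare().items():
        print(f"{name:18s} session={sess} unsolicited={unsol}")
```

All three policies pass the legitimate session. On the unsolicited trace, port matching alone accepts anything with source port 22; adding `! --syn` stops the connection attempt but not a non-SYN packet; only the conntrack variant rejects both, because no outgoing connection exists for them to be a reply to. The model's connection table is a simplification and deliberately omits the details (timeouts, window and sequence tracking, mid-stream pickup) that real conntrack adds on top.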