AW: [Dshield] Switched from ipchains -> iptables ... some questions.

Johannes B. Ullrich jullrich at sans.org
Thu May 2 12:52:21 GMT 2002


> If anyone else has experienced this change I'd also appreciate comments.

First of all, there is no urgent reason to switch. ipchains is still a 
valid and good way to build a firewall.

The main issue about iptables is 'features'... iptables has a lot more to 
offer in terms of filtering rules. The main new idea it implements is
a stateful firewall. 

A little scriptlet:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT

The first rule allows all packets that are part of an established
connection to pass. ('related' refers to things like ICMP messages
that may be related to an existing connection).

The second rule will allow new connections, if they go to port 80
(for example, if you are running a web server).

This is much better than having to inspect flags.

Some other (a bit more obscure) topics iptables covers:

- filtering by TTL, to avoid traceroute/firewalker probes.
- filtering by MAC address to avoid people connecting new
  laptops to a network.
- filtering by payload length
- filtering by packet content (wasn't working right last time
  I checked)
- more customizable logging (which can be a pain if you try and
  parse it ;-) ).

and lots more...

In short: yes, you should switch to iptables at some point. But
don't rush it. I like Bob Ziegler's book ("Linux Firewalls"). 
Get the 2nd edition. The 1st covers only ipchains AFAIK.

Also, for somewhat advanced users: yesterday's SANS webcast
had some interesting ideas about filtering packets from
Chris Brenton. I think the webcast is archived and there should
be a link on the sans.org homepage.
> 
> As this is "slightly OT" please reply to g.dodd at falk-ross.de

I think this is 'on topic'

-- 
-------
jullrich at sans.org                    Join http://www.DShield.org
                          Distributed Intrusion Detection System
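
Added example, not part of the original post: a simplified Python model (not netfilter's actual connection tracking) that runs the same inbound packets through a flag-inspection policy and through the two state rules quoted above. It assumes a default DROP policy, that outgoing traffic is tracked, and constructed sample packets; all names are hypothetical.

```python
# Added illustration: simplified model, not netfilter's real conntrack.
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")

def flow_key(p):
    # Direction-independent key so a reply maps to the same connection.
    return frozenset([(p.src, p.sport), (p.dst, p.dport)])

def flag_filter(p):
    """Stateless inbound policy: port 80, or anything that is not an opening SYN."""
    opening_syn = "SYN" in p.flags and "ACK" not in p.flags
    return p.dport == 80 or not opening_syn

class StateFilter:
    """Inbound policy of the two rules: ESTABLISHED, or NEW to port 80."""
    def __init__(self):
        self.table = set()

    def outbound(self, p):
        self.table.add(flow_key(p))      # outgoing traffic creates state

    def inbound(self, p):
        key = flow_key(p)
        if key in self.table:            # rule 1: ESTABLISHED
            return True
        if p.dport == 80:                # rule 2: NEW, destination port 80
            self.table.add(key)
            return True
        return False                     # falls through to the assumed DROP policy

# Constructed sample traffic (documentation address ranges).
HOST = "192.0.2.10"
OUT = Packet(HOST, 40000, "198.51.100.5", 443, {"SYN"})
INBOUND = {
    "reply to our connection": Packet("198.51.100.5", 443, HOST, 40000, {"SYN", "ACK"}),
    "ACK with no connection":  Packet("203.0.113.9", 443, HOST, 40001, {"ACK"}),
    "new web request":         Packet("203.0.113.9", 5555, HOST, 80, {"SYN"}),
    "new ssh attempt":         Packet("203.0.113.9", 5556, HOST, 22, {"SYN"}),
}

def compare():
    # Returns {description: (flag_filter verdict, state filter verdict)}.
    fw = StateFilter()
    fw.outbound(OUT)
    return {name: (flag_filter(p), fw.inbound(p)) for name, p in INBOUND.items()}

if __name__ == "__main__":
    for name, (by_flags, by_state) in compare().items():
        print(f"{name:26} flags={by_flags!s:5} state={by_state}")
```

The two policies disagree only on the segment that belongs to no tracked connection: the flag check lets it in because it carries ACK, the state table does not.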




