Re: IP Spoofing

[Ted Kaczmarek <tedkaz@optonline.net>]

It will allow sessions initiated from the host running iptables to allow
for connections to come back in that are in response to the packet the
host sends out.

If you don't allow the established related packets, you would have to
create a separate rule for each and every IP/Port pair you connect to,
that would allow those packets back in.

The tutorial's at http://iptables-tutorial.frozentux.net/ are some of
the best I have seen, you should add them to your list of reading along
with the other good links you have received.

Unfortunately explaining firewalls in simple terms is not possible.
If you really want to learn, some good materials would be Richard
Stephen TCP/IP Illustrated, you really need to know the protocol itself
before all the firewall technology will make sense.

Also keep in mind that a firewall running on a gateway device  is very
different than on a host.

As always, google is your friend.

Ted




On Fri, 2003-11-07 at 08:34, David C. Hart wrote:
> On Fri, 2003-11-07 at 07:26, Ted Kaczmarek wrote:
> > I would add an input established on that as well, makes it easier to do
> > upgrades.
> > 
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> Hi Ted:
> 
> If you have a moment, could you please explain (for the comparative IPT
> nitwits - including me) what that does?
> > 
> > I wish everyone did implicit DROP's, it would make the web a safer
> > place.
> 
> IBID
> 
> Thanks
> > 
> > :-)
> > 
> > 
> > 
> > Ted
> > 
> > 
> > On Wed, 2003-11-05 at 15:39, Antony Stone wrote:
> > > On Wednesday 05 November 2003 8:19 pm, Leandro Takashi Hirano wrote:
> > > 
> > > > Thanks Antony...
> > > >
> > > > Do you have a script or something where I can find protection rules?
> > > 
> > > You tell us what protection you want and we can suggest some rules to do it.
> > > 
> > > There's no single "magic ruleset" for netfilter / iptables which "protects 
> > > your network", otherwise every distribution would include it as standard.
> > > 
> > > It depends what you want to do.
> > > 
> > > A good starting point is:
> > > 
> > > iptables -P INPUT DROP
> > > iptables -P OUTPUT DROP
> > > iptables -P FORWARD DROP
> > > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > iptables -A FORWARD -i $intIF -o $extIF -j ACCEPT
> > > 
> > > That will allow nothing in or out of the firewall machine itself, and will 
> > > allow all access from your internal network to the Internet, blocking 
> > > everything except reply packets from the Internet to your network.
> > > 
> > > I do not recommend that you simply implement the above rules before you 
> > > understand what they are designed to do.
> > > 
> > > Check Oskar Andreasson's excellent tutorial for more information about this 
> > > sort of configuration, or any of the other documentation at 
> > > http://www.netfilter.org
> > > 
> > > Antony.
> > 
> >