Linux Netfilter discussions
* Is outbound rule needed for http responses?
@ 2004-03-07 21:37 Adesina Adebiyi
  2004-03-08  8:40 ` Antony Stone
  2004-03-08  8:46 ` David Cannings
  0 siblings, 2 replies; 3+ messages in thread
From: Adesina Adebiyi @ 2004-03-07 21:37 UTC (permalink / raw)
  To: netfilter


Hello gentle expert,

I am trying to adapt the iptables firewall for my hosting server.  That is, http, https will be running on it to serve ecommerce clients.  I have adapted rules to allow tcp inbound services for port 80 and 443.  To be able to respond to the requesting clients, do I need corresponding tcp outbound services on port 80 and 443? Or does the first inbound rule take care of this automatically since anyone that makes a tcp request is most likely to expect a reply?

Regards,

Adesina





* Re: Is outbound rule needed for http responses?
  2004-03-07 21:37 Is outbound rule needed for http responses? Adesina Adebiyi
@ 2004-03-08  8:40 ` Antony Stone
  2004-03-08  8:46 ` David Cannings
  1 sibling, 0 replies; 3+ messages in thread
From: Antony Stone @ 2004-03-08  8:40 UTC (permalink / raw)
  To: netfilter

On Sunday 07 March 2004 9:37 pm, Adesina Adebiyi wrote:

> Hello gentle expert,
>
> I am trying to adapt the iptables firewall for my hosting server.  That is,
> http, https will be running on it to serve ecommerce clients.  I have
> adapted rules to allow tcp inbound services for port 80 and 443.  To be
> able to respond to the requesting clients, do I need corresponding tcp
> outbound services on port 80 and 443?

That depends on what your ruleset says.

If you DROP all OUTPUT packets, then of course your INPUT rules will do 
nothing useful, because replies won't get out.

If you allow ESTABLISHED,RELATED packets in OUTPUT, then people will get 
replies to whatever services you enable in INPUT (but the box itself will not 
be able to generate any NEW outbound connections, eg: DNS, unless you allow 
an OUTPUT rule for these).

I suggest you tell us your ruleset (either the iptables commands which set up 
the rules, or the output of "iptables -L -nv; iptables -L -t nat -nv", 
please, not the format created by iptables-save), and tell us what you want 
the ruleset to do, and we can help a bit more specifically.

Regards,

Antony.

-- 
If you want to be happy for an hour, get drunk.
If you want to be happy for a year, get married.
If you want to be happy for a lifetime, get a garden.

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: Is outbound rule needed for http responses?
  2004-03-07 21:37 Is outbound rule needed for http responses? Adesina Adebiyi
  2004-03-08  8:40 ` Antony Stone
@ 2004-03-08  8:46 ` David Cannings
  1 sibling, 0 replies; 3+ messages in thread
From: David Cannings @ 2004-03-08  8:46 UTC (permalink / raw)
  To: netfilter

On Sunday 07 March 2004 21:37, Adesina Adebiyi wrote:
> Hello gentle expert,
>
> I am trying to adapt the iptables firewall for my hosting server.  That
> is, http, https will be running on it to serve ecommerce clients.  I
> have adapted rules to allow tcp inbound services for port 80 and 443. 
> To be able to respond to the requesting clients, do I need
> corresponding tcp outbound services on port 80 and 443? Or does the
> first inbound rule take care of this automatically since anyone that
> makes a tcp request is most likely to expect a reply?

This is what ESTABLISHED and RELATED are for; you might like to add rules 
that use these two states.  I use the following in my firewall script; 
you may wish to be a bit stricter.  Also, if you have a default DROP rule 
on your OUTPUT chain, you'll need to add a similar rule in there too.

# Allow anything that's already setup
iptables -A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Hope that helps,

David


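Worked example, added to this thread and not part of either reply: a complete default-DROP ruleset for a host that only serves HTTP and HTTPS, written in the "-m state" syntax used above. It puts Antony's point and David's rule together: the single RELATED,ESTABLISHED rule in OUTPUT is what carries the responses to port 80/443 connections back out, so no "outbound port 80/443" rule exists, while connections the box itself originates (DNS here) still need their own NEW rule in OUTPUT. Unlike David's rule it is not tied to an interface such as ppp0; the IPT variable, the web_ruleset and count_chain_rules function names and the APPLY switch are conveniences of this example, and the DNS rules assume the server resolves names itself.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal stateful ruleset for a
# host serving HTTP/HTTPS, in the -m state syntax the thread uses.
# With a default DROP policy on OUTPUT, the single RELATED,ESTABLISHED
# rule in OUTPUT is what lets replies to port 80/443 connections leave;
# no "outbound port 80/443" rule is required. NEW outbound traffic the
# box itself originates (DNS here) still needs its own OUTPUT rule.
#
# IPT defaults to the real iptables binary; set IPT=echo to print the
# commands instead of applying them (dry run, no root needed).
IPT="${IPT:-iptables}"

web_ruleset() {
    # Default-deny on every chain; the rules below punch the holes.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Loopback is needed by local services (e.g. the web app talking to
    # a database on the same host).
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Connection tracking: packets that belong to a connection already
    # accepted, in both directions. The OUTPUT rule is the one that
    # carries the HTTP/HTTPS responses out; replies never need a
    # port-specific outbound rule.
    $IPT -A INPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Only NEW connections need explicit per-service rules.
    $IPT -A INPUT -p tcp --dport 80  -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

    # Connections the server itself opens: DNS over UDP and TCP.
    # Without these, a DROP policy on OUTPUT blocks name resolution.
    $IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
}

# Count the rules of the generated set appended to a given chain, using
# a dry run; handy for checking the set before applying it (OUTPUT must
# contain the state rule, INPUT the two service rules).
count_chain_rules() {
    chain="$1"
    IPT=echo web_ruleset | grep -c -- "-A $chain "
}

# Apply only when explicitly asked (APPLY=1 and root), so that sourcing
# or running the file for a dry run changes nothing.
if [ "${APPLY:-0}" = 1 ]; then
    web_ruleset
fi
```

Run it as "IPT=echo sh ruleset.sh" and the commands are printed rather than applied; "APPLY=1 sh ruleset.sh" as root installs them. The ordering matters: the RELATED,ESTABLISHED rules sit before the per-service rules so that the bulk of traffic (every packet after the first of a connection) matches early, and the NEW rules only decide which first packets are allowed in. Current iptables also accepts "-m conntrack --ctstate" for the same job; the older "-m state" form shown here still works.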
