TCP Connection States and fwsnort Chains

Because applying Snort rules only to established TCP sessions is so important (Snort expresses this with the flow: established option), fwsnort creates a dedicated chain for such rules. The name of each of these chains is simply the corresponding fwsnort chain mentioned previously with the string _ESTAB appended. Once all of the fwsnort chains have been created, jump rules are added that use the iptables state match (-m state --state ESTABLISHED) to send TCP packets that belong to established sessions to the appropriate _ESTAB chain. For example, packets in the FWSNORT_INPUT chain are jumped to the FWSNORT_INPUT_ESTAB chain, as shown here:

############ Create fwsnort iptables chains. ############
$IPTABLES -N FWSNORT_INPUT 2> /dev/null
$IPTABLES -F FWSNORT_INPUT
$IPTABLES -N FWSNORT_INPUT_ESTAB 2> /dev/null
$IPTABLES -F FWSNORT_INPUT_ESTAB
$IPTABLES -N FWSNORT_OUTPUT 2> /dev/null
$IPTABLES -F FWSNORT_OUTPUT
$IPTABLES -N FWSNORT_OUTPUT_ESTAB 2> /dev/null
$IPTABLES -F FWSNORT_OUTPUT_ESTAB
$IPTABLES -N FWSNORT_FORWARD 2> /dev/null
$IPTABLES -F FWSNORT_FORWARD
$IPTABLES -N FWSNORT_FORWARD_ESTAB 2> /dev/null
$IPTABLES -F FWSNORT_FORWARD_ESTAB

############ Inspect ESTABLISHED tcp connections. ############
$IPTABLES -A FWSNORT_INPUT -p tcp -m state --state ESTABLISHED -j FWSNORT_INPUT_ESTAB
$IPTABLES -A FWSNORT_OUTPUT -p tcp -m state --state ESTABLISHED -j FWSNORT_OUTPUT_ESTAB
$IPTABLES -A FWSNORT_FORWARD -p tcp -m state --state ESTABLISHED -j FWSNORT_FORWARD_ESTAB

2 For more information on host security issues and hardening strategies, Bastille Linux (http://www.bastille-linux.org) provides lots of great educational information, along with the ability to automatically harden various Linux distributions.
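As an added example (not fwsnort's own code), the POSIX shell script below builds the same create/flush/jump layout for each base chain and then checks iptables -S style output for the ESTABLISHED jump; the names IPTABLES, fwsnort_chain_rules and has_estab_jump and the SAMPLE_RULES listing are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not code from fwsnort or the book. Generates the chain set
# described above for each base chain and checks, against "iptables -S"
# output, that the ESTABLISHED jump exists. IPTABLES defaults to "echo iptables"
# so it dry-runs without root or netfilter; set IPTABLES=iptables to apply.
IPTABLES="${IPTABLES:-echo iptables}"

# Emit create, flush and jump rules for one base chain (INPUT, OUTPUT, FORWARD).
fwsnort_chain_rules() {
    base="FWSNORT_$1"
    # -N fails if the chain already exists, hence 2>/dev/null; the following
    # -F makes a re-run idempotent by clearing rules left from a previous run.
    $IPTABLES -N "$base" 2>/dev/null
    $IPTABLES -F "$base"
    $IPTABLES -N "${base}_ESTAB" 2>/dev/null
    $IPTABLES -F "${base}_ESTAB"
    # Only TCP packets conntrack has seen traffic for in both directions
    # (ESTABLISHED) reach the _ESTAB chain, where flow:established rules live.
    $IPTABLES -A "$base" -p tcp -m state --state ESTABLISHED -j "${base}_ESTAB"
}

# Read "iptables -S" output on stdin; succeed only if base chain $1 hands
# ESTABLISHED TCP traffic to ${1}_ESTAB. Matches the "-m state" form used on
# this page; iptables-nft may print the same rule as "-m conntrack --ctstate".
has_estab_jump() {
    grep -q -- "^-A $1 -p tcp -m state --state ESTABLISHED -j ${1}_ESTAB\$"
}

# Constructed sample of "iptables -S" output: INPUT is wired up, FORWARD is not.
SAMPLE_RULES='-N FWSNORT_INPUT
-N FWSNORT_INPUT_ESTAB
-N FWSNORT_FORWARD
-N FWSNORT_FORWARD_ESTAB
-A FWSNORT_INPUT -p tcp -m state --state ESTABLISHED -j FWSNORT_INPUT_ESTAB'

for chain in INPUT OUTPUT FORWARD; do
    fwsnort_chain_rules "$chain"
done
for chain in FWSNORT_INPUT FWSNORT_FORWARD; do
    if printf '%s\n' "$SAMPLE_RULES" | has_estab_jump "$chain"; then
        echo "$chain: ESTABLISHED jump present"
    else
        echo "$chain: ESTABLISHED jump MISSING"
    fi
done
```

Run it as-is to see the generated commands and the verdict for each sample chain; on a live host, pipe real `iptables -S FWSNORT_INPUT` output into has_estab_jump to confirm the _ESTAB hand-off survived a reload.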
