Stateful Rules

When creating a rule to match packets that always use the same port numbers, everything is easy. Unfortunately, this isn't always the case. For example, a user who connects to a web server will always connect to that web server on port 80, but the packets that go back from the web server go out on a port number that is randomly chosen from the port numbers greater than 1024. You could create a rule that opens outgoing packets on all ports greater than 1024, but that isn't ideal for security reasons. A smarter way of dealing with this problem is to use stateful packet filters. A stateful packet filter analyzes whether an outgoing packet is part of an already established connection, and if it is, it allows the answer to go out. Stateful packet filters are useful for the replies sent by web servers, and for FTP servers as well: in the case of an FTP server the connection is established on port 21, and once the session is established, data is sent to the client over port 20.

By using the --state option, you can indicate which connection state a rule should look at. This functionality, however, is not part of the core netfilter modules; an additional module has to be loaded to allow for state checking. Therefore, in every rule that needs to look at the state a packet is in, the -m state option is used first, followed by the state the rule is looking for; for example, -m state --state RELATED,ESTABLISHED matches packets that are related to a connection that is already allowed, or packets that are part of an established session.
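As an added example (not from the book), the following script builds a minimal stateful ruleset for a web server along the lines described above: new connections are accepted only on the server port, and replies are let out with the state match instead of opening every port above 1024. The port 80 default, the rule order and the dry-run IPT variable (the commands are only printed unless you set IPT=iptables and run as root) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original text. Dry run by default: set IPT=iptables
# (as root) to apply the rules for real.
IPT="${IPT:-echo iptables}"

# Emit a stateful ruleset for a web server listening on the given TCP port
# (default 80, an assumption of this example).
stateful_web_rules() {
    port="${1:-80}"
    # Default policies: drop everything that is not explicitly allowed.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    # Loopback traffic is always allowed.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Clients may open NEW connections to the web server port only.
    $IPT -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    # Replies and related packets pass in both directions; this is what lets
    # the server answer on the client's random high port without a blanket
    # rule for ports above 1024.
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Packets the connection tracker cannot associate with any session are
    # dropped explicitly so they show up if logging is added later.
    $IPT -A INPUT -m state --state INVALID -j DROP
    # Note: with OUTPUT policy DROP the server itself cannot start new
    # outbound connections (DNS, updates); add NEW OUTPUT rules as needed.
}

# Count how many rules in the generated set rely on the state module.
count_state_rules() {
    stateful_web_rules "$1" | grep -c -- '-m state'
}

stateful_web_rules 80
```

On current iptables builds the maintained equivalent of -m state --state is -m conntrack --ctstate, with the same state names.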

The state module is not the only module you can use. Many other modules are available for more advanced configurations. There is, for example, the nth module, which allows you to look at every nth (every 3rd, for example) packet. Further discussion of modules is beyond the scope of this book.
