
Thread: iptables rule selection + new,related connections

  1. #1

    iptables rule selection + new,related connections

    Hi all

    I have two questions I hope someone can help me with.

    #1 Does iptables use the first rule that fulfills a criteria, or does iptables read all the rules and select the most specific?

    #2 If you have a 3G / 4G router that you won't allow to be contacted from the outside world >but< connections / sessions established from the local network through the router are allowed to cross in both directions?

    I know you can use the new, established and related keywords for this, but I have never quite figured out how, and the information (that I can find) isn't defining these keywords that well.

    Thanks in advance
    Kind regards.

  2. #2

    Re: iptables rule selection + new,related connections

    anyone?

  3. #3

    Re: iptables rule selection + new,related connections

    Quote Originally Posted by Drenriza:
    #1 Does iptables use the first rule that fulfills a criteria, or does iptables read all the rules and select the most specific?
    Packets will traverse the iptables rule set in order. If the rule "fulfills a criteria" it follows that rule, and if that rule branches out somehow, then subsequent rules will not be tested against.

    Quote Originally Posted by Drenriza:
    #2 If you have a 3G / 4G router that you won't allow to be contacted from the outside world >but< connections / sessions established from the local network through the router are allowed to cross in both directions?
    Yes, that is how most iptables based routers / firewalls are setup. (I do not know what you mean by a 3G / 4G router. I am only answering about iptables).

    Quote Originally Posted by Drenriza:
    I know you can use the new, established and related keywords for this, but I have never quite figured out how, and the information (that I can find) isn't defining these keywords that well.
    I don't know how to help with this. These are some of the most fundamental keywords in any iptables rule set. I don't know how to describe them any better than is already done in man iptables-extensions. Excerpt:
    Code:
           NEW    The packet has started a new connection or otherwise associated with a connection which has not seen packets in both directions.
    
           ESTABLISHED
                  The packet is associated with a connection which has seen packets in both directions.
    
           RELATED
                  The packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer or an ICMP error.
    However, using tcp as an example, it might help to study how a new tcp connection is made, moving from the initial SYN packet to the ESTABLISHED state, via two way handshaking (i.e. a SYN ACK packet for the initial SYN).
    Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.

  4. #4

    Re: iptables rule selection + new,related connections

    1) The first matching rule takes precedence.

    2) I'm not sure what you're asking. If you're using a router, it will already masquerade your outbound traffic. You don't need any "established,related" rule of your own. In general, the router will be using the same type of rule, only accepting inbound traffic in reply to an outbound request.
    If you ask for help, do not abandon your request. Please have the courtesy to check for responses and thank the people who helped you.

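The two replies above (rules are tried in order, and a router only lets inbound traffic through when it is a reply to something the LAN started) can be checked with a small model. This is an added example, not code from the thread: a first-match rule walker plus a conntrack-style tracker that labels packets NEW, ESTABLISHED or RELATED as in the man page excerpt. The interface names `lan0`/`wan0`, the addresses and the packet sequence are all constructed for illustration.

```python
# Added example, not from the thread: a model of iptables first-match rule evaluation
# plus a conntrack-style NEW/ESTABLISHED/RELATED tracker. All addresses are constructed.
NEW, ESTABLISHED, RELATED = "NEW", "ESTABLISHED", "RELATED"

def pkt(iface, src, sport, dst, dport, related_to=None):
    # related_to = (src, sport, dst, dport) of another flow, e.g. for an ICMP error
    return {"iface": iface, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "related_to": related_to}
def flow_key(src, sport, dst, dport):
    return frozenset([(src, sport), (dst, dport)])  # same key for both directions
class ConnTracker:
    def __init__(self):
        self.seen = {}  # flow key -> set of (src, dst) directions seen so far
    def state(self, p):
        if p["related_to"] and flow_key(*p["related_to"]) in self.seen:
            return RELATED  # new packet tied to a known connection
        dirs = self.seen.setdefault(
            flow_key(p["src"], p["sport"], p["dst"], p["dport"]), set())
        dirs.add((p["src"], p["dst"]))
        return ESTABLISHED if len(dirs) == 2 else NEW  # both directions seen?

def filter_packet(rules, tracker, p, policy="DROP"):
    st = tracker.state(p)
    for rule in rules:  # rules are tried in order, not by specificity
        if "iface" in rule and rule["iface"] != p["iface"]:
            continue
        if "states" in rule and st not in rule["states"]:
            continue
        return rule["target"], st  # terminating target: later rules are never seen
    return policy, st  # nothing matched: the chain policy applies

# Typical router FORWARD rules: replies first, LAN-initiated next, block the WAN.
ROUTER_RULES = [
    {"states": {ESTABLISHED, RELATED}, "target": "ACCEPT"},
    {"iface": "lan0", "states": {NEW}, "target": "ACCEPT"},
    {"iface": "wan0", "target": "DROP"},
]
# Same three rules with the WAN drop on top: first match now discards the replies.
BAD_ORDER = [ROUTER_RULES[2], ROUTER_RULES[0], ROUTER_RULES[1]]

def run(rules):
    t = ConnTracker()
    packets = [
        pkt("lan0", "192.168.1.10", 40000, "203.0.113.5", 443),  # LAN opens HTTPS
        pkt("wan0", "203.0.113.5", 443, "192.168.1.10", 40000),  # server's reply
        pkt("wan0", "198.51.100.7", 5555, "192.168.1.10", 22),   # unsolicited SSH
        pkt("wan0", "203.0.113.1", 0, "192.168.1.10", 0,         # ICMP error about
            related_to=("192.168.1.10", 40000, "203.0.113.5", 443)),  # the HTTPS flow
    ]
    return [filter_packet(rules, t, p) for p in packets]
```

With `ROUTER_RULES` the reply and the ICMP error get through while the unsolicited SSH attempt is dropped; with `BAD_ORDER` the same reply is dropped by the first rule before the ESTABLISHED,RELATED rule is ever reached.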
