When using iptables firewall rules, why assert NEW state on all allowed ports?

I often see iptables configured to allow all packets to RELATED connections, and the specific service ports to NEW connections.

What is the reason for stating NEW? If a connection is not NEW, it is RELATED I guess, so the specific port rule will not execute either. So why explicitly define the service ports with NEW and not just protocol and port number?


Solution 1:

The rules in a netfilter firewall (iptables) are checked sequentially and the fate of the packet (ACCEPT, DROP, REJECT etc.) is determined on a first-match basis.

By making the firewall stateful and the first rule the typical -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT, the vast majority of legitimate traffic to your server is accepted after passing only that single rule. That traffic doesn't need to traverse any other rules.

Depending on the size of your rule base, that can mean a significant difference in your firewall performance.

The only traffic that the firewall now needs to validate are the explicitly new connections.

I.e. compare a firewall for a public webserver with access for a handful of webmasters from their workstations:

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m iprange --src-range 10.9.8.7-10.9.8.10 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited

Roughly 99% of legitimate packets will belong to established connections, only hitting the first rule. Of the packets not matching that rule, the majority should be new connections to your website; the multiport module can grant access to either HTTP or HTTPS in a single rule. The webmasters log in from a number of workstations with fixed addresses using ssh and sftp, and everything else is rejected.

A firewall where the rules are ordered logically by the TCP port:

-A INPUT -p tcp  -m tcp --dport 22  --source 10.9.8.7 -j ACCEPT
-A INPUT -p tcp  -m tcp --dport 22  --source 10.9.8.8 -j ACCEPT
-A INPUT -p tcp  -m tcp --dport 22  --source 10.9.8.9 -j ACCEPT
-A INPUT -p tcp  -m tcp --dport 22  --source 10.9.8.10 -j ACCEPT
-A INPUT -p tcp  -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp  -m tcp --dport 443 -j ACCEPT

Here each and every packet to your HTTP webserver would need to be checked against 5 rules before access is granted. And with more services running on a server, that can easily become 50 rules or many more when you, for instance, use fail2ban or similar products.

Solution 2:

NEW means that the packet has started a new connection.

It is handled by kernel modules called ip_conntrack_* that make your firewall stateful. Stateful firewalls can watch traffic streams.

If you just specify protocol and port number, your firewall is not stateful but stateless. This means that it just restricts or blocks packets. These types of firewalls are not aware of data flows.

A good example is FTP: active FTP uses port 21 for the control channel but then uses port 20 for the data channel. In the case of a stateful firewall, you don't need to explicitly open port 20 because it is related to a previously established connection on port 21.

Here is an extract of the iptables man page:

NEW -- meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions.

ESTABLISHED -- meaning that the packet is associated with a connection which has seen packets in both directions.

RELATED -- meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error.

Solution 3:

-A INPUT -m tcp -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j DROP

The above ruleset will let packets to TCP port 22 with a state of INVALID through (ACCEPT).

Invalid: If none of the previous states apply the packet is in state INVALID. This could be caused by various types of stealth network probes, or it could mean that you're running out of CONNTRACK entries (which you should also see stated in your logs). Or it may simply be entirely benign.

https://unix.stackexchange.com/questions/57423/how-to-understand-why-the-packet-was-considered-invalid-by-the-iptables


Asserting STATE NEW ensures that INVALID packets are not mistakenly accepted.

And to clarify the meanings:

  • NEW: This is a new connection
  • ESTABLISHED: This is a packet involved in a current connection
  • RELATED: This is a new connection, but has been predicated by an existing connection
  • INVALID: None of the above apply.
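To make two of the points above concrete in one place (the rule-traversal count from Solution 1 and the INVALID-packet leak from Solution 3), here is an added Python simulation of iptables' first-match evaluation. It is not code from any of the answers, and it only models the matches those answers use (protocol, destination port, source address or range, and the conntrack state). The rulesets are transcribed from the answers; the non-admin source address 203.0.113.5 and the packets are constructed, and the port-ordered chain is assumed to end in a DROP policy since the answer does not show its last rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One INPUT rule, reduced to the matches used in the answers above."""
    target: str                                   # -j ACCEPT / DROP / REJECT
    proto: Optional[str] = None                   # -p tcp
    dports: frozenset = frozenset()               # --dport 22 or --dports 80,443
    states: frozenset = frozenset()               # -m state --state NEW,...
    src_range: Optional[Tuple[str, str]] = None   # --src-range lo-hi, or --source x as (x, x)


@dataclass(frozen=True)
class Packet:
    """Constructed packet; `state` is what conntrack has already decided about it."""
    proto: str
    dport: int
    src: str
    state: str   # NEW, ESTABLISHED, RELATED or INVALID


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every match on the rule must hold; an absent match matches everything."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dports and pkt.dport not in rule.dports:
        return False
    if rule.states and pkt.state not in rule.states:
        return False
    if rule.src_range is not None:
        lo, hi = (ip_address(a) for a in rule.src_range)
        if not lo <= ip_address(pkt.src) <= hi:
            return False
    return True


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> Tuple[str, int]:
    """First-match traversal: returns (verdict, number of rules inspected)."""
    for n, rule in enumerate(chain, start=1):
        if matches(rule, pkt):
            return rule.target, n
    return policy, len(chain)   # fell through every rule to the chain policy


def stateful_chain() -> List[Rule]:
    """Solution 1's first ruleset: RELATED,ESTABLISHED accepted up front."""
    return [
        Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),
        Rule("ACCEPT", proto="tcp", states=frozenset({"NEW"}), dports=frozenset({80, 443})),
        Rule("ACCEPT", proto="tcp", states=frozenset({"NEW"}), dports=frozenset({22}),
             src_range=("10.9.8.7", "10.9.8.10")),
        Rule("REJECT"),
    ]


def port_ordered_chain() -> List[Rule]:
    """Solution 1's second ruleset: stateless, ordered by TCP port."""
    admins = ("10.9.8.7", "10.9.8.8", "10.9.8.9", "10.9.8.10")
    return [Rule("ACCEPT", proto="tcp", dports=frozenset({22}), src_range=(a, a)) for a in admins] + [
        Rule("ACCEPT", proto="tcp", dports=frozenset({80})),
        Rule("ACCEPT", proto="tcp", dports=frozenset({443})),
    ]


def ssh_chain(assert_new: bool) -> List[Rule]:
    """Solution 3's ruleset, with or without --state NEW on the port-22 rule."""
    return [
        Rule("ACCEPT", proto="tcp", states=frozenset({"RELATED", "ESTABLISHED"})),
        Rule("ACCEPT", proto="tcp", dports=frozenset({22}),
             states=frozenset({"NEW"}) if assert_new else frozenset()),
        Rule("DROP"),
    ]


if __name__ == "__main__":
    web = Packet("tcp", 80, "203.0.113.5", "ESTABLISHED")
    print("stateful, established HTTP:", evaluate(stateful_chain(), web))
    print("port-ordered, established HTTP:", evaluate(port_ordered_chain(), web))
    probe = Packet("tcp", 22, "203.0.113.5", "INVALID")
    print("port 22 without NEW, INVALID packet:", evaluate(ssh_chain(False), probe))
    print("port 22 with NEW, INVALID packet:", evaluate(ssh_chain(True), probe))
```

Run as a script it prints the verdict and the number of rules each packet had to pass: the established HTTP packet is decided by rule 1 in the stateful chain but by rule 5 in the port-ordered one, which is the count Solution 1 quotes, and the INVALID packet to port 22 is accepted at rule 2 unless that rule also asserts NEW, in which case it falls through to the DROP.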