Cpanel/WHM FAQs


IPTables


1) IP connection tracking feature

IP connection tracking is the ability to keep connection information in memory. It was added in the 2.4.xx Linux kernel; earlier only commercial firewalls had this feature, but it is now part of Linux. The kernel remembers connection states such as new and established connections, along with the protocol type and the source and destination IP addresses, and we can allow or deny access based upon that state. The states are:


1) NEW - a client requesting a new connection through the firewall host
2) ESTABLISHED - a packet that is part of an already established connection
3) RELATED - a connection that starts a new request but is part of an existing connection
4) INVALID - a packet that matches none of the above three states


As an example, when we connect to ftp.redhat.com, the client opens a NEW connection to the FTP server. When we then download a file from ftp.redhat.com, the data transfer is an ESTABLISHED connection. In the case of a passive FTP connection the client connection port is 20, but the transfer port can be any unused port 1024 or higher, so we need to use the RELATED state at the firewall if we wish to allow passive FTP access.

Use the following iptables rules if you wish to allow passive FTP connections.


iptables -I INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -I OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT


Connection tracking also works with a stateless protocol such as UDP. The following example allows only packets that belong to an established or related connection to be forwarded:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT


2) How to limit the number of incoming TCP connections (SYN flood attack)

A SYN flood is a common attack, and it can be blocked with the following rules:
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP

In the example above, incoming connection attempts (SYN packets) are accepted until the limit is reached; any SYN packets beyond the limit fall through to the second rule and are dropped.
--limit 1/s: maximum average matching rate, here one packet per second
--limit-burst 3: maximum initial number of packets to match before the rate limit takes effect
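The connection-tracking baseline from section 1 and the rate-limited SYN check from section 2, combined into one ruleset generator. This is an added example, not code from the original page: it emits iptables-restore(8) format so the rules can be reviewed (or checked with iptables-restore --test) before loading, it uses the conntrack match (the current replacement for -m state) together with a dedicated syn_flood chain, and the rate, burst and port numbers are illustrative assumptions.

```shell
#!/bin/sh
# Added example: build a minimal stateful INPUT policy as an iptables-restore
# ruleset. Default policy DROP, loopback and ESTABLISHED/RELATED accepted,
# INVALID dropped, every SYN passed through a rate-limited syn_flood chain,
# then only the listed TCP service ports accepted as NEW connections.
# Rate and burst are illustrative defaults, not tuned for any real host.

SYN_RATE="${SYN_RATE:-1/s}"   # --limit: average SYN rate allowed
SYN_BURST="${SYN_BURST:-3}"   # --limit-burst: initial burst before the limit bites

# gen_ruleset PORT...  -> prints the ruleset; each PORT is a TCP service to allow.
# Inside syn_flood, RETURN hands packets under the limit back to INPUT so the
# port rules below can accept them; once the burst is used up, DROP wins.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:syn_flood - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --syn -j syn_flood
-A syn_flood -m limit --limit $SYN_RATE --limit-burst $SYN_BURST -j RETURN
-A syn_flood -j DROP
EOF
    # service rules come after the SYN check, so excess SYNs never reach them
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf 'COMMIT\n'
}

# count_rules PORT... -> number of -A lines in the generated ruleset (sanity check)
count_rules() {
    gen_ruleset "$@" | grep -c '^-A '
}

# Typical use: gen_ruleset 22 80 443 > rules.v4 && iptables-restore --test rules.v4
```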


Please send comments on these web pages to sumith at sumith.net

copyright (c) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005 Sumith Sreedhar
Verbatim copying and redistribution of this entire page are permitted provided this notice is preserved.

