IP tables question

Hello,

I understand that we are allowing ports 7000 - 7050


iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7050  -j ACCEPT


Do you know why we have the "-m state --state NEW" option?
mokkan Asked:

Steven Carnahan, Network Manager, Commented:
-m state --state NEW — The matching packet is either creating a new connection or is part of a two-way connection not previously seen.

-m state is used to set up the matching criteria (in this case the state) and then the --state NEW is used to set the criteria to new connections only. Established connections should not be affected by this command.
0
mokkan (Author) Commented:
Thank you very much. In this case, what is the difference between these 2 commands? Both are doing the same thing. The second command checks the connection state before accepting. Am I right?

iptables -A INPUT  -p tcp --dport 7000:7050  -j ACCEPT


iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7050  -j ACCEPT
0
Steven Carnahan, Network Manager, Commented:
The difference is that you are limiting the command to new connections in the first command. Other than that I believe that they both perform the same function.
0

comfortjeanius Commented:
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7050  -j ACCEPT

This is using a stateful firewall technique. With this, iptables tracks the state of every connection, such as NEW, ESTABLISHED, RELATED, UNTRACKED, and INVALID per the man pages.

NEW meaning that the packet has started a new connection, or is otherwise associated with a connection which has not seen packets in both directions.

ESTABLISHED meaning that the packet is associated with a connection which has seen packets in both directions.

RELATED meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error.

INVALID meaning that the packet could not be identified for some reason which includes running out of memory and ICMP errors which don't correspond to any known connection.

UNTRACKED meaning that the packet is not tracked at all, which happens if you use the NOTRACK target in raw table.

iptables -A INPUT  -p tcp --dport 7000:7050  -j ACCEPT

This rule simply allows NEW inbound connections in the INPUT chain of iptables to ports 7000:7050, but does not track the state of the packet for later use.
0
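To show where the `--state NEW` rule fits in a complete stateful ruleset (the point both answers make: replies are handled once by an ESTABLISHED,RELATED rule, so the per-service rule only has to admit connection openers), here is an added example that is not part of the original thread. It builds an `iptables-restore` file as text so it can be reviewed before it is applied; the port range 7000:7050 is the one from the question, and the default-DROP policy, the loopback rule and the INVALID drop are assumptions about a typical host firewall. It uses `-m conntrack --ctstate`, which is the current spelling of the same match as `-m state --state`.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits a filter table in
# iptables-restore format. Apply with:  iptables-restore < input-rules.v4
# Lines beginning with '#' are ignored by iptables-restore.

build_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback traffic is always allowed.
-A INPUT -i lo -j ACCEPT
# Drop packets conntrack cannot classify (stray ACKs, out-of-window segments).
# A stateless "-p tcp --dport 7000:7050 -j ACCEPT" rule would let these through.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Replies to connections already in the conntrack table are accepted here,
# once, instead of needing a per-service rule for return traffic.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only the connection-opening packets (SYN for TCP) need to match the
# service rule. Ports 7000:7050 are the range from the question.
-A INPUT -m conntrack --ctstate NEW -p tcp --dport 7000:7050 -j ACCEPT
COMMIT
EOF
}

# Count the INPUT rules in the generated table (a quick self-check
# before applying; assumed helper, not an iptables feature).
input_rule_count() {
    build_rules | grep -c '^-A INPUT'
}

# Print the ruleset so it can be redirected into a file and reviewed.
build_rules
```

Validate the generated file without touching the live table with `iptables-restore --test < input-rules.v4`; only after that apply it. Because the INPUT policy is DROP, anything not matched by the NEW rule or the ESTABLISHED,RELATED rule is discarded, which is exactly the behaviour the state match is there to provide.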

mokkan (Author) Commented:
Thanks a lot.
0
comfortjeanius Commented:
No problem
0