= Overview =
[[Image:iptables.png]]
This diagram applies to pretty much every TCP service. Note that:
* In this diagram there are two sets of iptables rules: the OUTPUT/INPUT chains on the client and the INPUT/OUTPUT chains on the server.
* Outbound traffic (Firefox connecting to the web server) is rarely blocked unless there is a business policy to prevent some kind of traffic, and even then it is usually done on a router rather than on the host (that is a topic for later).
* Inbound traffic is of two distinct types, and in our diagram we have both:
*# New incoming connections (what you normally think of as inbound traffic): the web server receives a new incoming connection.
*# Incoming data that is a response to a request: the web page that the server sent back in the diagram above.
* We normally don't want to do anything special for the response. It is a safe assumption that a connection that was allowed to be established should be allowed to receive a response. Connection tracking takes care of this through the following INPUT chain rule, which should be there by default on your machines (this is how iptables -L displays it):
<pre>ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED</pre>
On newer systems the same rule is written with -m conntrack --ctstate RELATED,ESTABLISHED and is listed as "ctstate RELATED,ESTABLISHED"; the older state match is a legacy alias that behaves the same way.
* Rules match on chains (e.g. INPUT/OUTPUT), protocols (e.g. tcp/udp/icmp), and ports (e.g. 22, 80, 443).
*# For the request the source port (sport) is 40112 (an ephemeral port picked by the client) and the destination port (dport) is 80.
*# For the response the source port is 80 and the destination port is 40112.
* Because we have the RELATED,ESTABLISHED rule we only need to control new incoming connections, which in our example on the server means INPUT, TCP, destination port 80. Rules in a chain are evaluated in order and the first match wins, so the RELATED,ESTABLISHED rule should sit before any rule that drops traffic, and the chain's default policy decides the fate of anything no rule matched.
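The following is an added example, not part of the original page: a small POSIX shell script that prints the server-side INPUT chain described above (loopback, the RELATED,ESTABLISHED rule, one NEW rule per service port, then a DROP policy) and walks that same chain in pure shell for a single packet, so the first-match logic can be checked without root or a kernel. The service ports (80 and 22) are hypothetical; the rules use the legacy -m state syntax shown on the page, and -m conntrack --ctstate is a drop-in replacement.

```shell
#!/bin/sh
# Added example (not from the original page). Assumptions: the service
# ports passed as arguments are hypothetical; -m state is the legacy
# syntax, -m conntrack --ctstate behaves the same on newer systems.

# Print the iptables commands for a minimal server INPUT chain.
# Ordering matters: loopback and RELATED,ESTABLISHED come first so that
# replies to connections we already allowed are accepted before the
# per-port rules are even consulted; the DROP policy is set last so the
# host stays reachable while the rules are loaded.
# Usage: server_input_rules PORT...   (pipe into sh as root to apply)
server_input_rules() {
    echo "iptables -P INPUT ACCEPT"
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    for port in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    echo "iptables -P INPUT DROP"
}

# Walk the same chain for one packet: first matching rule wins, the
# default policy (DROP) applies if nothing matched.
# Usage: input_verdict STATE PROTO DPORT PORT...
#   STATE is the conntrack state (NEW, ESTABLISHED, RELATED, INVALID)
input_verdict() {
    state=$1; proto=$2; dport=$3; shift 3
    # Rule 1: replies to connections we already allowed (the page's
    # RELATED,ESTABLISHED rule). The web page coming back to port 40112
    # is accepted here without needing a rule for port 40112.
    case "$state" in
        RELATED|ESTABLISHED) echo ACCEPT; return ;;
    esac
    # Rules 2..n: new TCP connections to a published service port.
    if [ "$proto" = tcp ]; then
        for port in "$@"; do
            if [ "$dport" = "$port" ]; then
                echo ACCEPT
                return
            fi
        done
    fi
    # Default policy: anything else (NEW to an unpublished port, UDP,
    # INVALID) is dropped.
    echo DROP
}
```

Running input_verdict ESTABLISHED tcp 40112 80 gives ACCEPT (the response in the diagram), input_verdict NEW tcp 80 80 gives ACCEPT (the request), and input_verdict NEW tcp 22 80 gives DROP because only port 80 was published.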
= Setup =