Tuesday, November 30, 2010

iptables state and cisco firewalls

RedHat's {G,T}UI allows one to easily run iptables to allow connections only on certain ports. So if you allowed only HTTPS the following rule would be added to /etc/sysconfig/iptables:
- -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
The above however is for NEW connections only. However, a rule like the following is also added by RedHat's tool which allows anything related to an existing state entry to pass:
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
This all seems reasonable but I'm having a problem where packets are in an INVALID state and are getting blocked by iptables (confirmed with an iptables log). The workaround that my colleague came up with is to drop state out of the equation by simply having:
- -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT
The same colleague also found a blog post on Cisco PIX mangled packets and iptables state tracking which offers are much more satisfying explanation. We're looking into this further.

No comments: