Iptables And Connection Tracking; Ipv6 - Red Hat ENTERPRISE LINUX 4 System Administration Manual


Chapter 18. Firewalls
Note
There is a distinction between the DROP and REJECT targets when writing rules that deny
traffic.
The REJECT target denies access and returns an error to the client that attempted the
connection: by default an ICMP port-unreachable message, which a TCP client reports as
"connection refused" (the --reject-with tcp-reset option sends a TCP RST instead). The DROP
target, as the name implies, silently discards the packet, so the client sees only a timeout.
Administrators can use their own discretion when choosing between these targets. However, to
avoid user confusion and repeated attempts to connect, the REJECT target is recommended for
services your own users reach. DROP does not reveal that a firewall is present and is often
preferred on an untrusted interface.

18.7. IPTables and Connection Tracking

You can inspect and restrict connections to services based on their connection state. The
connection tracking module of iptables records information about every connection it sees,
incoming or outgoing, so that later packets can be classified as belonging to one of them.
You can allow or deny access based on the following connection states:
• NEW — A packet requesting a new connection, such as the TCP SYN that opens an HTTP request.
• ESTABLISHED — A packet that is part of an existing connection in the tracking table, in
either direction.
• RELATED — A packet that is requesting a new connection, but one that belongs to an existing
connection. For example, FTP uses port 21 for the control connection, but data is transferred
on a separate connection (from port 20 in active mode). The kernel can only recognise the data
connection as RELATED when the matching protocol helper module (ip_conntrack_ftp) is loaded,
because the helper has to read the control channel to learn which data connection to expect.
• INVALID — A packet that cannot be associated with any connection in the connection tracking
table and does not validly start a new one, for example a TCP packet with an illegal flag
combination or a sequence number outside the tracked window. Such packets should be dropped
before any ACCEPT rule can match them.
You can use the stateful functionality of iptables connection tracking with any network protocol,
even if the protocol itself is stateless (such as UDP): the kernel treats a UDP request and the
reply that follows it as one pseudo-connection, so the reply matches ESTABLISHED. The following
example shows a rule that uses connection tracking to forward only the packets that are
associated with an established connection:
[root@myServer ~ ] # iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
This rule is normally paired with a default DROP policy on the FORWARD chain and a separate
rule that accepts NEW packets only toward the services you intend to expose; without a NEW
rule no connection can be opened through the firewall in the first place.
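
The following script puts the four states together into a complete default-deny ruleset. It is an added example, not code from the Red Hat manual: the interface names (eth0 untrusted, eth1 trusted), the exposed ports and the helper module name are assumptions. IPT defaults to echo, so running it only prints the rules it would load; run it as root with IPT=iptables (and MODPROBE=modprobe) to apply them. To persist the helper on Red Hat Enterprise Linux, list it in IPTABLES_MODULES in /etc/sysconfig/iptables-config.

```shell
#!/bin/sh
# Stateful iptables ruleset built around the four connection states.
# Added example, not taken from the Red Hat manual. IPT defaults to "echo",
# so running the script only prints the rules it would load; run it as root
# with IPT=iptables to apply them. Interface names, the exposed ports and
# the helper module name are assumptions for this illustration.
WAN="${WAN:-eth0}"      # untrusted side (assumed)
LAN="${LAN:-eth1}"      # trusted side (assumed)
IPT="${IPT:-echo}"      # "echo" = dry run, "iptables" = apply

ipt() { "$IPT" "$@"; }

stateful_rules() {
    # Default-deny for traffic to and through this host; outbound is allowed.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT

    # INVALID first: packets that match no tracked connection and do not
    # validly open one must never reach an ACCEPT rule.
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A FORWARD -m state --state INVALID -j DROP

    # ESTABLISHED/RELATED next: replies to connections already accepted below,
    # plus helper-recognised flows such as FTP data connections.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # NEW last, one rule per service deliberately exposed. --syn matters:
    # conntrack will by default pick a TCP flow up mid-stream, so a bare ACK
    # with no table entry can be classified NEW rather than INVALID.
    ipt -A INPUT -i "$WAN" -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$WAN" -p tcp --dport 21 --syn -m state --state NEW -j ACCEPT
    # UDP has no handshake, but conntrack still pairs a query with its reply:
    # the query is NEW, the answer flowing back matches ESTABLISHED.
    ipt -A INPUT -i "$LAN" -p udp --dport 53 -m state --state NEW -j ACCEPT
    # Trusted hosts may open connections outward through the firewall.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -m state --state NEW -j ACCEPT

    # Any other attempt to open a connection from the untrusted side is
    # refused explicitly (see the note on REJECT versus DROP above).
    ipt -A INPUT -i "$WAN" -m state --state NEW -j REJECT
}

# RELATED only works for FTP when the helper that parses the PORT/PASV
# exchange on port 21 is loaded: ip_conntrack_ftp on the RHEL 4 era kernel,
# nf_conntrack_ftp on current kernels. MODPROBE defaults to echo (dry run).
load_helpers() {
    "${MODPROBE:-echo}" "${FTP_HELPER:-ip_conntrack_ftp}"
}

load_helpers
stateful_rules
```

The rule order is the point: INVALID is dropped before ESTABLISHED,RELATED is accepted, and only then are NEW packets considered, so every ACCEPT of a NEW packet is a deliberate decision about one service. Check the result on a live system with iptables -L -v -n and watch the packet counters on the INVALID rule; a steadily climbing count usually means asymmetric routing or a stray scanner rather than a misconfiguration.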

18.8. IPv6

The introduction of the next-generation Internet Protocol, called IPv6, expands beyond the 32-bit
address limit of IPv4 (or IP). IPv6 uses 128-bit addresses, so networks that are IPv6 aware can
assign vastly more routable addresses than IPv4 allows.
Red Hat Enterprise Linux supports IPv6 firewall rules using the Netfilter 6 subsystem and the
ip6tables command. In Red Hat Enterprise Linux 5, both the iptables and ip6tables services are
enabled by default.
The ip6tables command syntax follows iptables: the same chains, targets and option names apply,
and the addresses given to -s and -d are 128-bit IPv6 addresses. Not every iptables match or
table is available in ip6tables, however, and IPv6 connection tracking is a separate kernel
component that the Red Hat Enterprise Linux 4 kernel does not provide, so ip6tables rules on that
release must be written without the state match. For example, use the following command to
enable SSH connections from one IPv6 host on an IPv6-aware network server:
[root@myServer ~ ] # ip6tables -A INPUT -i eth0 -p tcp -s 3ffe:ffff:100::1/128 --dport 22 -j ACCEPT
One difference from IPv4 deserves attention: ICMPv6 cannot simply be blocked the way ICMP often
is on IPv4 networks. Neighbor Discovery (the replacement for ARP), router advertisements and Path
MTU Discovery are all carried over ICMPv6, and an IPv6 host that drops them loses connectivity
on its own link.
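
The script below is an added example, not code from the Red Hat manual, showing what a default-deny ip6tables ruleset needs beyond the SSH rule above. It is deliberately stateless, since the RHEL 4 kernel has no IPv6 connection tracking. IP6T defaults to echo (dry run); run it as root with IP6T=ip6tables to apply. The interface name eth0 and the admin address are assumptions; the address reuses the manual's 3ffe:ffff:100::1 only as a placeholder, because 3ffe::/16 is the retired 6bone test prefix.

```shell
#!/bin/sh
# ip6tables ruleset for an IPv6-aware server. Added example, not from the
# Red Hat manual. Written without -m state, because the RHEL 4 kernel has
# no IPv6 connection tracking; IP6T defaults to "echo" (dry run), run as
# root with IP6T=ip6tables to apply. The admin address reuses the manual's
# 3ffe:ffff:100::1 purely as a placeholder: 3ffe::/16 is the retired 6bone
# test prefix, so substitute your own.
WAN="${WAN:-eth0}"                         # assumed interface name
ADMIN6="${ADMIN6:-3ffe:ffff:100::1/128}"   # host allowed to reach SSH
IP6T="${IP6T:-echo}"

ip6t() { "$IP6T" "$@"; }

# ICMPv6 types an IPv6 host cannot function without (see RFC 4890).
# Neighbor Discovery replaces ARP, Router Advertisements configure addresses
# and the default route, and Packet Too Big drives Path MTU Discovery.
REQUIRED_ICMPV6="destination-unreachable packet-too-big time-exceeded \
parameter-problem echo-request echo-reply router-solicitation \
router-advertisement neighbour-solicitation neighbour-advertisement"

ipv6_rules() {
    ip6t -P INPUT DROP
    ip6t -P FORWARD DROP
    ip6t -P OUTPUT ACCEPT
    ip6t -A INPUT -i lo -j ACCEPT

    # Without these a default-DROP policy silently breaks address
    # resolution and the node drops off the link.
    for t in $REQUIRED_ICMPV6; do
        ip6t -A INPUT -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
    done

    # The manual's SSH rule: a single /128 host address. Because there is
    # no state match, the reply traffic relies on OUTPUT being ACCEPT.
    ip6t -A INPUT -i "$WAN" -p tcp -s "$ADMIN6" --dport 22 -j ACCEPT
}

ipv6_rules
```

On a kernel that does provide IPv6 connection tracking, the same ESTABLISHED,RELATED and INVALID rules used with iptables can be added to ip6tables unchanged; the ICMPv6 rules still have to come before them, because Neighbor Solicitation for a host that has never spoken to you has no connection to be RELATED to.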