Why we have complex iptables settings for allowed services?

dronus asked:

On several server systems, I encountered two dominant styles of iptables firewall configurations:

The first one is blocking every INPUT except the ports of provided services like HTTP.

The second one is blocking every INPUT except packets for connections in NEW state for several services, with elaborate settings and all packets for connections in ESTABLISHED state. It is also blocking all OUTPUT packets except those of connections in ESTABLISHED state.

What kind of security does the latter provide that the first simple solution does not manage?

Of course it may be useful to block users using outgoing ports for their reason, but if I do not need to protect the server from it’s own users, but only from outside threats, are both methods identical, or will the second still provide benefits?

My answer:

The first type of firewall you have described is stateless. It is simplistic and does not keep track of connections; it just checks the given rules as fast as it can. This is not generally recommended anymore except in circumstances where firewall performance is a significant bottleneck, as it allows significantly more traffic than is obvious from first glance. Particularly, traffic which isn’t associated with a legitimate connection can pass through such a firewall.

The second type of firewall is stateful. It is capable of tracking connection states, determining whether a particular packet is associated with a known-good connection, and accepting or rejecting it. It is much better at catching invalid traffic than a stateless firewall. Without some overriding concern, all firewalls should be stateful for maximum possible security.

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.