Why not to use -m match and --state with iptables
Something I learned recently:
The iptables tool is wonderful, especially if you’re suddenly getting a lot of traffic that you don’t want. Recently, I’ve been seeing a message in the logs, warning “ip_conntrack: table full, dropping packet.”
“WTF? How can the connection tracking table be full? I’m not using connection tracking…”
It turns out that rules which use the "state" match module to check a connection's state cause the kernel to start tracking that connection, just in case you ever want to match against the ESTABLISHED or RELATED states. Let me explain with an example.
Some firewalls are set up with a rule like the following:
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Allow packets from existing connections through"
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT -m comment --comment "Allow new connections to HTTPD"
-A INPUT -j DROP -m comment --comment "Drop everything else on the floor"
This, however, has a problem: once you get a LOT of simultaneous connections, they will fill the connection tracking table and your firewall may start behaving erratically. This can be handled in one of two ways.
If you really need to match against new connections, replace
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
with:
-A INPUT -m tcp -p tcp --syn --dport 80 -j ACCEPT
Don’t forget that the rule above will only cover new connections. Most of the time, however, you just want to accept all traffic on the port, new or otherwise:
-A INPUT -m tcp -p tcp --dport 80 -j ACCEPT
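To find rules like the ones above in an existing firewall, here is a small audit script (an added example, not code from the original post). It scans an `iptables-save` dump for rules that use the `state` or `conntrack` match, suggests the stateless `--syn` form where the rule only matches NEW TCP connections, and works out how full the tracking table is from the two `/proc` counters; the sample ruleset is constructed from the post.

```python
import re
from typing import List, Tuple

# Constructed sample: the ruleset from the post, as `iptables-save` would print it.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Allow packets from existing connections through"
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT -m comment --comment "Allow new connections to HTTPD"
-A INPUT -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j DROP -m comment --comment "Drop everything else on the floor"
COMMIT
"""

# Both the legacy `state` match and the newer `conntrack` match load nf_conntrack.
STATE_MATCH = re.compile(r"-m (?:state|conntrack)\b")
STATE_NEW_ONLY = re.compile(r"-m (?:state|conntrack) --(?:state|ctstate) NEW\s*")
STATE_ARG = re.compile(r"--(?:state|ctstate) (\S+)")


def syn_equivalent(rule: str) -> str:
    """Rewrite a TCP `--state NEW` rule into the stateless `--syn` form."""
    return STATE_NEW_ONLY.sub("", rule).replace("-p tcp", "-p tcp --syn", 1)


def audit_rules(dump: str) -> List[Tuple[str, str]]:
    """Return (rule, advice) for every rule that engages connection tracking.

    Once conntrack is loaded every flow through the host is tracked, so one
    such rule is enough to expose the host to "table full" packet drops.
    """
    findings = []
    for line in dump.splitlines():
        if not line.startswith("-A") or not STATE_MATCH.search(line):
            continue
        m = STATE_ARG.search(line)
        states = set(m.group(1).split(",")) if m else set()
        if states == {"NEW"} and "-p tcp" in line:
            advice = "stateless equivalent: " + syn_equivalent(line)
        else:
            advice = "needs conntrack; if you only filter by port, drop the state match"
        findings.append((line, advice))
    return findings


def conntrack_pressure(count: int, maximum: int) -> float:
    """Fraction of the tracking table in use; feed it the values read from
    /proc/sys/net/netfilter/nf_conntrack_count and nf_conntrack_max."""
    return count / maximum if maximum else 0.0


if __name__ == "__main__":
    for rule, advice in audit_rules(SAMPLE_RULES):
        print(rule, "\n   ->", advice)
```

On a live box, pipe `iptables-save` into `audit_rules` and watch `conntrack_pressure` approach 1.0 before the "table full" message appears.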
Easy when you know how. And why.