
Usually connection tracking is required for outbound connections to allow established connections back in, for instance:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

I don't have connection tracking enabled on my server, so I was wondering if there are any alternative rules or solutions for this?

HTF
  • Create lots of stateless rules, like we did back in the ol' ipchains days. – Zoredache Dec 18 '14 at 19:32
  • You meant ctstate instead of state, right? How does it come you don't have connection tracking enabled? – Xavier Lucas Dec 20 '14 at 23:21
  • I meant `state`, and I think both modules use the same kernel internals underneath; `ctstate` is just a newer implementation. It's an OpenVZ hypervisor and connection tracking is disabled due to some permanence problems: https://bugzilla.openvz.org/show_bug.cgi?id=2755 – HTF Dec 22 '14 at 09:10

1 Answer

iptables -A INPUT -p tcp ! --syn -j ACCEPT will allow any non-SYN TCP packets through. It doesn't give you RELATED (viz. connections allowed because of other connections, e.g. ftp->ftp-data), nor does it drop connections that weren't properly ESTABLISHED, but Linux won't do anything with it if it is unexpected -- it gets dropped to the floor. If you need UDP, you're in for some fun enumerating allowed connections.

Andrew Domaszek
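To show what a full stateless ruleset built on the `! --syn` idea looks like, including the UDP enumeration the answer warns about, here is an added example (not the answerer's code) in POSIX sh. It only generates iptables-restore text; the exposed TCP ports and the resolver address 192.0.2.53 are constructed values passed in as arguments.

```shell
#!/bin/sh
# Added example: generate a stateless INPUT policy for a host whose kernel
# has no conntrack. Output is iptables-restore text; nothing is applied here.
# Assumptions (constructed): the exported TCP service ports and the DNS
# resolver addresses are passed in as space-separated arguments.

# gen_rules "<tcp ports>" "<dns servers>"
gen_rules() {
  tcp_ports=$1
  dns_servers=$2
  echo '*filter'
  echo ':INPUT DROP [0:0]'
  echo ':FORWARD DROP [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  echo '-A INPUT -i lo -j ACCEPT'
  # Stateless stand-in for ESTABLISHED: replies to our own outbound TCP
  # connections never carry a bare SYN. A stray ACK that matches no socket
  # gets a RST or is dropped by the kernel, so this opens no service by itself.
  echo '-A INPUT -p tcp ! --syn -j ACCEPT'
  # New inbound connections (bare SYN) only to the services we export.
  for p in $tcp_ports; do
    echo "-A INPUT -p tcp --syn --dport $p -j ACCEPT"
  done
  # UDP has no handshake flags, so every expected reply must be enumerated:
  # here, answers from each resolver's port 53 to an unprivileged local port.
  for s in $dns_servers; do
    echo "-A INPUT -p udp -s $s --sport 53 --dport 1024:65535 -j ACCEPT"
  done
  # ICMP errors keep PMTU discovery and traceroute working; echo-reply lets
  # outbound pings receive their answers.
  for t in destination-unreachable time-exceeded echo-reply; do
    echo "-A INPUT -p icmp --icmp-type $t -j ACCEPT"
  done
  echo 'COMMIT'
}

# Guard used before loading: the generated ruleset must not reference the
# state or conntrack matches, which would fail on a conntrack-less kernel.
# Returns 0 when the text is clean.
no_conntrack_refs() {
  ! echo "$1" | grep -Eq -- '-m (state|conntrack)'
}

# Example run: SSH and HTTP exported, one resolver at a documentation address.
gen_rules "22 80" "192.0.2.53"
```

Pipe the output into `iptables-restore` to load it; note that the trade-off the answer describes still applies, since a non-SYN segment from anywhere is accepted by the filter and only rejected by the socket layer.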