Linux firewall packet handling

Question

When a client communicates with a the server via HTTP, for example, there are many packets going in both directions. It means from the client to the server and vice versa.

I would like to ask how exactly Linux firewall or iptables installed on the client machine applies rules to these packets.

My possible explanations are:

Only for the first packet sent from the client to the server it is determined based on the iptables rules what happens with the package. For the response packet from the server is applied the same rule as for the initial packet, e.g. REJECT, ACCEPT.
Each packet irrespective if it is the initial packed or a response is handled by the iptables separately. iptables in this case does not care if the packet is a part of a connection to some server or if it is just a separate packet.

The jargon is either a simple packet filter (1) or a [statefull firewall](https://en.wikipedia.org/wiki/Stateful_firewall) (2) and which depends on the actual config as Florin explained. The most common firewall filters only incoming connections, which would not hinder any traffic over connections initiated on the client, but a more advanced concept is [egress filtering](https://en.wikipedia.org/wiki/Egress_filtering). — HBruijn, Sep 11 '16 at 18:50

Florin Asăvoaie · Answer 1 · 2016-09-12T07:12:57.097

3

It highly depends on your configuration. Iptables doesn't do anything by default. In my experience, I've seen the following two practices as most common:

The allow rule accepts all incoming packets with a certain destination port & no outgoing rules. Eventually accept all packets from a specific source network with a certain destination port. As you can imagine, there would be no problems with subsequent packets in this case.
The allow rule accepts only the first packet of new connections with a certain destination port. Then there is another rule that uses the connection tracking mechanism from iptables that matches packets RELATED to an already ESTABLISHED connection. Of course, this would be a way better solution than the previous one in many cases.

edited Sep 12 '16 at 07:12

answered Sep 11 '16 at 15:03

Florin Asăvoaie

6,932
22
35

I think it should be: "The **incoming** rule accepts all packets with a certain destination port..." – user375197 Sep 11 '16 at 22:48
While that should be obvious for someone working on such a task, I agree with you and edited the answer. – Florin Asăvoaie Sep 12 '16 at 07:13
I think it is still incorrect. There is nothing like "the allow rule". There can be only a rule which decides to allow a packet uder certain conditions. – user375197 Sep 12 '16 at 13:01
Exactly, that's why it is THE allow rule, the on specific to allowing these packets. – Florin Asăvoaie Sep 12 '16 at 13:10

Linux firewall packet handling

1 Answers1