Ryfujk

How to deal with taxi scam when on vacation?

Why doesn't the EU now just force the UK to choose between referendum and no-deal?

Can I use USB data pins as power source

How to simplify this time periods definition interface?

Hacking a Safe Lock after 3 tries

In a future war, an old lady is trying to raise a boy but one of the weapons has made everyone deaf

Min function accepting varying number of arguments in C++17

My adviser wants to be the first author

Is there a data structure that only stores hash codes and not the actual objects?

Happy pi day, everyone!

How to deal with a cynical class?

Why do passenger jet manufacturers design their planes with stall prevention systems?

The difference between「N分で」and「後N分で」

Why is the President allowed to veto a cancellation of emergency powers?

PTIJ: Who should I vote for? (21st Knesset Edition)

Brexit - No Deal Rejection

How to read the value of this capacitor?

Life insurance that covers only simultaneous/dual deaths

How to use deus ex machina safely?

Co-worker team leader wants to inject his friend's awful software into our development. What should I say to our common boss?

How to create the Curved texte?

How can I track script which gives me "command not found" right after the login?

Sailing the cryptic seas

A link redirect to http instead of https: how critical is it?

Iptables: Difference between RELATED and ESTABLISHED state?

iptables rules to block ssh remote forwarded portsiptables port forwardingFsockOpen problem with Iptables inside OpenVZ VMIptables ESTABLISHED,RELATED chain problemsiptables allow http incoming connections, state NEW, ESTABLISHEDWorkaround for state ESTABLISHED,RELATED to allow downloads?Configuring iptables on dd-wrt routerconnection has timed out, iptable settingsCentos 7 , Master-slave replication iptables?IPtables blocking SSH only if using conntrack

1

1

I've tried reading many articles on the internet but none of them are quite clear. I also know similar question has been posted here before but none of them explain my situation. Earlier I ended up wasting 2-3 hours because of this.

Manual says:

NEW -- meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions, and

ESTABLISHED -- meaning that the packet is associated with a connection which has seen packets in both directions,

RELATED -- meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error.

My iptables on Server look like:

iptables -P FORWARD ACCEPT

iptables -P INPUT ACCEPT

iptables -P OUTPUT ACCEPT



# Flush old rules

    iptables -F



# Loopback

    iptables -I INPUT 1 -i lo -j ACCEPT



# Allow responses from OUTPUT connection

    iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT



# Apache

    iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

    iptables -A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT



iptables -P FORWARD DROP

iptables -P INPUT DROP

iptables -P OUTPUT ACCEPT

Whenever I try curl --verbose https://server_ip/ from my PC, it works perfectly. But when I tried this from inside the server after SSHing into it, it always stuck at CLIENT HELLO. Why it is happening? Note: curl --verbose http://server_ip/(without SSL) worked perfectly from both local PC and server.

After I executed iptables -A INPUT -m state --state RELATED -j ACCEPT, it started working from inside the server too. Again why it started working?

Manual says RELATED -- meaning that the packet is starting a new connection. Is it a security risk? Can a client open a connection to a different port using this? When it is useful?

ubuntu iptables firewall connection

share|improve this question

edited Mar 9 '16 at 15:02

VarunAgw

asked Mar 9 '16 at 10:57

VarunAgwVarunAgw

18717

bumped to the homepage by Community♦ 3 mins ago

This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  In a packet capture, what's the first packet you see with RELATED allowed which you don't see without the RELATED rule in there? My gut tells me this has something to do with the fact that, when you make a connection to the external-facing port, you are also allocating an external port. In other words, if your server's IP were 10.0.0.5, to connect to that IP from within the server you'd need to allocate a client port (say, 5029, to pick a random port) on that same IP address (so, 10.0.0.5:5029).
  
  – Parthian Shot
  Mar 9 '16 at 16:04
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I think the problem likely happens when 10.0.0.5:443 (https) tries to send packets back to 10.0.0.5:5029, which causes those packets to be run through the firewall ruleset, and for some reason those response packets are being blocked because they're for neither a NEW connection (they're SYN-ACK packets), nor are they for an ESTABLISHEDj connection (it's a half-open connection). However, I know it isn't exactly that, because if it were HTTP should also be failing.
  
  – Parthian Shot
  Mar 9 '16 at 16:06
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Short version? Run a packet capture with the rule, another packet capture without the rule, and show us both captures. Or look at them yourself and see if you can figure it out.
  
  – Parthian Shot
  Mar 9 '16 at 16:08
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Incidentally, you don't need the NEW,ESTABLISHED part later on. You can just use NEW for each of those, packets associated with an ESTABLISHED connection would already have been accepted by that point.
  
  – Parthian Shot
  Mar 9 '16 at 16:09
  

  
  
  
  

add a comment | 

1

1

I've tried reading many articles on the internet but none of them are quite clear. I also know similar question has been posted here before but none of them explain my situation. Earlier I ended up wasting 2-3 hours because of this.

Manual says:

NEW -- meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions, and

ESTABLISHED -- meaning that the packet is associated with a connection which has seen packets in both directions,

RELATED -- meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error.

My iptables on Server look like:

iptables -P FORWARD ACCEPT

iptables -P INPUT ACCEPT

iptables -P OUTPUT ACCEPT



# Flush old rules

    iptables -F



# Loopback

    iptables -I INPUT 1 -i lo -j ACCEPT



# Allow responses from OUTPUT connection

    iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT



# Apache

    iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

    iptables -A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT



iptables -P FORWARD DROP

iptables -P INPUT DROP

iptables -P OUTPUT ACCEPT

Whenever I try curl --verbose https://server_ip/ from my PC, it works perfectly. But when I tried this from inside the server after SSHing into it, it always stuck at CLIENT HELLO. Why it is happening? Note: curl --verbose http://server_ip/(without SSL) worked perfectly from both local PC and server.

After I executed iptables -A INPUT -m state --state RELATED -j ACCEPT, it started working from inside the server too. Again why it started working?

Manual says RELATED -- meaning that the packet is starting a new connection. Is it a security risk? Can a client open a connection to a different port using this? When it is useful?

ubuntu iptables firewall connection

share|improve this question

edited Mar 9 '16 at 15:02

VarunAgw

asked Mar 9 '16 at 10:57

VarunAgwVarunAgw

18717

bumped to the homepage by Community♦ 3 mins ago

This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  In a packet capture, what's the first packet you see with RELATED allowed which you don't see without the RELATED rule in there? My gut tells me this has something to do with the fact that, when you make a connection to the external-facing port, you are also allocating an external port. In other words, if your server's IP were 10.0.0.5, to connect to that IP from within the server you'd need to allocate a client port (say, 5029, to pick a random port) on that same IP address (so, 10.0.0.5:5029).
  
  – Parthian Shot
  Mar 9 '16 at 16:04
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I think the problem likely happens when 10.0.0.5:443 (https) tries to send packets back to 10.0.0.5:5029, which causes those packets to be run through the firewall ruleset, and for some reason those response packets are being blocked because they're for neither a NEW connection (they're SYN-ACK packets), nor are they for an ESTABLISHEDj connection (it's a half-open connection). However, I know it isn't exactly that, because if it were HTTP should also be failing.
  
  – Parthian Shot
  Mar 9 '16 at 16:06
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Short version? Run a packet capture with the rule, another packet capture without the rule, and show us both captures. Or look at them yourself and see if you can figure it out.
  
  – Parthian Shot
  Mar 9 '16 at 16:08
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Incidentally, you don't need the NEW,ESTABLISHED part later on. You can just use NEW for each of those, packets associated with an ESTABLISHED connection would already have been accepted by that point.
  
  – Parthian Shot
  Mar 9 '16 at 16:09
  

  
  
  
  

add a comment | 

I've tried reading many articles on the internet but none of them are quite clear. I also know similar question has been posted here before but none of them explain my situation. Earlier I ended up wasting 2-3 hours because of this.

Manual says:

NEW -- meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions, and

ESTABLISHED -- meaning that the packet is associated with a connection which has seen packets in both directions,

RELATED -- meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error.

My iptables on Server look like:

iptables -P FORWARD ACCEPT

iptables -P INPUT ACCEPT

iptables -P OUTPUT ACCEPT



# Flush old rules

    iptables -F



# Loopback

    iptables -I INPUT 1 -i lo -j ACCEPT



# Allow responses from OUTPUT connection

    iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT



# Apache

    iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

    iptables -A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT



iptables -P FORWARD DROP

iptables -P INPUT DROP

iptables -P OUTPUT ACCEPT

Whenever I try curl --verbose https://server_ip/ from my PC, it works perfectly. But when I tried this from inside the server after SSHing into it, it always stuck at CLIENT HELLO. Why it is happening? Note: curl --verbose http://server_ip/(without SSL) worked perfectly from both local PC and server.

After I executed iptables -A INPUT -m state --state RELATED -j ACCEPT, it started working from inside the server too. Again why it started working?

Manual says RELATED -- meaning that the packet is starting a new connection. Is it a security risk? Can a client open a connection to a different port using this? When it is useful?

ubuntu iptables firewall connection

share|improve this question

edited Mar 9 '16 at 15:02

VarunAgw

asked Mar 9 '16 at 10:57

VarunAgwVarunAgw

18717

iptables -P FORWARD ACCEPT

iptables -P INPUT ACCEPT

iptables -P OUTPUT ACCEPT



# Flush old rules

    iptables -F



# Loopback

    iptables -I INPUT 1 -i lo -j ACCEPT



# Allow responses from OUTPUT connection

    iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT



# Apache

    iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

    iptables -A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT



iptables -P FORWARD DROP

iptables -P INPUT DROP

iptables -P OUTPUT ACCEPT

share|improve this question

edited Mar 9 '16 at 15:02

VarunAgw

asked Mar 9 '16 at 10:57

VarunAgwVarunAgw

18717

share|improve this question

edited Mar 9 '16 at 15:02

VarunAgw

asked Mar 9 '16 at 10:57

VarunAgwVarunAgw

18717

asked Mar 9 '16 at 10:57

VarunAgwVarunAgw

18717

asked Mar 9 '16 at 10:57

VarunAgwVarunAgw

18717

1 Answer
1

active

oldest

votes

0

RELATED is useful for that kind of protocols that need to open a new connection. It is often used, in combination with ip_conntrack_ftp for ftp connections, take a look here on how active ftp works.

share|improve this answer

answered Mar 9 '16 at 15:17

sgargelsgargel

15514

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Okay, but how is that relevant to TLS?
  
  – Parthian Shot
  Mar 9 '16 at 16:31
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "2"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f762604%2fiptables-difference-between-related-and-established-state%23new-answer', 'question_page');
}
);

Post as a guest

Name

Email

Required, but never shown

0

RELATED is useful for that kind of protocols that need to open a new connection. It is often used, in combination with ip_conntrack_ftp for ftp connections, take a look here on how active ftp works.

share|improve this answer

answered Mar 9 '16 at 15:17

sgargelsgargel

15514

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Okay, but how is that relevant to TLS?
  
  – Parthian Shot
  Mar 9 '16 at 16:31
  

  
  
  
  

add a comment | 

0

RELATED is useful for that kind of protocols that need to open a new connection. It is often used, in combination with ip_conntrack_ftp for ftp connections, take a look here on how active ftp works.

share|improve this answer

answered Mar 9 '16 at 15:17

sgargelsgargel

15514

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Okay, but how is that relevant to TLS?
  
  – Parthian Shot
  Mar 9 '16 at 16:31
  

  
  
  
  

add a comment | 

RELATED is useful for that kind of protocols that need to open a new connection. It is often used, in combination with ip_conntrack_ftp for ftp connections, take a look here on how active ftp works.

share|improve this answer

answered Mar 9 '16 at 15:17

sgargelsgargel

15514

share|improve this answer

answered Mar 9 '16 at 15:17

sgargelsgargel

15514

answered Mar 9 '16 at 15:17

sgargelsgargel

15514

answered Mar 9 '16 at 15:17

sgargelsgargel

15514