Chapter 7. Firewalls

these targets. However, to avoid user confusion and attempts to continue connecting, the REJECT target is recommended.

7.6. iptables and Connection Tracking

iptables includes a module that allows administrators to inspect and restrict connections to services available on an internal network using a method called connection tracking. Connection tracking stores connections in a table, which allows administrators to allow or deny access based on the following connection states:

• NEW — A packet requesting a new connection, such as an HTTP request.
• ESTABLISHED — A packet that is part of an existing connection.
• RELATED — A packet that is requesting a new connection but is part of an existing connection, such as passive FTP connections where the connection port is 20, but the transfer port can be any unused port 1024 or higher.
• INVALID — A packet that is not part of any connections in the connection tracking table.

You can use the stateful functionality of iptables connection tracking with any network protocol, even if the protocol itself is stateless (such as UDP). The following example shows a rule that uses connection tracking to forward only the packets that are associated with an established connection:

    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

7.7. ip6tables

The introduction of the next-generation Internet Protocol, called IPv6, expands beyond the 32-bit address limit of IPv4 (or IP). IPv6 supports 128-bit addresses and, as such, carrier networks that are IPv6 aware are able to address a larger number of routable addresses than IPv4.

Red Hat Enterprise Linux supports IPv6 firewall rules using the Netfilter 6 subsystem and the ip6tables command. The first step in using ip6tables is to start the ip6tables service. This can be done with the command:

    service ip6tables start

Warning
The iptables service must be turned off to use the ip6tables service exclusively:

    service iptables stop
    chkconfig iptables off

To make ip6tables start by default whenever the system is booted, change the runlevel status on the service using chkconfig.
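The four connection states of Section 7.6 and the FORWARD rule shown there are easier to reason about when you can watch a tracking table assign them packet by packet. The following Python model is an added example written for this page; it is not code from the Red Hat guide or from the Netfilter project. It assumes a toy table keyed on the 5-tuple in both directions, a hypothetical expect() hook standing in for the kernel's FTP protocol helper, a constructed web server address 10.0.0.5, and a deliberately strict rule that a TCP packet with no table entry and no bare SYN is INVALID (the real kernel is more lenient by default). The forward() function applies the guide's ESTABLISHED,RELATED rule, adds one rule admitting NEW TCP connections to port 80, and drops everything else.

```python
# Added example, not from the Red Hat guide: a minimal model of iptables
# connection tracking, applied in a FORWARD chain equivalent to
#   iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# plus one rule admitting NEW connections to a web server, default DROP.

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag; ignored for udp
    ack: bool = False   # TCP ACK flag; ignored for udp


class ConnTrack:
    """Toy connection tracking table keyed on the 5-tuple, both directions."""

    def __init__(self):
        self.flows = set()         # (proto, src, sport, dst, dport) of tracked flows
        self.expectations = set()  # (proto, client, server, port) awaited RELATED flows

    @staticmethod
    def _fwd(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _rev(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def expect(self, proto, client, server, port):
        """Hypothetical helper hook (assumption): after parsing an FTP PASV
        reply, the helper expects client -> server:port as a RELATED flow."""
        self.expectations.add((proto, client, server, port))

    def classify(self, p):
        """Return NEW / ESTABLISHED / RELATED / INVALID and update the table."""
        if self._fwd(p) in self.flows or self._rev(p) in self.flows:
            return "ESTABLISHED"
        exp = (p.proto, p.src, p.dst, p.dport)
        if exp in self.expectations:
            self.expectations.discard(exp)
            self.flows.add(self._fwd(p))
            return "RELATED"
        # Strict teaching rule: a TCP flow must open with a bare SYN; any other
        # TCP packet with no table entry is INVALID (kernel default is looser).
        if p.proto == "tcp" and not (p.syn and not p.ack):
            return "INVALID"
        # UDP is stateless, but the first datagram is still recorded as NEW so
        # that the reply in the other direction matches ESTABLISHED.
        self.flows.add(self._fwd(p))
        return "NEW"


def forward(ct, p, web_server="10.0.0.5"):
    """FORWARD chain: ACCEPT ESTABLISHED,RELATED; ACCEPT NEW tcp to the web
    server on port 80; everything else falls through to the DROP policy."""
    state = ct.classify(p)
    if state in ("ESTABLISHED", "RELATED"):
        return state, "ACCEPT"
    if state == "NEW" and p.proto == "tcp" and p.dst == web_server and p.dport == 80:
        return state, "ACCEPT"
    return state, "DROP"


def run_scenario():
    """Constructed traffic through the chain; returns (state, verdict) per packet."""
    ct = ConnTrack()
    client, web, dns = "192.0.2.10", "10.0.0.5", "10.0.0.53"
    packets = [
        Packet("tcp", client, 40000, web, 80, syn=True),            # NEW to web: ACCEPT
        Packet("tcp", web, 80, client, 40000, syn=True, ack=True),  # reply: ESTABLISHED
        Packet("tcp", client, 40001, web, 22, syn=True),            # NEW to ssh: DROP
        Packet("tcp", client, 40002, web, 80, ack=True),            # no SYN, no entry: INVALID
        Packet("udp", dns, 53, client, 5353),                       # unsolicited UDP: NEW, DROP
    ]
    return [forward(ct, p) for p in packets]


def run_related_scenario():
    """RELATED data connection admitted via a helper expectation, as for passive FTP."""
    ct = ConnTrack()
    client, ftp = "192.0.2.10", "10.0.0.21"
    ct.expect("tcp", client, ftp, 50123)   # data port learned on the control channel (constructed)
    return forward(ct, Packet("tcp", client, 40500, ftp, 50123, syn=True))


if __name__ == "__main__":
    for state, verdict in run_scenario():
        print(f"{state:12s} -> {verdict}")
    print(run_related_scenario())
```

The model shows why the guide's single ESTABLISHED,RELATED rule is enough for return traffic even for UDP: the unsolicited datagram from the DNS server is NEW and dropped, whereas a reply to a tracked query would have matched the reversed tuple and been ESTABLISHED. The RELATED scenario is the passive FTP case from the bullet list: the data connection arrives on a high port the firewall has never seen, and it is admitted only because the helper registered an expectation for it.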