# [solved] iptables and RELATED,ESTABLISHED rule

## FoolMonty

hello to anyone that may help

Looking at the output from  *Quote:*   

> iptables -L -v -n --line-numbers

  immediately after booting I notice that the rule 

 *Quote:*   

> iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

 

shows an ever increasing amount of pkts and bytes, the latter reaching megabytes in size, BEFORE any manual connection to anything or anywhere is made.

Is this normal for a workstation with minimal services running?Last edited by FoolMonty on Mon Oct 07, 2013 3:08 pm; edited 1 time in total

----------

## papahuhn

Probably loopback.

----------

## FoolMonty

 *Quote:*   

>  pkts bytes target     prot opt in     out     source               destination         
> 
>  265K  347M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
> 
>  3362  170K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0   

 huge disparity between the two.    :Shocked: 

Could it be that the RELATED,ESTABLISHED rule is showing cumulative transfer since the rule was saved to iptables?  If so, any way to clear that cache to see what is passing in/out of the workstation after a reboot, short of deleting and adding again the rule?

As far as the loopback rule, is it ok to leave the source and destinations like that or should it be restricted to localhost for both?

----------

## netixen

Hi,

You can zero the counters by doing

```
iptables -Z
```

The loopback rule is fine.

----------

## FoolMonty

Thank you, netixen, on both

 :Cool: 

----------

## Hu

I suggest moving the lo rule up to before the state tracking rule.  Interface checks should be cheaper, and will then allow you to use the state tracking rule to see what is moving across real NICs.

----------

## FoolMonty

 *Quote:*   

> I suggest moving the lo rule up 

 

Done.  Thanks, Hu.  Will keep an eye on it to see how this evolves.

Hu (or anyone else).  Seems you know about security issues from your understanding of iptables.  I would be interested in your opinion on this:  looking at the net-analyzer packages in gentoo is really overwhelming for a beginner... at the time of this post there are about 267 different packages, of which more than half lack any metadata to help make a decision.   Do you have some recommendations on which programs to explore to run some security auditing on the workstation and the LAN it is attached to?  This would help not only me but many who might read this post in the future.

Thanking you in advance

FM

----------

## Hu

What kind of security auditing do you want?  If you need to see what is listening, you can use ss if you have login access or nmap if you do not.  Using nmap to scan a system without the approval of its owner is considered rude, and may prompt the owner to cause trouble, especially if you live in a jurisdiction with badly written "anti-hacking" laws.  If you want to know details about a program listening on a particular port, nmap can give you some initial guesses, but you need a more specific tool to explore in detail.  Generally, the more detail you try to extract from a system, the greater the chance that its operator may decide to interpret your probes as a precursor to malicious activity.

----------

## FoolMonty

Hello Hu

Nothing like that, Hu.  I have no interest in using any of these tools on a system outside of my home LAN, other than maybe a ping on www.google.com to check the connectivity of my nic.  Of course if I was a wannabe hacker I would probably say the same, but in this case it is true.

I use nmap -v  and netstat -antp and everything on surface looks OK, but nmap states it is probing some 1600 ports and apparently there are 2^16th ports on a system so I keep asking myself if the remaining ~65000 ports are all closed too...and, why the heck are there so many ports!?   :Shocked: 

In short, what I am looking for is a program that would simulate an attack on my own system to verify that the system is protected from the casual hacker - not a professional one, as apparently there is little one can do to protect from those short of disconnecting the pc from the net, however, there is nothing on the pc that would interest these latter.  Are programs like snort or the old open source version of nessus the type of program I should be exploring? How about the open source branch of nessus?  of the 267 programs in the net-analyzer tree of gentoo, what do the people in the know use?

I fella like me with less than a handful of posts in the forum probably would be ignored if I tried to open a post about security tools like the "show us your make.conf"  that could be made into a sticky in this section of the forum, but it certainly would be nice if there was such a post with recommendations from expert users to help the uninitiated in this long but very worthwhile path.  Too many options can be as difficult as a lack of them without some guidance to point people in the right direction.  Just thinking out loud...

Anywho, thank you Hu for all the help you have given me these last two week.   I owe you.

----------

## FoolMonty

Sadly the experts on security of the gentoo community, the members of which are worthy of considerable respect if not outright admiration for their knowledge, do not wish to share much on this issue.  For those starting on their linux path who might read this post in the future I offer this link

 *Quote:*   

> http://sectools.org/

 

Best to all

----------

## PaulBredbury

 *FoolMonty wrote:*   

> do not wish to share much on this issue

 

Ahem. To increase the chance of getting helpful replies, ask some intelligent/interesting questions that can't already be answered by a bit of googling  :Wink: 

----------

## Hu

Netstat will tell you which ports are open and which are not.  2^16 made sense for the test protocol, but it would have been nice to see it raised a bit in later revisions.  Security analysis is far too broad a topic to address in a single forum post.

----------

## FoolMonty

PaulBredbury, you are partially correct.  Your answer assumes information gathered from Google is correct and/or impartial, and both are a huge leap of faith.  Your answer is akin to saying, you don't need an university professor to help you get a PhD, as all the information is in the library already.  Those with limited knowledge on a subject need some guidance from those with expertise on that subject to point them in the right direction, to prune the bad from the good and avoid heading in the wrong path.  You have to trust someone, always, and in this case I trust the opinions of those who frequent this forum.  Don't take this comment as an offense, for it is not.  I am just explaining why people at my level sometimes need a little more than "read the man page" or "try google".  For example, there are many pages which can probe your network looking for security issues, but someone new to the topic would not know which remote site to trust, where someone with experience in these things would likely known which of the available resources are well respected by the community and trustworthy.  etc.

Hu, thanks for the reply.  I was not sure if Netstat would in fact probe all the ports that have services listening or if it simply was limited to scanning the ~1600 ports it stated in the report, given there are 2^16th total ports.  Goes to show how little I still know about these things, as maybe a port without a service listening is by definition "closed" and does not need to be probed at all.

Well, back to the "man pages" and google...   :Wink: 

Best to both

----------

## Hu

A port is listening if a service is accepting connections there.  A port is in use if there is an open socket associated with it.  Netstat can list both types, depending on the exact options.  Netstat does not probe the ports, but instead asks the kernel to provide a list of relevant sockets.

----------

## FoolMonty

Thank you, Hu

Learning about sockets now.  Now I know a little more about how netstat works, thanks to you.

Best (and thank you, again)

----------

