# Gentoo Wiki - IPTables

## Xander314

I wanted to set up a firewall before going to university, so I followed the Gentoo Wiki's IPTables article as a starting point. The default policy for INPUT is set to DROP. Then the following two rules are applied:

```
iptables -A INPUT -i eth0 -p tcp --sport 80 --syn -m conntrack --ctstate NEW                 -j ACCEPT
iptables -A INPUT                                 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
```

I understand that the second line only allows packets associated with established connections, which I assume are established via outgoing connections. 

I am not sure what the first line does. It appears to allow standard HTTP connections in, but I can browse the web just fine without it. As I understand it, when browsing the web, my browser creates an outgoing connection (which is allowed by default) and then the resulting returned connection is also allowed as it is related to the existing connection (state RELATED or ESTABLISHED). Given that, why is the first line necessary at all?

----------

## Ant P.

The first line is an example rule for running a local webserver.

----------

## Xander314

Thanks for the info. I'll just use the other line then.

----------

## olek

I can really recommend one of Archs articles here:

https://wiki.archlinux.org/index.php/Simple_stateful_firewall

----------

## Hu

*Ant P. wrote:*

> The first line is an example rule for running a local webserver.

It is worse than that. You would be correct if the author had used --dport, but since he used --sport, this means that any unsolicited connection with a source port of 80 is permitted. This may have been a very ill-conceived attempt to permit web browsing, but it would be wrong even for that purpose.

----------

## Xander314

*Hu wrote:*

> *Ant P. wrote:*
>
> > The first line is an example rule for running a local webserver.
>
> It is worse than that. You would be correct if the author had used --dport, but since he used --sport, this means that any unsolicited connection with a source port of 80 is permitted. This may have been a very ill-conceived attempt to permit web browsing, but it would be wrong even for that purpose.

That is good to know.  If the wiki article is unreliable, I'd like to check if the second line, 

```
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
```

is okay too - it looks okay to me but I'm new to this networking stuff. Is this rule the best (most secure) way of allowing web browsing?

*olek wrote:*

> I can really recommend one of Archs articles here:
>
> https://wiki.archlinux.org/index.php/Simple_stateful_firewall

Thanks - I'll read that in the morning when I'm less tired.

----------

## olek

Yes,

```
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
```

is perfectly fine and considered the best way to go AFAIK.

----------

## PaulBredbury

*Hu wrote:*

> it would be wrong

Yeah. I've fixed the wiki entry.

----------
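The rule set this thread converges on (default DROP on INPUT, stateful return traffic, and --dport rather than --sport when a local web server is actually wanted), together with a check for the --sport mistake Hu points out, as an added example that is not from the thread or the wiki. It assumes the eth0 interface from the original rules and only prints the commands rather than loading them, so it runs without root.

```shell
#!/bin/sh
# Added example (not the wiki's or the thread's own rules): print a minimal
# stateful INPUT policy and audit rule lines for the --sport mistake.

# emit_rules [yes|no]: print the rule set; pass "yes" to also admit a local
# web server. Note --dport 80: the port on OUR side, not the remote's choice.
emit_rules() {
    serve_http=${1:-no}
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    if [ "$serve_http" = yes ]; then
        echo "iptables -A INPUT -i eth0 -p tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT"
    fi
}

# flag_sport_accept RULE: return 0 (flagged) when an ACCEPT rule matches new
# connections only by the remote's source port, as the original wiki rule did.
# Browsing never needs it: replies arrive as ESTABLISHED, not NEW.
flag_sport_accept() {
    rule=$1
    case "$rule" in *"-j ACCEPT"*) ;; *) return 1 ;; esac   # only ACCEPT rules
    case "$rule" in *"--sport "*) ;; *) return 1 ;; esac    # must key on source port
    case "$rule" in *"--dport "*) return 1 ;; esac          # --dport narrows it: fine
    case "$rule" in
        *"--ctstate "*NEW*|*"--state "*NEW*) return 0 ;;    # explicitly admits NEW
    esac
    # A --sport ACCEPT with no state match at all admits unsolicited SYNs too.
    case "$rule" in
        *"--ctstate "*|*"--state "*) return 1 ;;
        *) return 0 ;;
    esac
}

# count_flagged: read rule lines on stdin, print how many are flagged.
count_flagged() {
    n=0
    while IFS= read -r line; do
        if flag_sport_accept "$line"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Stand-alone run: audit the corrected rule set (expect 0 flagged).
emit_rules yes | count_flagged
```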

