User guide

Chapter 2. Securing Your Network
ESTABLISHED — A packet that is part of an existing connection.
RELATED — A packet that is requesting a new connection but is part of an existing connection.
For example, FTP uses port 21 to establish a connection, but data is transferred on a different port (typically port 20).
INVALID — A packet that is not part of any connections in the connection tracking table.
You can use the stateful functionality of iptables connection tracking with any network protocol, even if the protocol itself is stateless (such as UDP). The following example shows a rule that uses connection tracking to forward only the packets that are associated with an established connection:
[root@myServer ~ ] # iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
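Added example (not from this guide or from Netfilter): a minimal Python model of how the connection tracking table assigns the four states above and how the FORWARD rule just shown acts on them. The Packet and ConnTracker names, the sample addresses and ports, the helper-style "expect" call standing in for the FTP helper, and the DROP default policy are all assumptions for illustration.

```python
# Simplified model of the Netfilter connection-tracking states used by
# "-m state" (NEW, ESTABLISHED, RELATED, INVALID). Added example; not
# Red Hat or Netfilter code. Addresses and ports are constructed samples.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag; ignored for UDP

class ConnTracker:
    def __init__(self):
        self.table = {}        # flow key -> {"orig": (src, sport), "state": str}
        self.expected = set()  # (proto, src, dst, dport) registered by a helper

    @staticmethod
    def _key(p):
        # direction-independent key so a reply matches the same entry
        a, b = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return (p.proto,) + a + b

    def expect(self, proto, src, dst, dport):
        # what the FTP helper does after parsing PORT/PASV on the control channel
        self.expected.add((proto, src, dst, dport))

    def classify(self, p):
        key = self._key(p)
        entry = self.table.get(key)
        if entry is not None:
            if (p.src, p.sport) != entry["orig"]:
                entry["state"] = "ESTABLISHED"   # traffic seen in both directions
            return entry["state"]
        if (p.proto, p.src, p.dst, p.dport) in self.expected:
            self.expected.discard((p.proto, p.src, p.dst, p.dport))
            self.table[key] = {"orig": (p.src, p.sport), "state": "RELATED"}
            return "RELATED"                     # data channel of a tracked connection
        if p.proto == "tcp" and not p.syn:
            return "INVALID"                     # TCP cannot start without SYN
        self.table[key] = {"orig": (p.src, p.sport), "state": "NEW"}
        return "NEW"                             # first packet; UDP is tracked too

def forward_rule(tracker, p):
    # the FORWARD rule above: -m state --state ESTABLISHED,RELATED -j ACCEPT,
    # with the chain's default policy assumed to be DROP
    return "ACCEPT" if tracker.classify(p) in ("ESTABLISHED", "RELATED") else "DROP"
```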
2.5.8. IPv6
The next-generation Internet Protocol, IPv6, removes the 32-bit address limit of IPv4 (or IP). IPv6 supports 128-bit addresses, so IPv6-aware carrier networks can route a far larger number of addresses than IPv4.
Red Hat Enterprise Linux supports IPv6 firewall rules using the Netfilter 6 subsystem and the ip6tables command. In Red Hat Enterprise Linux 6, both IPv4 and IPv6 services are enabled by default.
The ip6tables command syntax is identical to iptables in every aspect except that it supports 128-bit addresses. For example, use the following command to enable SSH connections on an IPv6-aware network server:
[root@myServer ~ ] # ip6tables -A INPUT -i eth0 -p tcp -s 3ffe:ffff:100::1/128 --dport 22 -j ACCEPT
For more information about IPv6 networking, refer to the IPv6 Information Page at http://www.ipv6.org/.
2.5.9. Additional Resources
There are several aspects to firewalls and the Linux Netfilter subsystem that could not be covered in this chapter. For more information, refer to the following resources.
2.5.9.1. Installed Firewall Documentation
Refer to Section 2.6, “IPTables” for more detailed information on the iptables command, including definitions for many command options.
The iptables man page contains a brief summary of the various options.
2.5.9.2. Useful Firewall Websites
http://www.netfilter.org/ — The official homepage of the Netfilter and iptables project.
http://www.tldp.org/ — The Linux Documentation Project contains several useful guides relating to firewall creation and administration.
http://www.iana.org/assignments/port-numbers — The official list of registered and common service ports as assigned by the Internet Assigned Numbers Authority.