The Traditional Approach

We've now reached the point where we need to add some
rules to our firewall so that it will accept at least some
incoming packets. There are two techniques we can use to
do this. One possibility is to use static rules, and the
other option is to use more dynamic, stateful rules.
Let's investigate the static approach first. Let's say
we wanted to be able to download Web pages through our
firewall. To accomplish this task, we could add the
following static rules to the INPUT and FORWARD chains:
# iptables -A INPUT -p tcp --sport 80 -j ACCEPT
# iptables -A FORWARD -p tcp --sport 80 -j ACCEPT
The "-A" option tells iptables to append the rule to the chain
we specify, and using the "-j" option, we specify a target of
ACCEPT, which causes the packet to be immediately
accepted. Immediately accepted, that is, if it happens to
match our criteria. As you can see, we also specify
"--sport 80," which tells iptables to create a filtering rule
that will only match those packets that originate from a TCP
port of 80, which is the standard TCP port for HTTP
traffic.
Adding these rules to our existing firewall allows us to
browse the Web from behind our firewall, at least to some
extent. But unfortunately, this approach is not without
its problems. For one, some HTTP (Web) traffic doesn't
originate from a source port of 80; often, a URL will look like
this, indicating that the page is being served from port 8080
rather than 80:
http://www.gentoo.org:8080
Unfortunately, we'd need to add a completely new set of rules
to allow this particular Web server to pierce our
firewall. If you happened to be the administrator of this
firewall, using static rules could quickly create
problems—you'd likely have a continuous stream of users
visiting you to complain that they couldn't view a particular
oddball Web site. As you can see, while this solution
might have seemed workable at first, it is really not a
complete or robust solution for allowing HTTP traffic through a
firewall.
And then there are the security implications. Since
these rules are static in nature, there's nothing to prevent a
malicious person from instructing his hacking tools to use a
source port of 80, thereby allowing his tools to penetrate our
firewall with ease. He'd then be able to establish a TCP
connection with any of your potentially vulnerable internal
services (such as NFS) and manipulate them to his heart's
content. Youch!
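To make both objections concrete without touching a live firewall, here is a small model of the two static rules above. It is an added example, not code from the original article: it parses the subset of iptables syntax used on this page (with "-p tcp", which the tcp match needs before "--sport" is accepted), walks a chain the way Netfilter does (first matching rule wins, otherwise the chain's policy applies), and runs a few constructed packets through it. The DROP policy and the sample port numbers are assumptions for the demonstration. An audit helper then flags any ACCEPT rule whose only selector is a source port, which is exactly the rule shape that lets the reply from port 8080 fall through and lets an inbound connection to an internal service pass just because it happens to come from port 80.

```python
"""Model of the static source-port rules from the text, plus an audit check.

Added example; it does not invoke iptables. It simulates the INPUT and FORWARD
chains with the two static rules and shows what each constructed packet gets.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    chain: str
    target: str
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Packet:
    proto: str
    sport: int  # source port on the remote host
    dport: int  # destination port on our side


def parse_rule(cmd: str) -> Rule:
    """Parse `[#] iptables -A CHAIN [-p PROTO] [--sport N] [--dport N] -j TARGET`.

    Only the options used on the page are understood; anything else is an error.
    Like real iptables, --sport/--dport are rejected unless -p tcp or -p udp is given.
    """
    toks = cmd.split()
    if toks and toks[0] == "#":          # strip the root shell prompt
        toks = toks[1:]
    if not toks or toks[0] != "iptables":
        raise ValueError("expected an iptables command")
    chain = target = proto = None
    sport = dport = None
    i = 1
    while i < len(toks):
        opt = toks[i]
        val = toks[i + 1] if i + 1 < len(toks) else None
        if val is None:
            raise ValueError(f"option {opt} needs a value")
        if opt == "-A":
            chain = val
        elif opt == "-j":
            target = val
        elif opt == "-p":
            proto = val
        elif opt == "--sport":
            sport = int(val)
        elif opt == "--dport":
            dport = int(val)
        else:
            raise ValueError(f"unsupported option {opt}")
        i += 2
    if chain is None or target is None:
        raise ValueError("rule needs -A CHAIN and -j TARGET")
    if (sport is not None or dport is not None) and proto not in ("tcp", "udp"):
        raise ValueError("--sport/--dport require -p tcp or -p udp")
    return Rule(chain, target, proto, sport, dport)


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every selector it specifies agrees with the packet."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def verdict(rules: List[Rule], chain: str, pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule in the chain decides; otherwise the chain policy (assumed DROP) applies."""
    for r in rules:
        if r.chain == chain and matches(r, pkt):
            return r.target
    return policy


def audit_source_port_only(rules: List[Rule]) -> List[Rule]:
    """Flag ACCEPT rules selected solely by source port: any remote host can satisfy them."""
    return [r for r in rules if r.target == "ACCEPT" and r.sport is not None and r.dport is None]


# The two static rules from the text, with -p tcp added so --sport is valid.
STATIC_RULES = [
    parse_rule("# iptables -A INPUT -p tcp --sport 80 -j ACCEPT"),
    parse_rule("# iptables -A FORWARD -p tcp --sport 80 -j ACCEPT"),
]

# Constructed sample packets (ports are illustrative assumptions).
REPLY_FROM_80 = Packet("tcp", 80, 40000)      # normal web reply to our browser's ephemeral port
REPLY_FROM_8080 = Packet("tcp", 8080, 40000)  # reply from a server listening on :8080
INBOUND_TO_NFS = Packet("tcp", 80, 2049)      # unsolicited connection to NFS (TCP 2049) from source port 80

if __name__ == "__main__":
    for name, chain, pkt in [("reply from :80", "INPUT", REPLY_FROM_80),
                             ("reply from :8080", "INPUT", REPLY_FROM_8080),
                             ("inbound to NFS", "FORWARD", INBOUND_TO_NFS)]:
        print(f"{name:18s} {chain:8s} -> {verdict(STATIC_RULES, chain, pkt)}")
    for r in audit_source_port_only(STATIC_RULES):
        print(f"audit: {r.chain} ACCEPTs on source port {r.sport} alone")
```

The third packet is the point of the last paragraph: nothing in the rule constrains the destination port or asks whether we initiated the connection, so the source port is the only thing standing between the outside world and an internal service. The audit function is the kind of check worth running over a real ruleset dump before trusting a static approach.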