[Cialug] IPTables Concept
Chris K.
lister at kulish.com
Tue Oct 31 20:56:23 CST 2006
hehe, thanks Dave :) And thanks to you as well Jeff. Your version did
the same thing (I think) as mine. Just a cleaner line.
Just need one "-m state" line per chain and that covers all the return
traffic on that chain resulting from an allowed connection, right?
Dave Weis wrote:
> Chris K. wrote:
>> I am probably just being dense this evening, but are you saying that
>> I shouldn't need the input -m state at all, and that it should just
>> work because the connection out is established?
>
> You'll need the first one to match ESTABLISHED and RELATED, but after
> that, yes, you are being dense :-)
>
>> Dave Weis wrote:
>>>
>>> On Tue, 31 Oct 2006, Chris K. wrote:
>>>> Something like this for the smtp access?
>>>> /sbin/iptables -A OUTPUT -o $OURIF -p tcp -s $OURIP --dport 25 -d
>>>> $OURSMTP -j ACCEPT
>>>> /sbin/iptables -A INPUT -i $OURIF -p tcp -d $OURIP -m state --state
>>>> ESTABLISHED -s $OURSMTP -j ACCEPT
>>>>
>>>> Thanks much! (and I've trimmed the email down a bit)
>>>> Dave Weis wrote:
>>>>
>>>> Second line should be unnecessary with the state matching done. As
>>>> written the SMTP server could send you unwanted traffic if it's
>>>> taken over by setting the source port outbound to be 25.
>>>
>>> With the -m state that we trimmed out from the first one you should
>>> get this automagically. If it doesn't work it might be a syntax
>>> problem.
>>>
>>
>> _______________________________________________
>> Cialug mailing list
>> Cialug at cialug.org
>> http://cialug.org/mailman/listinfo/cialug
>
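As an added illustration (not part of the thread or anyone's posted rules), a small Python model of the two INPUT-chain designs discussed above: matching replies by source port 25 alone versus a single chain-wide `-m state --state ESTABLISHED,RELATED` rule. The addresses and ports are constructed placeholders standing in for $OURIP and $OURSMTP, and `Conntrack` is a toy stand-in for the kernel's connection tracking.

```python
from collections import namedtuple

# Constructed placeholders for the thread's $OURIP and $OURSMTP (TEST-NET-1 addresses).
OURIP = "192.0.2.10"
OURSMTP = "192.0.2.25"
Packet = namedtuple("Packet", "src sport dst dport")

class Conntrack:
    # Minimal connection tracker: remembers flows our host opened on OUTPUT.
    def __init__(self):
        self.flows = set()

    def outbound(self, pkt):
        # Packet accepted on OUTPUT, e.g. -p tcp -s $OURIP --dport 25 -d $OURSMTP -j ACCEPT
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def state(self, pkt):
        # The reply direction of a known flow is ESTABLISHED; anything else is NEW.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ESTABLISHED"
        return "NEW"

def input_stateless(pkt):
    # Source-port matching only, the weak form Dave warns about:
    #   -A INPUT -p tcp -s $OURSMTP --sport 25 -d $OURIP -j ACCEPT
    return "ACCEPT" if pkt.src == OURSMTP and pkt.sport == 25 else "DROP"

def input_stateful(ct, pkt):
    # One chain-wide rule covers every reply to a connection we opened:
    #   -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT   (chain policy DROP)
    return "ACCEPT" if ct.state(pkt) == "ESTABLISHED" else "DROP"

def demo():
    ct = Conntrack()
    ct.outbound(Packet(OURIP, 40001, OURSMTP, 25))       # our SMTP session
    ct.outbound(Packet(OURIP, 40002, "192.0.2.80", 80))  # an unrelated HTTP session
    smtp_reply = Packet(OURSMTP, 25, OURIP, 40001)
    http_reply = Packet("192.0.2.80", 80, OURIP, 40002)
    # Traffic from the SMTP host that we never asked for, sent with source port 25.
    unsolicited = Packet(OURSMTP, 25, OURIP, 22)
    return {
        "smtp_reply": (input_stateless(smtp_reply), input_stateful(ct, smtp_reply)),
        "http_reply": (input_stateless(http_reply), input_stateful(ct, http_reply)),
        "unsolicited": (input_stateless(unsolicited), input_stateful(ct, unsolicited)),
    }
```

The stateful rule accepts both replies and drops the unsolicited packet, which is why one `-m state` line per chain is enough and the per-service ESTABLISHED rule becomes redundant.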