[Cialug] IPTables Concept

Chris K. lister at kulish.com
Tue Oct 31 20:56:23 CST 2006


hehe, thanks Dave :)  And thanks to you as well Jeff.  Your version did 
the same thing (I think) as mine.  Just a cleaner line.
Just need one "-m state" line per chain and that covers all the return 
traffic on that chain resulting from an allowed connection, right?

Dave Weis wrote:
> Chris K. wrote:
>> I am probably just being dense this evening, but are you saying that 
>> I shouldn't need the input -m state at all, and that it should just 
>> work because the connection out is established?
>
> You'll need the first one to match ESTABLISHED and RELATED, but after 
> that, yes, you are being dense :-)
>
>> Dave Weis wrote:
>>>
>>> On Tue, 31 Oct 2006, Chris K. wrote:
>>>> Something like this for the smtp access?
>>>> /sbin/iptables -A OUTPUT -o $OURIF -p tcp -s $OURIP --dport 25 -d 
>>>> $OURSMTP -j ACCEPT
>>>> /sbin/iptables -A INPUT -i $OURIF -p tcp -d $OURIP -m state --state 
>>>> ESTABLISHED -s $OURSMTP -j ACCEPT
>>>>
>>>> Thanks much!  (and I've trimmed the email down a bit)
>>>> Dave Weis wrote:
>>>>
>>>> Second line should be unnecessary with the state matching done. As 
>>>> written the SMTP server could send you unwanted traffic if it's 
>>>> taken over by setting the source port outbound to be 25.
>>>
>>> With the -m state that we trimmed out from the first one you should 
>>> get this automagically. If it doesn't work it might be a syntax 
>>> problem.
>>>
>>
>> _______________________________________________
>> Cialug mailing list
>> Cialug at cialug.org
>> http://cialug.org/mailman/listinfo/cialug
>
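Added example (not code from the thread or from either poster): a toy model of netfilter connection tracking that replays the traffic pattern discussed above, so the difference between one "-m state --state ESTABLISHED,RELATED" rule on INPUT and a rule that only matches the relay's address and source port is visible packet by packet. The addresses, ports and the conntrack logic are constructed and heavily simplified here (no TCP state machine, no RELATED expectations such as ICMP errors, no timeouts).

```python
# Added example, not from the mailing-list thread.  Toy model of netfilter
# conntrack: shows why a single "-m state --state ESTABLISHED,RELATED" rule
# covers return traffic and why trusting the relay's source port 25 does not.
# Addresses, ports and the tracking logic below are constructed/simplified.
from __future__ import annotations

from dataclasses import dataclass

OURIP = "192.0.2.10"     # assumed address of our host ($OURIP in the thread)
OURSMTP = "192.0.2.25"   # assumed address of the mail relay ($OURSMTP)
SMTP_PORT = 25


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class ToyFirewall:
    """OUTPUT and INPUT chains with a default-DROP policy.

    stateful=True  models:  -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    stateful=False models:  -A INPUT -p tcp -s $OURSMTP --sport 25 -j ACCEPT
    """

    def __init__(self, stateful: bool) -> None:
        self.stateful = stateful
        # conntrack table keyed on the original direction's 4-tuple
        self.conns: set[tuple[str, int, str, int]] = set()

    def output(self, pkt: Packet) -> str:
        # -A OUTPUT -o $OURIF -p tcp -s $OURIP -d $OURSMTP --dport 25 -j ACCEPT
        if pkt.src == OURIP and pkt.dst == OURSMTP and pkt.dport == SMTP_PORT:
            # conntrack records the flow once the first packet is accepted
            self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        return "DROP"

    def input(self, pkt: Packet) -> str:
        if self.stateful:
            # ESTABLISHED: the packet is the reply direction of a tracked flow
            reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return "ACCEPT" if reverse in self.conns else "DROP"
        # Weak variant: trusts anything the relay sends from source port 25
        if pkt.src == OURSMTP and pkt.sport == SMTP_PORT:
            return "ACCEPT"
        return "DROP"


def run_scenario(stateful: bool) -> dict[str, str]:
    """Constructed traffic: our SMTP session, its reply, and an unsolicited
    probe from a compromised relay that reuses source port 25."""
    fw = ToyFirewall(stateful)
    # 1. we open a connection to the relay
    out = fw.output(Packet(OURIP, 40001, OURSMTP, SMTP_PORT))
    # 2. the relay's SYN/ACK comes back: legitimate return traffic
    reply = fw.input(Packet(OURSMTP, SMTP_PORT, OURIP, 40001))
    # 3. the relay, now hostile, probes our SSH port using sport 25
    probe = fw.input(Packet(OURSMTP, SMTP_PORT, OURIP, 22))
    return {"out": out, "reply": reply, "probe": probe}


if __name__ == "__main__":
    for mode in (True, False):
        label = "stateful" if mode else "source-port match"
        print(label, run_scenario(mode))
```

With the stateful rule the reply is accepted and the probe is dropped; with the source-port rule both are accepted, which is the exposure Dave describes. On current kernels `-m conntrack --ctstate ESTABLISHED,RELATED` is the preferred spelling of `-m state --state`, with the same effect.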


