Thanks for all the help.
So let me see if I've gotten this right this time.

Suppose there are two network cards on my bridge/firewall.

eth0 connects to the outside,
eth1 connects to the inside.

And I write my table as:

iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

Then, I have a simple setup, where
1) my inside users can do anything, including active ftp
2) and nothing initiated from the outside (except for ftp data
   connection and some ICMP packets) is allowed. ( even e-mail
   can't come in )

Correct?


I'll just memorize that "ESTABLISHED" requires "RELATED".

What about the other way around?
Does "RELATED" need "ESTABLISHED"?

What happens with the following setting?
(I don't have a machine I can test with right now)
This would be a silly setting, but I want to be sure I understand
everything.

iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp ! --syn --sport 1024: --dport 1024: -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp -m state --state RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp ! --syn --sport ftp-data --dport 1024: -j ACCEPT

Notice that I don't have "ESTABLISHED" in the 5th line.
Then I would guess that
line 4 allows passive ftp,
line 5 allows the syn packet for active ftp, and
line 6 allows the rest of active ftp to continue.

Is line 6 unnecessary?
Does "RELATED" match related "new" connections,
or all subsequent packets in the (established) related connection?

Jin Hong
_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
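Added example (not from the post or the mailing list): the first, "simple" FORWARD setup from the message with the chain named on every `-A`, wrapped in shell functions so it can be dry-run. It keeps ESTABLISHED next to RELATED because RELATED matches only the first packet of a connection the FTP helper expected (the data connection's SYN); every later packet of that connection is ESTABLISHED, and the helper itself must be loaded for RELATED to classify FTP data at all. The variable names IPT, MODPROBE, OUTSIDE and INSIDE and the function names are assumptions for this example; set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the original poster's script.
# IPT, MODPROBE, OUTSIDE and INSIDE are assumed variable names; set
# IPT=echo MODPROBE=echo to dry-run without root or iptables installed.
IPT="${IPT:-iptables}"
MODPROBE="${MODPROBE:-modprobe}"
OUTSIDE="${OUTSIDE:-eth0}"   # interface facing the outside
INSIDE="${INSIDE:-eth1}"     # interface facing the inside

load_ftp_helper() {
    # RELATED only classifies FTP data connections when the FTP conntrack
    # helper is loaded; the module name differs between kernel generations.
    "$MODPROBE" nf_conntrack_ftp 2>/dev/null || "$MODPROBE" ip_conntrack_ftp
}

apply_forward_rules() {
    "$IPT" -F FORWARD
    "$IPT" -P FORWARD DROP
    # inside -> outside: anything, including the control connection of
    # active FTP (which the helper watches for PORT commands)
    "$IPT" -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -j ACCEPT
    # outside -> inside: replies to inside-initiated connections
    # (ESTABLISHED) plus the first packet of helper-expected connections,
    # e.g. the active-FTP data connection (RELATED). Once that data
    # connection has seen traffic both ways it is ESTABLISHED, so dropping
    # ESTABLISHED here would break it after its first packet.
    "$IPT" -A FORWARD -i "$OUTSIDE" -o "$INSIDE" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Apply only when explicitly asked, so sourcing the file is side-effect free.
case "${1:-}" in
    apply) load_ftp_helper; apply_forward_rules ;;
esac
```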
