Andrey Kozlov wrote:
> Hello,
>
> with connection tracking you can define common rules for ongoing
> traffic on top of your rule set:
>
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> and then add specific rules for any required services, e.g.:
>
> iptables -A OUTPUT -o eth0 -p tcp --sport $UNPRIVPORTS \
>     -d pop.mail.yahoo.co.uk --dport 110 -m state --state NEW -j ACCEPT
>
> iptables -A OUTPUT -o eth0 -p tcp --sport $UNPRIVPORTS \
>     -d pop.1and1.fr --dport 110 -m state --state NEW -j ACCEPT

So it means I accept both 'established' and 'related' connections from/to any ports. Then I allow 'new' connections to port 110 (for pop.1and1.fr and pop.mail.yahoo.co.uk). In the end, 'established' or 'related' connections from/to port 4895, for instance, will be accepted as well. Unless I am wrong, it is not really interesting in the case where I have made a mistake in my firewall and accept 'new' connections from/to port 4895. I allow more than I should without any reason.

Is that right?

> --
> Regards,
> Kozlov Andrey.
>
>> I have got some iptables rules such as:
>>
>> Code:
>>
>> iptables -A OUTPUT -o eth0 -p tcp -d pop.mail.yahoo.co.uk --dport 110 \
>>     --sport $UNPRIVPORTS -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>> iptables -A OUTPUT -o eth0 -p tcp -d pop.1and1.fr --dport 110 \
>>     --sport $UNPRIVPORTS -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>> iptables -A INPUT -i eth0 -p tcp -s pop.mail.yahoo.co.uk --sport 110 \
>>     --dport $UNPRIVPORTS -m state --state ESTABLISHED,RELATED -j ACCEPT
>> iptables -A INPUT -i eth0 -p tcp -s pop.1and1.fr --sport 110 \
>>     --dport $UNPRIVPORTS -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>> and I would like to put them on only two lines. I glanced at the man
>> page but I have not found anything of interest.
>>
>> Is that possible?
>>

--
Franck Joncourt
http://www.debian.org
http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
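The following script is an added example, not part of the thread and not Andrey's or Franck's own rules. It shows the stateful layout Andrey describes in the context that makes it safe: a default DROP policy on INPUT and OUTPUT, one generic ESTABLISHED,RELATED accept per chain, and a single NEW rule per permitted service. With the default policy set to DROP, a first packet towards port 4895 is never accepted, so the kernel never creates a conntrack entry for it and the ESTABLISHED,RELATED rules have nothing to match; the generic rules only widen the "NEW" decisions, they cannot open a port on their own. The script assumes $UNPRIVPORTS means 1024:65535 (the thread never defines it) and runs as a dry run by default: IPT is "echo iptables", so it prints the rule set for review; setting IPT=iptables as root loads it.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal stateful POP3 client rule set.
# IPT defaults to "echo iptables" so the script prints what it would load.
# Run with IPT=iptables as root to apply the rules for real.
IPT="${IPT:-echo iptables}"
IFACE="${IFACE:-eth0}"
UNPRIVPORTS="${UNPRIVPORTS:-1024:65535}"   # assumption: the thread's variable = unprivileged range
POP_SERVERS="${POP_SERVERS:-pop.mail.yahoo.co.uk pop.1and1.fr}"

load_rules() {
    # Default policies first: nothing passes unless a rule below allows it.
    # This is what keeps the generic ESTABLISHED,RELATED rules harmless:
    # a connection to some port like 4895 can only become ESTABLISHED if a
    # NEW rule accepted its first packet, and no such rule exists for it.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    $IPT -F INPUT
    $IPT -F OUTPUT

    # Loopback traffic never leaves the host.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Stateful shortcut: replies and follow-up packets of a connection that a
    # NEW rule already accepted pass here, so no per-service INPUT rule is needed.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Packets conntrack cannot classify at all (bad TCP flags, unknown stream).
    $IPT -A INPUT -m state --state INVALID -j DROP

    # The only place a connection may be opened: one NEW rule per permitted
    # service. Add or remove services here; the generic rules above never change.
    for host in $POP_SERVERS; do
        $IPT -A OUTPUT -o "$IFACE" -p tcp --sport "$UNPRIVPORTS" \
            -d "$host" --dport 110 -m state --state NEW -j ACCEPT
    done
}

# Review helper for the dry run: how many rules can open a connection at all.
count_new_rules() {
    load_rules | grep -c -- '--state NEW'
}

load_rules
```

In dry-run mode the output is the exact rule list in the order it would be loaded, which is worth reading before applying it: the two ESTABLISHED,RELATED lines, one INVALID drop, and exactly one NEW line per POP3 server, under a DROP policy on every chain.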

