> Hi,
>
> On Tue, 5 Jul 2005 15:52:20 +0200 (CEST)
> "Patrick Marquetecken" <[EMAIL PROTECTED]> wrote:
>
>> If I'm correct then iptables is stateful connection capable, this means I
>> should not use rules like:
>> If state of connection is ESTABLISHED ...
>> If state of connection is RELATED ...
>>
>> and I may use only:
>> If protocol is TCP and source is bla bla and destination port is bla bla
>> and state of connection is NEW
>
> All of the mentioned rules are related to stateful connection matching.
> You probably want all ESTABLISHED and RELATED traffic in both the
> incoming and outgoing direction, and NEW connections only outgoing.
> Additionally you'll probably want NEW connections also in the incoming
> direction for the services you want to offer - that's how I interpret
> your last sentence. But you'll definitely want ESTABLISHED and RELATED,
> too.
>
> Concept usually is:
> INPUT:
> - allow ESTABLISHED,RELATED
> - allow NEW for selected services
> FORWARD:
> - allow NEW,ESTABLISHED,RELATED from LAN to WAN
> - allow ESTABLISHED,RELATED from WAN to LAN
> OUTPUT:
> - allow NEW,ESTABLISHED,RELATED
>
> where OUTPUT rules are optional if OUTPUT's policy is set to ACCEPT.
>
> Current connections being monitored are listed and accessible in procfs.
> When playing with Linux as a router for UDP traffic, you may want to
> play with the state matching related sysctls (also accessible via
> procfs) to adjust the timespan that the information is held. My VPN
> connections from LAN to WAN tend to time out otherwise. But that's just
> a side note.
>
> -hwh
>
> --

Thank you all,

The explanation was very clear. I thought because it's stateful it's not necessary to add the ESTABLISHED,RELATED stuff. I was using a setup like you say above.
Patrick

--
This is Unix-Land. In quiet nights, you can hear the Windows machines reboot.

--
[email protected] mailing list
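Added example, not from the thread or from either poster: hwh's INPUT/FORWARD/OUTPUT concept rendered as a POSIX shell function that emits an iptables-restore ruleset. The interface names eth0 (WAN) and eth1 (LAN) and the list of offered TCP ports are assumptions; `-m state --state` is the match the thread discusses (current iptables also accepts the equivalent `-m conntrack --ctstate`).

```shell
#!/bin/sh
# Assumed interfaces: eth0 faces the WAN, eth1 faces the LAN.
WAN_IF=eth0
LAN_IF=eth1

# build_ruleset PORT... : print an iptables-restore ruleset implementing
# hwh's concept. Each PORT is a TCP service offered to the WAN (NEW allowed).
# Load with: build_ruleset 22 80 | iptables-restore   (as root)
build_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic is always local
-A INPUT -i lo -j ACCEPT
# INPUT: replies to our own connections and related flows (FTP data,
# ICMP errors) must get back in, even though we only initiate outbound
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# INPUT: NEW only for the services we deliberately offer
EOF
  for p in "$@"; do
    echo "-A INPUT -i $WAN_IF -p tcp --dport $p -m state --state NEW -j ACCEPT"
  done
  cat <<EOF
# FORWARD: LAN may open connections to the WAN; WAN only gets replies back
-A FORWARD -i $LAN_IF -o $WAN_IF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# OUTPUT policy is ACCEPT, so this rule is optional (as hwh notes); kept for clarity
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Number of INPUT rules accepting NEW connections: exactly one per offered port.
count_input_new() {
  build_ruleset "$@" | grep -c -- '-A INPUT .*--state NEW '
}
```

The counter is a quick sanity check before loading: every NEW-accepting INPUT rule should correspond to a service you meant to expose.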

