Hi,
perhaps I need to explain my problem in more detail. If I use the
statement below

iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE -p tcp \
    --source-port 1025:65500 --destination-port 1025:65500 \
    -m state --state ESTABLISHED,RELATED -s $LAN -j ACCEPT

to prevent any NEW connections at those ports, it does NOT work. I also
observe NEW connections being accepted (the default policy for this
chain is DROP). If I allow only related connections, there are no
ftp-data connections in passive mode, that is, those ports are blocked
although the ftp-data connection is RELATED! So this does not seem to
work at all!
Below is a status report of iptables:

346      1    48 ACCEPT     tcp  --  eth1   eth0    192.168.0.0/24       0.0.0.0/0            tcp spts:1024:65535 spts:1024:65535 state RELATED,ESTABLISHED

347      0     0 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            192.168.0.0/24       tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED

This one lets everything at those ports through! In
/proc/net/ip_conntrack the entries concerning my PC (192.168.0.130),
which tries to connect to a limewire server, are listed below:

tcp      6 431997 ESTABLISHED src=192.168.0.254 dst=192.168.0.130 sport=32793 dport=6000 src=192.168.0.130 dst=192.168.0.254 sport=6000 dport=32793 [ASSURED] use=1
tcp      6 431997 ESTABLISHED src=192.168.0.254 dst=192.168.0.130 sport=32794 dport=6000 src=192.168.0.130 dst=192.168.0.254 sport=6000 dport=32794 [ASSURED] use=1
tcp      6 428722 ESTABLISHED src=192.168.0.130 dst=212.19.48.103 sport=54191 dport=22 src=212.19.48.103 dst=212.19.47.251 sport=22 dport=54191 [ASSURED] use=1
tcp      6 430964 ESTABLISHED src=192.168.0.130 dst=192.168.254.2 sport=43033 dport=22 src=192.168.254.2 dst=212.19.47.251 sport=22 dport=43033 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.0.130 dst=192.168.0.254 sport=43035 dport=22 src=192.168.0.254 dst=192.168.0.130 sport=22 dport=43035 [ASSURED] use=1
tcp      6 431997 ESTABLISHED src=192.168.0.130 dst=65.29.150.4 sport=58530 dport=6346 src=65.29.150.4 dst=212.19.47.251 sport=6346 dport=58530 [ASSURED] use=1

So this connection is established although there are no other/previous
connections to this server or related ones!!
Help?
Greetings Michael
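When auditing a state-matching ruleset like the one above, it helps to read /proc/net/ip_conntrack programmatically rather than by eye: the original tuple tells you which side opened the connection, and a reply tuple whose dst differs from the original src shows the connection was NATed on the way out. The parser below is an added example (not from Michael's post or from the netfilter project); the sample lines are constructed after the entries quoted above, and the helper names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the /proc/net/ip_conntrack entries quoted in the post
SAMPLE = """\
tcp      6 431997 ESTABLISHED src=192.168.0.254 dst=192.168.0.130 sport=32793 dport=6000 src=192.168.0.130 dst=192.168.0.254 sport=6000 dport=32793 [ASSURED] use=1
tcp      6 428722 ESTABLISHED src=192.168.0.130 dst=212.19.48.103 sport=54191 dport=22 src=212.19.48.103 dst=212.19.47.251 sport=22 dport=54191 [ASSURED] use=1
tcp      6 431997 ESTABLISHED src=192.168.0.130 dst=65.29.150.4 sport=58530 dport=6346 src=65.29.150.4 dst=212.19.47.251 sport=6346 dport=58530 [ASSURED] use=1
"""

# Each entry carries two tuples: the original direction, then the expected reply direction
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


@dataclass
class Entry:
    proto: str
    state: str          # TCP state column; empty for protocols without one (e.g. udp)
    orig: tuple         # (src, dst, sport, dport) of the packet that created the entry
    reply: tuple        # (src, dst, sport, dport) conntrack expects for replies
    assured: bool       # [ASSURED]: traffic has been seen in both directions

    def natted(self) -> bool:
        # Under SNAT/MASQUERADE the reply is addressed to the router's public
        # address instead of the host that originated the connection.
        return self.reply[1] != self.orig[0]


def parse_conntrack(text: str) -> list:
    entries = []
    for line in text.splitlines():
        fields = line.split()
        tuples = TUPLE_RE.findall(line)
        if len(fields) < 4 or len(tuples) != 2:
            continue  # skip blank or unexpected lines
        state = "" if fields[3].startswith("src=") else fields[3]
        orig = (tuples[0][0], tuples[0][1], int(tuples[0][2]), int(tuples[0][3]))
        reply = (tuples[1][0], tuples[1][1], int(tuples[1][2]), int(tuples[1][3]))
        entries.append(Entry(fields[0], state, orig, reply, "[ASSURED]" in line))
    return entries


def initiated_by(entries: list, host: str) -> list:
    """Connections whose original direction came from `host`, i.e. that host opened them."""
    return [e for e in entries if e.orig[0] == host]


def outside_port_range(entries: list, low: int, high: int) -> list:
    """Connections whose destination port falls outside low..high, so a rule
    restricted to that range cannot be the one that let them through."""
    return [e for e in entries if not low <= e.orig[3] <= high]
```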