James,

Thanks, I sent rule set to thread in another email. I don't have anything with ESTABLISHED or RELATED in it.

Chris

On Sat, Jun 22, 2002 at 05:43:22PM -0400, James T. Moore wrote:
> Chris,
>
> My guess would be that the firewall is allowing responses to connections
> that are already established, but it's impossible to say for sure without
> seeing the script used to create the firewall.
>
> Here is an example:
>
> $IPTABLES -A FORWARD -o $INET_IFACE -d $DNS_SERV1 -s $PRIV_LAN -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
>
> $IPTABLES -A FORWARD -i $INET_IFACE -s $DNS_SERV1 -d $PRIV_LAN -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
>
> The first rule allows the clients on the private LAN to query the DNS
> server. These packets can be part of a new or established connection so the
> clients can create new connections to connect to the DNS server.
>
> The second rule allows the DNS server to respond to the clients' request.
> These packets can only be part of an established connection so the DNS
> server (or any other host) can not create a new connection into the private
> LAN unless there are other rules to allow it.
>
> J.T.
>
> >Date: Sat, 22 Jun 2002 10:30:55 -0700
> >From: Christian Seberino <[EMAIL PROTECTED]>
> >To: [EMAIL PROTECTED]
> >Subject: how is this stuff getting thru default deny iptables firewall?....
> >
> >My firewall *only* forwards SSH stuff to private LAN.
> >
> >It forwards *everything* _from_ private LAN to Internet however.
> >
> >How can the private LAN use DNS which it does????
> >
> >How is DNS server returning the info thru firewall
> >if it *only* allows SSH??!?!?!?
> >
> >Chris

-- 
_______________________________________
Dr. Christian Seberino
SPAWAR Systems Center San Diego
Code 2363
53560 Hull Street
San Diego, CA 92152-5001
U.S.A.
Phone: (619) 553-7940
Fax: (619) 553-2836
Email: [EMAIL PROTECTED]
_______________________________________
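The behaviour J.T. describes (a default-deny FORWARD chain that still lets DNS answers back in because conntrack marks the UDP reply as ESTABLISHED) is shown below as an added example script; it is not the rule set from this thread. Interface names and addresses are constructed placeholders, and the script only prints the iptables commands unless run as root with APPLY=1.

```shell
#!/bin/sh
# Added example: default-deny FORWARD chain in the style of the thread.
# Outbound from the LAN is allowed; inbound NEW connections are limited to
# SSH; every reply to a LAN-initiated flow (DNS answers included) is let
# back in by the ESTABLISHED,RELATED rule, which is why "SSH only" firewalls
# still resolve names. Values below are constructed placeholders.

INET_IFACE="${INET_IFACE:-eth0}"          # Internet-facing interface
LAN_IFACE="${LAN_IFACE:-eth1}"            # private LAN interface
PRIV_LAN="${PRIV_LAN:-192.168.1.0/24}"    # private LAN range
SSH_HOST="${SSH_HOST:-192.168.1.10}"      # the one host reachable via SSH

# Print the rules instead of loading them unless APPLY=1 and we are root.
if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
    IPTABLES="iptables"
else
    IPTABLES="echo iptables"
fi

forward_rules() {
    # Default deny: anything not matched below is dropped.
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD

    # Replies to flows the LAN started. Conntrack tracks UDP too, so the
    # answer to a DNS query from the LAN is ESTABLISHED even though UDP has
    # no handshake; RELATED covers ICMP errors for tracked flows.
    # (Newer iptables prefers "-m conntrack --ctstate"; "-m state" still works.)
    $IPTABLES -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -d "$PRIV_LAN" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Everything the LAN initiates may go out.
    $IPTABLES -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -s "$PRIV_LAN" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # The only NEW connection accepted from the Internet: SSH to one host.
    # Without this rule no inbound NEW packet is forwarded at all.
    $IPTABLES -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -d "$SSH_HOST" \
        -p tcp --dport 22 -m state --state NEW -j ACCEPT
}

forward_rules
```

To see which rule a given packet matched in practice, `iptables -L FORWARD -v -n` shows per-rule packet counters, so a DNS reply should increment the ESTABLISHED,RELATED rule rather than any SSH rule.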
