Grant Parnell wrote:
> On Tue, 5 Apr 2005, Howard Lowndes wrote:
>> I've just upgraded a box (hardware & software) from RH 7.1 with an early 2.4.x kernel to FC3 with the latest 2.6.x kernel, but most of the config files I have brought over from the old box including the iptables rules sets, and it's these that are giving me grief.
>> The box acts as a gateway filter/router/NAT box.
>> Specifically the problem relates to a workstation behind the firewall trying to establish a tcp connection out onto the I'net.
>> The relevant iptable is one that ACCEPTs all TCP packets that are state ESTABLISHED,RELATED. Something like:
>>
>> iptables -A chain_name -p TCP -m state --state ESTABLISHED,RELATED \
>> -j ACCEPT
>
> Shouldn't this be
>
> iptables -A chain_name -m state --state ESTABLISHED,RELATED \
> -j ACCEPT
>
> Ie no mention of '-p TCP' (which should be '-p tcp' anyway - ie lower case). I guess ESTABLISHED pretty much only applies to TCP but I could be wrong (GRE?)
The protocol name is not case sensitive, unlike the chain name and the target name.

In or out, -p tcp makes no difference.

I know it works because it has worked in the old box for years, and is now continuing to work in the old box, which is back on line whilst I try to fathom out the new box. The rule sets were an scp copy from one box to the other, so I guess the problem has to be something to do with either the new kernel or the updated iptables program and the way it or both handle established connections.
--
Howard.
LANNet Computing Associates - Your Linux people <http://lannet.com.au>
--
When you just want a system that works, you choose Linux;
When you want a system that just works, you choose Microsoft.
--
Flatter government, not fatter government; Get rid of the Australian states.
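A minimal stateful gateway ruleset in the protocol-agnostic form Grant suggests, as an added example that is not code from either poster. The interface names, the LAN prefix and the dry-run convention (set IPT="echo iptables" to print the commands instead of running them) are assumptions. It also carries a small lint that flags the '-p tcp ... --state ESTABLISHED,RELATED' pattern from the original rule, because a state rule bound to one protocol leaves UDP replies (DNS answers) and RELATED ICMP errors to the chain's default policy.

```shell
#!/bin/sh
# Added example: minimal stateful filter/NAT ruleset for a Linux gateway.
# IPT defaults to the real binary; IPT="echo iptables" gives a dry run.
IPT=${IPT:-iptables}
LAN_IF=${LAN_IF:-eth1}               # inside interface (assumed name)
WAN_IF=${WAN_IF:-eth0}               # outside interface (assumed name)
LAN_NET=${LAN_NET:-192.168.0.0/24}   # constructed example prefix

apply_gateway_rules() {
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Reply traffic for every tracked protocol: tcp, udp (DNS answers)
    # and icmp errors (RELATED). No '-p tcp' here on purpose, otherwise
    # udp/icmp replies fall through to the DROP policy.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only new connections that originate on the LAN may be forwarded out.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m state --state NEW -j ACCEPT
    # Packets the tracker cannot classify (e.g. mid-stream segments seen
    # right after a reboot) are dropped explicitly.
    $IPT -A FORWARD -m state --state INVALID -j DROP
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Lint helper: returns 0 when a rule line combines a '-p' protocol match
# with the ESTABLISHED state match (the pattern discussed in the thread).
state_rule_is_proto_bound() {
    case "$1" in
        *--state*ESTABLISHED*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *" -p "*) return 0 ;;
    esac
    return 1
}

# Run every rule the script would emit through the lint check.
# Returns 1 on the first protocol-bound state rule found.
lint_ruleset() {
    (IPT="echo iptables"; apply_gateway_rules) | while IFS= read -r line; do
        if state_rule_is_proto_bound "$line"; then
            echo "proto-bound state rule: $line"
            exit 1
        fi
    done
}

case "${1:-}" in
    apply) apply_gateway_rules ;;
    lint)  lint_ruleset ;;
esac
```

Usage: `IPT="echo iptables" sh gateway.sh apply` prints the rules without touching the kernel; `sh gateway.sh lint` runs the check. The state rule sits at the top of both INPUT and FORWARD so that every reply packet is matched once by the connection tracker rather than by per-port rules.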
-- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
