On 2/19/07, Alvin Chang <alvin.chang@xxxxxxxxx> wrote:
> On 19/02/07, Indunil Jayasooriya <indunil75@xxxxxxxxx> wrote:
> > WHY?
> STOP USING CAPITALS, IT'S CONSIDERED SHOUTING!
Instead of CAPITALS, I used lowercase letters as below.
iptables -A INPUT -i eth0 -d 192.168.101.60 -p tcp -m state --state established,related -j ACCEPT
But I cannot use -A INPUT as -a input; then it does not work.
Anyway, I would like to get more help on this.
I want to know whether "-m state --state established,related -j ACCEPT" works for all tcp, udp and icmp protocols, or only for tcp. (For tcp, it works.)
I am testing the rule below. It is udp.
iptables -A OUTPUT -p udp -o eth0 --dport 53 -m state --state NEW -j ACCEPT
When I have the rule below for the above, it works. If I remove it, it will not. WHY?
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
Please note that I have already added the rule below:
iptables -A INPUT -i eth0 -d 192.168.101.60 -p tcp -m state --state established,related -j ACCEPT
> Before you ask anything about IPtables, print out the results from
> iptables -L. It could very well be that the order of your rules is
> MESSED UP!
Please see below:
[root@firebox rc.d]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere firebox.itabspl.com state RELATED,ESTABLISHED
ACCEPT all -- localhost.localdomain localhost.localdomain
ACCEPT tcp -- anywhere firebox.itabspl.com tcp dpt:ssh
ACCEPT tcp -- anywhere 192.168.102.253 tcp dpt:ssh
ACCEPT icmp -- firebox.itabspl.com anywhere
ACCEPT icmp -- 192.168.102.0/24 192.168.102.253
ACCEPT icmp -- 66.94.234.13 anywhere
ACCEPT icmp -- 64.233.189.104 anywhere
ACCEPT icmp -- 203.143.4.1 anywhere
ACCEPT udp -- anywhere anywhere udp spts:traceroute:33523
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp type 30
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- 192.168.102.0/24 anywhere udp dpt:domain
ACCEPT udp -- anywhere 192.168.102.0/24 udp spt:domain
ACCEPT udp -- 192.168.100.3 anywhere udp dpt:domain
ACCEPT udp -- anywhere 192.168.100.3 udp spt:domain
ACCEPT tcp -- 192.168.102.25 anywhere multiport dports ssh,smtp,domain,http,https,pop3,imap
ACCEPT tcp -- 192.168.102.0/24 anywhere multiport dports http,https
ACCEPT tcp -- 192.168.100.3 anywhere multiport dports smtp,http,https
ACCEPT icmp -- 192.168.102.25 64.233.189.104
ACCEPT icmp -- 64.233.189.104 192.168.102.25
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- localhost.localdomain localhost.localdomain
ACCEPT tcp -- firebox.itabspl.com anywhere tcp dpt:ssh
ACCEPT udp -- firebox.itabspl.com anywhere udp dpt:domain state NEW
ACCEPT tcp -- firebox.itabspl.com anywhere tcp dpt:domain
ACCEPT tcp -- firebox.itabspl.com anywhere tcp spt:ssh
ACCEPT tcp -- 192.168.100.253 anywhere tcp spt:ssh
ACCEPT tcp -- 192.168.102.253 anywhere tcp spt:ssh
ACCEPT icmp -- anywhere firebox.itabspl.com
ACCEPT icmp -- 192.168.102.253 192.168.102.0/24
ACCEPT icmp -- anywhere 66.94.234.13
ACCEPT icmp -- anywhere 64.233.189.104
ACCEPT udp -- anywhere anywhere udp dpts:traceroute:33523
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp type 30
ACCEPT icmp -- anywhere 203.143.4.1
> --
> Alvin Chang Yu-Ming
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos
--
Thank you
Indunil Jayasooriya
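The dump above answers the question in the thread: conntrack tracks tcp, udp and icmp connections alike (a DNS reply is ESTABLISHED, an ICMP error is RELATED), but the INPUT chain's only state rule is bound to `-p tcp`, so the reply to the outbound UDP query never matches it and falls through to the DROP policy. The `--sport 53` rule that makes DNS "work" papers over that by accepting any UDP datagram whose source port happens to be 53, whether or not this host asked for it. The script below is an added example written for this page, not code from either poster: it puts the rules as posted beside a protocol-agnostic state rule that makes the blanket `--sport 53` accept unnecessary, and adds a small audit helper that reads `iptables -L` output and lists state rules restricted to a single protocol. The host address 192.168.101.60 and interface eth0 come from the thread; the sample dump is a constructed excerpt of the INPUT and FORWARD chains shown above; `tcp_only_state_rules` and the other function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): stateful rules that cover
# all protocols, and an audit for `iptables -L` dumps that would catch the
# tcp-only state rule shown in the thread.

HOST_IP=192.168.101.60   # firewall address used in the thread
IFACE=eth0               # interface used in the thread

# Rules as posted. The state match is limited to tcp, so the conntrack entry
# created by the outgoing UDP query matches nothing in INPUT and the DNS reply
# is dropped by the chain policy. The --sport 53 rule added as a workaround
# accepts unsolicited UDP from any host as long as its source port is 53.
rules_as_posted() {
    cat <<EOF
iptables -A OUTPUT -o $IFACE -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $IFACE -d $HOST_IP -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $IFACE -p udp --sport 53 -j ACCEPT
EOF
}

# Corrected rules. Without "-p tcp" the one state rule accepts replies to every
# connection this host initiated (tcp, udp and icmp), so the reply to the DNS
# query is let in only because a matching conntrack entry exists, and the
# blanket --sport 53 rule can be removed.
rules_corrected() {
    cat <<EOF
iptables -A OUTPUT -o $IFACE -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $IFACE -d $HOST_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Audit helper: read `iptables -L` output on stdin and print "CHAIN proto" for
# each ESTABLISHED,RELATED ACCEPT rule bound to one protocol. Such a rule
# silently excludes replies for the other protocols, which is the symptom in
# the thread. Rules with proto "all" are the expected form and are not listed.
tcp_only_state_rules() {
    awk '
        /^Chain / { chain = $2; next }
        $1 == "ACCEPT" && $2 != "all" && /state RELATED,ESTABLISHED/ { print chain, $2 }
    '
}

# Constructed sample: an excerpt of the INPUT and FORWARD chains from the
# `iptables -L` dump posted in the thread, with the column spacing restored.
SAMPLE_DUMP='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             firebox.itabspl.com  state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             udp spts:traceroute:33523
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             state RELATED,ESTABLISHED
Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  localhost.localdomain localhost.localdomain'

# Run the audit over the constructed sample; both state rules are tcp-only,
# so the expected output is "INPUT tcp" and "FORWARD tcp".
audit_sample() {
    printf '%s\n' "$SAMPLE_DUMP" | tcp_only_state_rules
}

echo "== state rules bound to a single protocol (constructed sample) =="
audit_sample
echo "== corrected rules =="
rules_corrected
```

On a live firewall the same check is `iptables -L | tcp_only_state_rules` as root; adding `-n` (`iptables -L -n`) keeps addresses numeric so the hostnames seen in the dump above (firebox.itabspl.com, localhost.localdomain) do not appear, and the awk pattern still matches because it keys on the target, protocol and state columns only.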