On Wed, 28 Feb 2001, Paul Wouters wrote:

> I'd like to be able to deny all new connections to a firewall, with the
> exception of port 22 (sshd) and some ports I'd like to forward internally.
> However, it seems I can't make a rule that is using the state
> AND a source/dest port in there. E.g. the following won't work:
>
> iptables -A INPUT -i eth0 -m state --state NEW,INVALID --dport 22 -j DROP
> iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
> iptables -A FORWARD -i eth0 -m state --state NEW,INVALID --dport 25 -j ACCEPT
> iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
>
> Anyone? :)

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,INVALID -j DROP
iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 25 -m state --state NEW,INVALID -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

--sport and --dport need the -p tcp or -p udp flags to be set, as source and
destination ports may not make sense for certain protocols, most notably ICMP.

Bye,
Arthur.

--
 /\  /  | arthurvl@xxxxxxxxxx          | Work like you don't need the money
/__\/   | A friend is someone with whom | Love like you have never been hurt
/  \/__ | you can dare to be yourself   | Dance like there's nobody watching
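The point of the reply is that a --sport/--dport match is only meaningful once the rule names a protocol that has ports. The following POSIX sh lint, added here as an example and not code from either poster, scans iptables rule lines for exactly that omission so a firewall script can be checked before it is loaded (iptables would otherwise reject the rule at load time with an error about an unknown option). The protocol list, the function names and the sample rules in RULES are assumptions constructed for the illustration; the sample reuses the rules quoted in the thread.

```shell
# Added example, not from the thread: a small lint for iptables rule lines
# that flags a --sport/--dport match with no explicit protocol, the mistake
# discussed above. The RULES sample below is constructed for illustration.

# Protocols for which iptables accepts --sport/--dport matches (assumed list).
PORT_PROTOS="tcp udp udplite sctp dccp"

# has_proto "<rule>": succeed if the rule names one of PORT_PROTOS via -p or --protocol.
has_proto() {
    for proto in $PORT_PROTOS; do
        case " $1 " in
            *" -p $proto "*|*" --protocol $proto "*) return 0 ;;
        esac
    done
    return 1
}

# check_rule "<rule>": print a verdict; return 0 if fine, 1 if a port match has no protocol.
check_rule() {
    case " $1 " in
        *" --sport "*|*" --dport "*)
            if has_proto "$1"; then
                printf 'OK            %s\n' "$1"
                return 0
            fi
            printf 'MISSING-PROTO %s\n' "$1"
            return 1 ;;
        *)
            # No port match at all, so no protocol is required by this check.
            printf 'OK            %s\n' "$1"
            return 0 ;;
    esac
}

# check_rules_stdin: lint every non-empty line on stdin; return the number of bad rules.
check_rules_stdin() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        check_rule "$line" || bad=$((bad + 1))
    done
    return $bad
}

# Constructed sample: the two failing rules from the question beside their
# corrected forms, plus a stateful catch-all that needs no protocol.
RULES='iptables -A INPUT -i eth0 -m state --state NEW,INVALID --dport 22 -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID --dport 25 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 25 -m state --state NEW,INVALID -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP'

printf '%s\n' "$RULES" | check_rules_stdin
echo "rules without a protocol: $?"
```

Run against a real script with `grep '^iptables' firewall.sh | check_rules_stdin`; the exit status is the count of rules that would fail to load for this reason.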