On Tuesday 26 November 2002 05:54 am, Iva "Cabric" Cabric wrote:
> Since mailman is blocking me here is reply again...
>
> On Sun, Nov 24, 2002 at 07:45:38PM -0500, Joel Newkirk wrote:
> > > $ iptables -A ssh -j ULOG -p tcp -m state --state NEW
> > >
> > > reports:
> > >
> > > iptables v1.2.6a: You must specify `--state'
> > > Try `iptables -h' or 'iptables --help' for more information.
> > >
> > > but using DROP works fine:
> > >
> > > $ iptables -A ssh -j DROP -p tcp -m state --state NEW
> >
> > Does the ULOG target work in other uses, IE "iptables -A FORWARD -j ULOG"
> > ?
>
> Nope, it gives same error:
>
> $ iptables -A FORWARD -j ULOG -p tcp -m state --state NEW
> iptables v1.2.6a: You must specify `--state'
>
> with INPUT and OUTPUT, also same thing. I'm not doing anything special
> (like NAT, conntrack, ftp, ...), just plain INPUT filtering.

Well, did you try the example I asked about? I suspect not, because the
problem here seems to be that "-j ULOG" should be AFTER the state matching
part of the rule... If I enter the line you used, I get the same '--state'
error, but if I put the target after the match (or remove the match, as per
my debugging suggestion above) it does NOT.

j