RE: portfw on iptables 2.4 kernel problem.


On 10 Dec 2002, Raymond Leach wrote:

> Yes, you do. Port 20 (and/or any other) connections after the control
> connection are not 'RELATED, ESTABLISHED' to the control connection.
> They are new connections either from the client to the server or vice
> versa. You therefore need separate rules for them.

If we are speaking about the data channels of the supported protocols
(FTP, IRC and all the other protocols from p-o-m), then this is absolutely
false.

> Remember connection tracking happens at a packet level, i.e all states
> relate to packets of a connection, not per protocol.

In the case of the supported protocols with additional channels, again,
untrue. Please do not spread false info! Why would then the RELATED state
exist?

> > However, I'm not sure if it's better to split them up into 2 rules :
> > iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 21 -m state --state
> > NEW -j ACCEPT
> > iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED
> > -j ACCEPT

Because the destination port of the data channels cannot be port 21,
therefore you must use two rules. And because you specify the
incoming/outgoing interfaces, you need a third rule for the reply packets
as well.

Regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
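The three-rule layout Jozsef describes, as an added example that is not part of the original message or of any netfilter project script. It assumes the interface roles of the quoted rules (clients arrive on eth0, the FTP server sits behind eth1), uses the 2.4-era `-m state` syntax from the thread, and only runs iptables when the caller sets APPLY_RULES=1; otherwise it prints the commands. The helper-module name for 2.4 (ip_conntrack_ftp) versus current kernels (nf_conntrack_ftp) is from my own knowledge, not from the page, and the "single rule" shown for comparison is an assumption about what the question was weighing, not a rule quoted on the page.

```shell
#!/bin/sh
# Added example, not from the original thread: FTP through a netfilter box
# needs the FTP conntrack helper (so the data channels become RELATED) plus
# three FORWARD rules, because the data channel never uses port 21 and the
# interface-specific rules do not match the reply direction.
# Assumptions (not from the page): eth0 = client side, eth1 = server side,
# APPLY_RULES=1 opts in to actually running iptables/modprobe.

# Name of the FTP connection-tracking helper for a given kernel release.
# 2.4 kernels (the thread's subject) ship it as ip_conntrack_ftp; current
# kernels call it nf_conntrack_ftp. Very early 2.6 kernels also used the old
# name; treating every non-2.4 kernel as "new" is a simplification here.
ftp_helper_module() {
    case "$1" in
        2.4.*) echo ip_conntrack_ftp ;;
        *)     echo nf_conntrack_ftp ;;
    esac
}

# Print the FORWARD rules for FTP clients on $1 reaching a server on $2.
# Without the helper loaded, every data connection is NEW and rules 2 and 3
# never match it; with it, the helper marks them RELATED to the control
# connection.
ftp_forward_rules() {
    wan="$1"; lan="$2"
    # 1. Control channel: only port 21 may open a NEW connection inward.
    echo "iptables -A FORWARD -i $wan -o $lan -p tcp --dport 21 -m state --state NEW -j ACCEPT"
    # 2. Inbound packets of known connections: replies on an active-mode data
    #    channel, and the client's own passive-mode data connection (RELATED).
    #    No --dport here: the data channel's port cannot be 21.
    echo "iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 3. Reply direction: rules 1 and 2 name interfaces, so server->client
    #    packets need their own rule. RELATED here admits the server's
    #    active-mode connection from port 20 back out to the client.
    echo "iptables -A FORWARD -i $lan -o $wan -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# For comparison only (assumed form of the "one rule" the question weighed):
# keeping --dport 21 on the state match drops every data channel, since a
# RELATED data connection does not carry destination port 21.
ftp_single_rule_wrong() {
    echo "iptables -A FORWARD -i $1 -o $2 -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
}

main() {
    wan="${1:-eth0}"; lan="${2:-eth1}"
    mod="$(ftp_helper_module "$(uname -r)")"
    if [ "${APPLY_RULES:-0}" = 1 ]; then
        # Load the helper first; otherwise the data channels are NEW.
        modprobe "$mod" || exit 1
        ftp_forward_rules "$wan" "$lan" | sh -e
    else
        echo "# dry run; set APPLY_RULES=1 to execute:"
        echo "modprobe $mod"
        ftp_forward_rules "$wan" "$lan"
    fi
}

main "$@"
```

Run it as root with `APPLY_RULES=1 ./ftp-forward.sh eth0 eth1` on a box whose FORWARD policy is DROP; with the helper loaded, `cat /proc/net/ip_conntrack` (2.4) shows the data connection with the same tuple the helper expected, and without it the transfer hangs after the directory listing is requested.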
