I cannot add these rules with --syn, because iptables gives me the error: bad argument '--syn'. If I write these rules without the --syn argument, the iptables rules apply successfully. If I write rules with chain NEW but without the --syn argument, will my packet filter accept (or forward) new packets without --syn?

> On Sat 06/09/2003 at 12:53, Владимир Потапов wrote:
> > And which chain do I need to add to the ruleset?
>
> Just rewrite your ruleset as follows:
>
> # nat table
> -A PREROUTING -t nat -d 121.1.1.1 -i eth0 -p tcp -j DNAT \
>   --to-destination 192.168.5.2
> -A PREROUTING -t nat -d 121.1.1.1 -i eth0 -p udp -j DNAT \
>   --to-destination 192.168.5.2
> -A POSTROUTING -t nat -o eth0 -j SNAT --to-source 121.1.1.1
>
> # filter table
> -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A FORWARD -d 192.168.5.2/255.255.255.255 -i eth0 -o eth1 -m state \
>   --state NEW -p tcp -m tcp --dport 53 --syn -j ACCEPT
> -A FORWARD -d 192.168.5.2/255.255.255.255 -i eth0 -o eth1 -m state \
>   --state NEW -p udp -m udp --dport 53 -j ACCEPT
> -A FORWARD -s 192.168.5.0/255.255.255.0 -i eth1 -o eth0 -m state \
>   --state NEW -p tcp -m tcp --dport 53 --syn -j allow
> -A FORWARD -s 192.168.5.0/255.255.255.0 -i eth1 -o eth0 -m state \
>   --state NEW -p udp -m udp --dport 53 -j ACCEPT
>
> It should provide the same filtering functionalities you wanted, plus
> returning packets accepted through the ESTABLISHED,RELATED rule. If you really
> want to restrict it to TCP and UDP only, just replace this rule with two
> more specific ones:
>
> -A FORWARD -m state --state ESTABLISHED,RELATED -p udp -j ACCEPT
> -A FORWARD -m state --state ESTABLISHED,RELATED -p tcp -j ACCEPT
>
> I removed rules that seem redundant, in particular your TCP flags check
> rule that was replaced with the --syn switch addition. I also restricted
> inbound DNS filtering to 192.168.5.2 only.
>
> Hope this helps.
>
> --
> http://www.netexit.com/~sid/
> PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
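The question above (does "--state NEW" without "--syn" let a non-SYN TCP packet through?) can be illustrated with a small model. The following is an added example, not code from this thread or from the netfilter project: it models, in simplified form, how Linux connection tracking classifies a TCP packet that has no existing conntrack entry, and how a rule of the form "-m state --state NEW -p tcp --dport 53 [--syn] -j ACCEPT" treats that packet with and without --syn. With the kernel's default nf_conntrack_tcp_loose=1, a bare ACK for an unknown connection is picked up mid-stream and reported as NEW, so a NEW rule without --syn accepts it; --syn (shorthand for --tcp-flags SYN,RST,ACK,FIN SYN) is what confines the rule to real connection openers. The packets, the conntrack table and the tcp_loose flag are constructed here for illustration; the state table only covers the cases discussed.

```python
# Added example, not code from the original thread. Simplified model of
# conntrack state classification plus the iptables "state" and "--syn"
# matches. Packets, the known-connections set and tcp_loose are constructed.

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK", "FIN", "RST"}


def is_syn(pkt):
    """iptables --syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN."""
    return "SYN" in pkt.flags and not (pkt.flags & {"RST", "ACK", "FIN"})


def conntrack_state(pkt, known, tcp_loose=True):
    """State the 'state' match sees for pkt.

    known: set of (src, sport, dst, dport) tuples already tracked.
    tcp_loose: models nf_conntrack_tcp_loose (1 by default). When set,
    conntrack picks up a connection mid-stream from a plain ACK packet,
    so that packet is NEW even though it is not a SYN. When cleared,
    such packets are INVALID. Other first packets are treated as INVALID
    in this simplified model.
    """
    if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in known:
        return "ESTABLISHED"
    if is_syn(pkt):
        return "NEW"
    if "ACK" in pkt.flags and not (pkt.flags & {"SYN", "RST", "FIN"}):
        return "NEW" if tcp_loose else "INVALID"
    return "INVALID"


def rule_accepts(pkt, state, dport=53, require_syn=True):
    """Does '-m state --state NEW -p tcp --dport <dport> [--syn]' match?"""
    if state != "NEW" or pkt.dport != dport:
        return False
    return is_syn(pkt) if require_syn else True


def evaluate(pkt, require_syn, tcp_loose=True):
    """Run pkt through an empty conntrack table and then the FORWARD rule."""
    state = conntrack_state(pkt, known=set(), tcp_loose=tcp_loose)
    return state, rule_accepts(pkt, state, require_syn=require_syn)


# Constructed sample packets toward the DNS server from the thread:
# a proper connection opener and a bare ACK no existing connection explains.
SYN_PKT = Packet("198.51.100.7", 40000, "192.168.5.2", 53, frozenset({"SYN"}))
ACK_PKT = Packet("198.51.100.7", 40001, "192.168.5.2", 53, frozenset({"ACK"}))

if __name__ == "__main__":
    for name, pkt in (("SYN", SYN_PKT), ("bare ACK", ACK_PKT)):
        for require_syn in (False, True):
            label = "--syn" if require_syn else "no --syn"
            print(name, label, evaluate(pkt, require_syn))
    print("bare ACK, tcp_loose=0:", evaluate(ACK_PKT, False, tcp_loose=False))
```

Running it shows the bare ACK reported as NEW and accepted by the rule without --syn, rejected once --syn is present, and classified INVALID (so never NEW) when tcp_loose is cleared; a SYN is accepted either way. The practical reading for the rule set in the quoted reply is that --syn on the NEW rules is a useful guard, and that a rule without it should be paired with a check of the conntrack sysctl on the box.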