Re: FORWARD rules

On Mon, 15 Sep 2003 09:56:22 +0200, 
Cedric Blancher <blancher@xxxxxxxxxxxxxxxxxx> wrote in message 
<1063612582.928.17.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>:

> On Sat 13/09/2003 at 08:42, Arnt Karlsen wrote:
> > ..wrong snippet.  ;-)  Reread the thread, and you'll see both I 
> > and Cedric weren't to clear on that we meant to say, we _implied_ 
> > things instead of actually _saying_ them
> 
> So, for the things to get clear, the whole script should be[1] :
> 
> 
> # default policies: drop anything not explicitly accepted below
> $IPTABLES -P FORWARD DROP
> $IPTABLES -P INPUT DROP
> 
> # return traffic of already-tracked connections
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> # new connections only from this source, only to DNS, HTTP and POP3
> $IPTABLES -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p tcp \
>         -m tcp --dport 53 -j ACCEPT
> $IPTABLES -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p udp \
>         -m udp --dport 53 -j ACCEPT
> $IPTABLES -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p tcp \
>         -m tcp --dport 80 -j ACCEPT
> $IPTABLES -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p tcp \
>         -m tcp --dport 110 -j ACCEPT
> 
> $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> echo "1" > /proc/sys/net/ipv4/ip_forward
> 
> 
> A -m state --state NEW,ESTABLISHED,RELATED _should not_ be used, as
> it's a quasi-generic full match (i.e. it matches nearly all packets).
> 
> 
> [1] Note I made a typo in my
> <1063363533.879.52.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> post,
> it's FORWARD, not INPUT...

..me too, ;-)  I of course meant we "weren't too clear on what 
we meant to say"...  ;-)

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.
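To make the ordering argument in the quoted script concrete, here is an added example (not from the thread or from Netfilter itself): a small first-match model of the FORWARD chain, with a hypothetical `Packet` carrying the conntrack state, showing that the `ESTABLISHED,RELATED`-first layout only admits new flows that hit a specific rule, while a leading `NEW,ESTABLISHED,RELATED` rule accepts everything conntrack does not flag as INVALID.

```python
# Added example, not code from the mailing-list thread. Models the quoted
# FORWARD chain as first-match rule evaluation; Packet.state stands in for
# the conntrack state that "-m state" inspects.
from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class Packet:
    src: str
    proto: str   # "tcp" or "udp"
    dport: int
    state: str   # NEW, ESTABLISHED, RELATED or INVALID (conntrack verdict)


@dataclass
class Rule:
    states: Set[str]
    target: str
    src: Optional[str] = None    # None means "any", like omitting -s
    proto: Optional[str] = None  # None means "any", like omitting -p
    dport: Optional[int] = None  # None means "any", like omitting --dport

    def matches(self, p: Packet) -> bool:
        return (p.state in self.states
                and (self.src is None or p.src == self.src)
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport))


def forward(rules, p: Packet, policy: str = "DROP") -> str:
    """First matching rule decides, otherwise the chain policy (-P) applies."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy


LAN = "125.125.125.0"  # the /32 source address used in the quoted script

# The corrected chain from the thread: return traffic first, then
# explicit NEW rules for DNS (tcp/udp 53), HTTP (80) and POP3 (110).
GOOD = [
    Rule({"ESTABLISHED", "RELATED"}, "ACCEPT"),
    Rule({"NEW"}, "ACCEPT", LAN, "tcp", 53),
    Rule({"NEW"}, "ACCEPT", LAN, "udp", 53),
    Rule({"NEW"}, "ACCEPT", LAN, "tcp", 80),
    Rule({"NEW"}, "ACCEPT", LAN, "tcp", 110),
]

# The layout the thread warns against: the combined state rule placed first
# makes the per-port rules unreachable for NEW traffic.
BAD = [Rule({"NEW", "ESTABLISHED", "RELATED"}, "ACCEPT")] + GOOD[1:]
```

With `GOOD`, a NEW packet from the LAN host to tcp/80 is accepted, a NEW packet to tcp/25 or from any other source falls through to the DROP policy, and only INVALID packets escape the `BAD` chain's first rule.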