On Sun, 12 Oct 2003 20:54:00 +0200 Cedric Blancher <blancher@xxxxxxxxxxxxxxxxxx> wrote:

> Not working for SSH.
>
> In fact, it should work. A TCP SYN flagged as NEW will be sent to
> CH_SSH chain, then be accepted by CH_SSH rule that allows NEW packets.
> Then further packets are going by. They are ESTABLISHED.
>
> They match first rule so they are sent to CH_SSH chain. They do not
> match the rule, for these packets are not NEW. So they hit end of
> user chain and are returned to FORWARD chain, rule 2. They match rule
> 2 and then get accepted.

Yes, sorry, you're right, but I forgot to mention that I have a cleanup rule at the end of the CH_SSH:

$IPT -A CH_SSH -j DROP

> If it does not work as yours, then you have a drop all rule at the
> end of CH_SSH chain (I suppose) that prevents packet from returning
> from user chain (CH_SSH here) to calling chain (FORWARD here).

You got it right ;-)

> To me, the best way to handle this is :
>
> # ESTABLISHED and RELATED packets are accepted anyway
> # We accept them first as they are the most treated packets
> $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Then we take care of each proto.
> $IPT -A FORWARD -p tcp --dport 22 -j CH_SSH
> [...]
> $IPT -A CH_SSH -m state --state NEW -s 1.2.3.4 -j ACCEPT
>
> Case 3 works because you enforce ESTABLISHED,RELATED accept in your
> user chain.
>
> I really do think that 1st case is the best way to handle, as it
> implies fewer rule evaluations for each packet.

Ok, thanks a lot, it's much clearer now :)

R.

-- 
___________________________________________________________________
Recursion: see recursion
+------------------------------------------------------------------+
| Richard Lucassen, Utrecht                                        |
| Public key and email address:                                    |
| http://www.lucassen.org/mail-pubkey.html                         |
+------------------------------------------------------------------+
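To make the chain-traversal argument in this exchange checkable without a netfilter box, here is a small model (added here, not code from either poster) of how iptables walks FORWARD and a user chain, fed with the two layouts discussed: the original one with a cleanup DROP at the end of CH_SSH, and Cedric's one with ESTABLISHED,RELATED accepted first. The packets, the Rule/traverse names and the FORWARD policy are constructed for the model; 1.2.3.4 is the address from the thread.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Rule:
    target: str                 # "ACCEPT", "DROP" or a user-chain name (jump)
    state: set | None = None    # -m state --state ...
    dport: int | None = None    # -p tcp --dport ...
    src: str | None = None      # -s ...

    def matches(self, pkt: dict) -> bool:
        return ((self.state is None or pkt["state"] in self.state)
                and (self.dport is None or pkt["dport"] == self.dport)
                and (self.src is None or pkt["src"] == self.src))

def traverse(chains: dict, chain: str, pkt: dict, policy="DROP"):
    """Walk a chain like netfilter: first matching terminating target wins;
    a user chain that matches nothing returns (None) to its caller."""
    for rule in chains[chain]:
        if not rule.matches(pkt):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        verdict = traverse(chains, rule.target, pkt, policy=None)  # jump
        if verdict is not None:    # None = implicit RETURN from user chain
            return verdict
    return policy  # built-in chain: its policy; user chain: RETURN (None)

# Richard's layout: dispatch to CH_SSH first, cleanup DROP at the end of CH_SSH
BROKEN = {
    "FORWARD": [Rule("CH_SSH", dport=22),
                Rule("ACCEPT", state={"ESTABLISHED", "RELATED"})],
    "CH_SSH":  [Rule("ACCEPT", state={"NEW"}, src="1.2.3.4"),
                Rule("DROP")],
}
# Cedric's layout: ESTABLISHED,RELATED accepted before any per-proto dispatch
FIXED = {
    "FORWARD": [Rule("ACCEPT", state={"ESTABLISHED", "RELATED"}),
                Rule("CH_SSH", dport=22)],
    "CH_SSH":  [Rule("ACCEPT", state={"NEW"}, src="1.2.3.4"),
                Rule("DROP")],
}

SYN = {"state": "NEW", "dport": 22, "src": "1.2.3.4"}          # constructed
DATA = {"state": "ESTABLISHED", "dport": 22, "src": "1.2.3.4"}  # constructed

def verdicts(chains: dict) -> dict:
    """Verdict for the opening SYN and for a later packet of the same flow."""
    return {"syn": traverse(chains, "FORWARD", SYN),
            "data": traverse(chains, "FORWARD", DATA)}

if __name__ == "__main__":
    print("broken:", verdicts(BROKEN))  # {'syn': 'ACCEPT', 'data': 'DROP'}
    print("fixed:", verdicts(FIXED))    # {'syn': 'ACCEPT', 'data': 'ACCEPT'}
```

The model shows the thread's point directly: with the DROP at the end of CH_SSH the ESTABLISHED packets never get back to FORWARD rule 2, so the SSH session stalls after the handshake.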