Re: IP Spoofing

On Friday 07 November 2003 1:34 pm, David C. Hart wrote:

> On Fri, 2003-11-07 at 07:26, Ted Kaczmarek wrote:
> > I would add an input established on that as well, makes it easier to do
> > upgrades.
> >
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> Hi Ted:
>
> If you have a moment, could you please explain (for the comparative IPT
> nitwits - including me) what that does?

Any packet which arrives at the machine running netfilter (because this rule 
is in the INPUT chain - if it were in the FORWARD chain then it would apply 
to any packet being routed through the machine running netfilter) which is 
part of an ESTABLISHED connection, or which is RELATED to an ESTABLISHED 
connection, is ACCEPTed.

What defines a connection as ESTABLISHED?

Basically, "is there an entry for it in the connection tracking table?"
Entries get placed in this table when the first packet of a connection gets 
seen (this will only happen if you have an OUTPUT rule, or a FORWARD rule, 
allowing that first packet to be ACCEPTed).   After that, the reply and all 
other packets which are part of the same connection (which is defined by the 
source & destination IP plus the source & destination port numbers) will get 
matched by the rule above, no matter which other rule matched the first 
packet.

What defines a packet as RELATED?

Either, is it known to a connection tracking helper for a specific protocol 
which uses multiple connections (such as FTP), or, is it an ICMP packet in 
response to another packet, indicating a problem somewhere.

HTH

Antony.

-- 

If books were designed by Microsoft, the Anarchist's Cookbook would explode 
when you read it.

 - Mark W Schumann
                                                     Please reply to the list;
                                                           please don't CC me.
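The mechanics Antony describes (the first accepted packet creates a conntrack entry, replies then match ESTABLISHED whatever rule let the first packet through, and an ICMP error that quotes a tracked connection is RELATED) can be modelled in a few dozen lines. The following is an added example, not code from the original post or from the netfilter project: the Rule/Chain classes, the packet sequence and the addresses (RFC 5737 documentation ranges) are all constructed for illustration. One assumption worth flagging: the table key here includes the transport protocol as well as the two addresses and two ports, which is how the kernel actually keys its tuples.

```python
"""Toy model of netfilter connection tracking and -m state matching.
Added example; the rule representation and packets are constructed."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    # For ICMP errors: the packet that triggered the error. Real ICMP errors
    # quote the offending IP header plus the first 8 bytes of its payload,
    # which is enough for conntrack to recover the original tuple.
    inner: Optional["Packet"] = None

    def key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_key(self):
        return (self.proto, self.dst, self.dport, self.src, self.sport)


class ConnTrack:
    """The connection tracking table: a set of 5-tuples."""

    def __init__(self):
        self.table = set()

    def _tracked(self, pkt):
        return pkt.key() in self.table or pkt.reverse_key() in self.table

    def classify(self, pkt):
        """What -m state would report for this packet."""
        if self._tracked(pkt):
            return "ESTABLISHED"
        # ICMP error about a connection we are tracking -> RELATED
        if pkt.proto == "icmp" and pkt.inner is not None and self._tracked(pkt.inner):
            return "RELATED"
        return "NEW"

    def confirm(self, pkt):
        """Only ACCEPTed packets create entries; a dropped first packet never
        does, so its 'replies' would still be NEW."""
        if not (pkt.proto == "icmp" and pkt.inner is not None):
            self.table.add(pkt.key())


@dataclass
class Rule:
    states: Optional[frozenset]          # None = no -m state clause
    match: Callable[[Packet], bool]
    verdict: str


class Chain:
    def __init__(self, policy, rules):
        self.policy, self.rules = policy, rules

    def run(self, pkt, state):
        for r in self.rules:
            if r.states is not None and state not in r.states:
                continue
            if r.match(pkt):
                return r.verdict
        return self.policy


def build_firewall():
    ct = ConnTrack()
    # INPUT: default DROP, accept ESTABLISHED/RELATED, only SSH may be NEW.
    inp = Chain("DROP", [
        Rule(frozenset({"ESTABLISHED", "RELATED"}), lambda p: True, "ACCEPT"),
        Rule(frozenset({"NEW"}), lambda p: p.proto == "tcp" and p.dport == 22, "ACCEPT"),
    ])
    # OUTPUT: accept all; this is what lets an outbound first packet create
    # the conntrack entry that its replies later match.
    out = Chain("ACCEPT", [])
    return ct, inp, out


def filter_packet(ct, chain, pkt):
    state = ct.classify(pkt)
    verdict = chain.run(pkt, state)
    if verdict == "ACCEPT":
        ct.confirm(pkt)
    return state, verdict


def demo():
    ct, INPUT, OUTPUT = build_firewall()
    me, web, other = "192.0.2.10", "198.51.100.80", "203.0.113.7"
    seq = [
        (OUTPUT, Packet("tcp", me, 40000, web, 80)),          # our HTTP request
        (INPUT, Packet("tcp", web, 80, me, 40000)),           # the reply
        (INPUT, Packet("icmp", "198.51.100.1", 0, me, 0,      # router error about it
                       inner=Packet("tcp", me, 40000, web, 80))),
        (INPUT, Packet("tcp", other, 55555, me, 80)),         # unsolicited SYN
        (INPUT, Packet("tcp", other, 55556, me, 22)),         # inbound SSH
    ]
    return [filter_packet(ct, chain, pkt) for chain, pkt in seq]


if __name__ == "__main__":
    for state, verdict in demo():
        print(f"{state:12} -> {verdict}")
```

Running it shows the HTTP reply accepted as ESTABLISHED although no INPUT rule mentions port 80, the ICMP error accepted as RELATED, and the unsolicited SYN to port 80 dropped as NEW by the chain policy. On current kernels the same rule is usually written `-m conntrack --ctstate ESTABLISHED,RELATED`; the lookup it performs is the one modelled here.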

