RE: NAT & MySQL

Yeah you are correct Jeff.  Don't know what I was thinking. Maybe that's the
problem: I wasn't.

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
[mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Jeffrey Laramie
Sent: Tuesday, November 25, 2003 1:25 PM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: NAT & MySQL

Mark E. Donaldson wrote:

> The ACK packets you see in your dump are probably being dropped at the 
> firewall because a state table entry does not exist.  So you need to 
> add a NEW rule to do this:
>  
> iptables -A FORWARD -i ppp0 -o eth0 -m state --state NEW -j ACCEPT
>  
> this rule will then allow your ESTABLISHED,RELATED rule to work and 
> permit those ACK packets to pass.
>
>

Hi Mark,

I'm not sure I understand what this rule does for him. Only the first packet
from the web client would be NEW and based on his FORWARD rules that's been
accepted and the dump shows it went through (although I'd still like to see
his SNAT rule). Your rule would open his mysql server to any NEW packet. Are
you saying that the RELATED ACK packets won't go through unless the first
packet is matched with a NEW state and makes an entry in the state table?

Jeff
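As an added illustration that is not part of this thread: a small Python model of the FORWARD chain and its state table, showing why the ESTABLISHED,RELATED rule alone cannot match an ACK that has no state entry, and what the proposed ppp0-to-eth0 NEW rule would let in. Assumed for the example: ppp0 is the Internet side, eth0 the LAN, the MySQL server is 192.168.1.20:3306, and an untracked non-SYN packet is treated as INVALID (a simplification of real conntrack, which can also pick up mid-stream packets).

```python
# Toy model of the iptables FORWARD chain with -m state (constructed example).
# Assumptions: ppp0 faces the Internet, eth0 the LAN, MySQL is 192.168.1.20:3306,
# and an untracked packet is NEW only if it is a SYN (real conntrack is looser).

def flow_key(pkt):
    # Direction-agnostic key so the reply matches the entry the request made.
    return frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])

def classify(conntrack, pkt):
    if flow_key(pkt) in conntrack:
        return "ESTABLISHED"
    return "NEW" if pkt["syn"] else "INVALID"

def forward(rules, conntrack, pkt):
    """Walk the chain in order; the chain policy is DROP."""
    state = classify(conntrack, pkt)
    for r in rules:
        if r["in"] not in (None, pkt["in"]) or r["out"] not in (None, pkt["out"]):
            continue
        if state not in r["state"]:
            continue
        if r["target"] == "ACCEPT" and state == "NEW":
            conntrack.add(flow_key(pkt))  # entry exists once the NEW packet passes
        return r["target"]
    return "DROP"

def mkpkt(inif, outif, src, sport, dst, dport, syn):
    return {"in": inif, "out": outif, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "syn": syn}

# LAN may originate connections; anything already tracked may return.
SAFE = [
    {"in": "eth0", "out": "ppp0", "state": {"NEW"}, "target": "ACCEPT"},
    {"in": None, "out": None, "state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
]
# The rule proposed in the thread: -i ppp0 -o eth0 -m state --state NEW -j ACCEPT
OPEN = SAFE + [{"in": "ppp0", "out": "eth0", "state": {"NEW"}, "target": "ACCEPT"}]

def scenario(rules):
    ct, out = set(), {}
    # LAN client opens a web connection outbound: NEW, creates the entry.
    out["lan_syn"] = forward(rules, ct, mkpkt("eth0", "ppp0", "192.168.1.10", 40000, "203.0.113.5", 80, True))
    # The server's reply hits the same entry: ESTABLISHED.
    out["reply_ack"] = forward(rules, ct, mkpkt("ppp0", "eth0", "203.0.113.5", 80, "192.168.1.10", 40000, False))
    # An ACK for a flow the firewall never saw: no entry, so ESTABLISHED cannot match.
    out["stray_ack"] = forward(rules, ct, mkpkt("ppp0", "eth0", "198.51.100.7", 5555, "192.168.1.20", 3306, False))
    # An unsolicited SYN from the Internet to the MySQL server.
    out["mysql_syn"] = forward(rules, ct, mkpkt("ppp0", "eth0", "198.51.100.7", 5556, "192.168.1.20", 3306, True))
    return out
```

scenario(SAFE) drops both inbound packets, while scenario(OPEN) still drops the stray ACK but accepts the unsolicited SYN to MySQL, which is the exposure Jeff points out.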
