RE: FW: Allowing FTP and internal but nothing else

> -----Original Message-----
> From: Cedric Blancher [mailto:blancher@xxxxxxxxxxxxxxxxxx] 
> Sent: Wednesday, March 03, 2004 11:47 AM
> To: Paul Harlow
> Cc: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Re: FW: Allowing FTP and internal but nothing else
> 
> 
> On Wed 03/03/2004 at 19:08, Paul Harlow wrote:
> > As I said I'm severely new to IPTables so it's all experimentation now
> > and I would never have been able to come up with your last lines here.
> > I have used www.netfilter.org to get where I am this far.
> 
> I strongly advise you to read Oskar Andreasson's iptables tutorial at:
> 
> http://iptables-tutorial.frozentux.net/
> 
> This is a very good document, accessible to a beginner, that explains both syntax and concepts. A must-read if you want to produce a strong ruleset for Netfilter.

> > My question about your "full ruleset" of:
> > iptables -P INPUT DROP
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A INPUT -i eth0 -m state --state NEW -j ACCEPT
> > iptables -A INPUT -i eth1 -m state --state NEW -p tcp --dport 21 --syn -j ACCEPT
> > This doesn't appear to cover TCP port 20 for ftp-data conns. Or would
> > that be covered by the RELATED tag?

> Yes, that's it.
> Matching states allows you to cope with connection initiation (NEW state), following packets (ESTABLISHED state) and, for protocols such as FTP, the establishment of related connections (RELATED state). The RELATED state also covers ICMP errors. So my rules will cover the full FTP session, both the command and the data connection, and any ICMP error that could be raised in transit.
> 
> You'll see Netfilter conntrack is very powerful, as it allows you to produce a strong ruleset easily.
> 
> -- 
> http://www.netexit.com/~sid/
> PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
> >> Hi! I'm your friendly neighbourhood signature virus.
> >> Copy me to your signature file and help me spread!


Thanks for the help and the link. I'm going to use your configuration and check out that site to educate myself further here.
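Cedric's point about NEW, ESTABLISHED and RELATED covering the FTP data connection, worked through as an added toy model (not code from the thread or from Netfilter): the four INPUT rules quoted above are applied to a passive-mode FTP session from a client on eth1. The server and client addresses, the port numbers and the simplified helper that parses the 227 reply are all constructed for this example.

```python
# Toy model (constructed for this post, not the thread's own code) of how conntrack
# states let the INPUT rules above admit FTP data connections and ICMP errors.
import re
from dataclasses import dataclass
SERVER = "192.0.2.10"   # the Netfilter host itself, acting as FTP server (constructed)

@dataclass
class Pkt:
    iface: str; proto: str; src: str; sport: int; dst: str; dport: int
    syn: bool = False; payload: str = ""; ref: tuple = None  # ref: flow an ICMP error reports

class Conntrack:
    def __init__(self):
        self.flows = set()    # tracked flows as (client, cport, SERVER, sport)
        self.expect = set()   # expected data connections (client, SERVER, port)
    def key(self, p):         # both directions of a flow map to the same key
        return ((p.src, p.sport, p.dst, p.dport) if p.dst == SERVER
                else (p.dst, p.dport, p.src, p.sport))
    def state(self, p):
        if p.proto == "icmp":   # an error about a tracked flow is RELATED
            return "RELATED" if p.ref in self.flows else "INVALID"
        k = self.key(p)
        if k in self.flows:
            # FTP helper: a "227 ... (h1,h2,h3,h4,p1,p2)" reply from the server announces the data port
            m = re.match(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", p.payload)
            if k[3] == 21 and p.src == SERVER and m:
                self.expect.add((k[0], SERVER, int(m[5]) * 256 + int(m[6])))
            return "ESTABLISHED"
        self.flows.add(k)     # first packet of a flow not seen before
        return "RELATED" if (p.src, p.dst, p.dport) in self.expect else "NEW"

def input_chain(ct, p):   # the thread's INPUT rules in order, policy DROP
    st = ct.state(p)
    if st in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    if st == "NEW" and p.iface == "eth0":
        return "ACCEPT"
    if st == "NEW" and p.iface == "eth1" and p.proto == "tcp" and p.dport == 21 and p.syn:
        return "ACCEPT"
    return "DROP"

def passive_ftp_session(client="198.51.100.7"):   # one eth1 client, four INPUT verdicts
    ct = Conntrack()
    v = [input_chain(ct, Pkt("eth1", "tcp", client, 40001, SERVER, 21, syn=True))]
    ct.state(Pkt("eth1", "tcp", SERVER, 21, client, 40001,   # outbound 227, seen by conntrack
                 payload="227 Entering Passive Mode (192,0,2,10,195,80)"))
    v.append(input_chain(ct, Pkt("eth1", "tcp", client, 40002, SERVER, 50000, syn=True)))
    v.append(input_chain(ct, Pkt("eth1", "icmp", client, 0, SERVER, 0, ref=(client, 40001, SERVER, 21))))
    v.append(input_chain(ct, Pkt("eth1", "tcp", client, 40003, SERVER, 22, syn=True)))
    return v   # ['ACCEPT', 'ACCEPT', 'ACCEPT', 'DROP']
```

On a real host the expectation bookkeeping is done by the kernel's FTP conntrack helper (ip_conntrack_ftp on the 2.4/2.6 kernels of the time, nf_conntrack_ftp now), which has to be loaded for RELATED to match the data connection. Kernels since 4.7 no longer assign helpers automatically, so current systems also need a rule such as `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`.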
