Thanks Cedric, and this is my experience:

---------------------------------------

#!/bin/bash
#
# Interfaces (defined for reference; the rules below name eth0/eth1 directly)
IF0='192.168.0.67'
IF1='192.168.10.67'
# LANs
LAN0='192.168.0.0/24'
LAN1='192.168.10.0/24'
###############################################
# Flush all the tables
service iptables stop
# or this one
#iptables -F OUTPUT
#iptables -F FORWARD
#iptables -F INPUT

# Default policies: drop anything not explicitly accepted below
iptables -P INPUT DROP
iptables -P OUTPUT DROP

# suite 1 // Does not work for the data connection
#iptables -t filter -A FORWARD -i eth0 -o eth1 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -t filter -A FORWARD -i eth1 -o eth0 -p tcp --dport 21 -j ACCEPT

# suite 2 // Works for passive and active data connections
#iptables -t filter -A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -t filter -A OUTPUT -o eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT

# suite 3 // Does not work for the data connection
#iptables -t filter -A INPUT -i eth0 -p tcp -m state --state NEW,RELATED,ESTABLISHED --dport 21 -j ACCEPT

# suite 4 // Works for active data connections
#iptables -t filter -A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -t filter -A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT
#iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT

# suite 5 // Works for passive data connections
iptables -t filter -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -o eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT

---------------------------------------

Cedric Blancher <blancher@xxxxxxxxxxxxxxxxxx> wrote:
>
> On Tue 06/04/2004 at 09:01, __ Radien__ wrote:
> > By the way, about the ftp service, do you mean that with iptables I can set such
> > rules that can detect and pass the data connection corresponding to an
> > existing control connection, rather than just ordinarily accepting the
> > control connection to forward?
> > Does the RELATED state match such cases?
>
> Yes.
> For FTP, the data connection's first packet will have the RELATED state, for
> it complies with information that was gathered within the control connection
> by the ip_conntrack_ftp module, allowing you to match and accept it.
>
> --
> http://www.netexit.com/~sid/
> PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>
> >> Hi! I'm your friendly neighbourhood signature virus.
> >> Copy me to your signature file and help me spread!
>

But what is the RELATED state good for with other services? What is its application?

Regards
__Radien__
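As an added illustration (not part of this thread and not the netfilter code itself) of what Cedric describes: the ip_conntrack_ftp helper reads the PORT command (active mode) or the 227 reply (passive mode) on the control connection, records the announced data endpoint as an expectation, and the first packet of a new connection that matches it is classified RELATED instead of NEW. The simplified Python model below does that parsing and classification over a constructed control-channel exchange; the Expectation type and function names are this example's own.

```python
import re
from dataclasses import dataclass

# "h1,h2,h3,h4,p1,p2" as used by the PORT command and by the 227 reply.
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

@dataclass(frozen=True)
class Expectation:
    """Endpoint learned on the control channel (model of an ip_conntrack_ftp expectation)."""
    ip: str
    port: int
    mode: str  # "active" (client sent PORT) or "passive" (server sent 227)

def parse_hostport(text):
    """Decode the 6-number tuple into (ip, port); None if absent or out of range."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def learn_expectation(line, direction):
    """Inspect one control-channel line; direction is 'c2s' for client commands,
    's2c' for server replies. Returns an Expectation or None."""
    line = line.strip()
    if direction == "c2s" and line.upper().startswith("PORT "):
        hp = parse_hostport(line)
        return Expectation(*hp, "active") if hp else None
    if direction == "s2c" and line.startswith("227 "):
        hp = parse_hostport(line)
        return Expectation(*hp, "passive") if hp else None
    return None

def classify_syn(dst_ip, dst_port, expectations):
    """Conntrack state the first packet of a new TCP connection would get: RELATED
    if it targets an endpoint announced on the control channel, otherwise NEW."""
    if any((e.ip, e.port) == (dst_ip, dst_port) for e in expectations):
        return "RELATED"
    return "NEW"

# Constructed control-channel exchange: client 192.168.0.67, server 192.168.10.67.
SAMPLE = [
    ("c2s", "PORT 192,168,0,67,4,1\r\n"),  # active mode: client listens on port 1025
    ("s2c", "200 PORT command successful.\r\n"),  # no expectation from this reply
    ("s2c", "227 Entering Passive Mode (192,168,10,67,195,80)\r\n"),  # passive: 50000
]
EXPECTED = [e for e in (learn_expectation(l, d) for d, l in SAMPLE) if e is not None]
```

The real helper additionally ties each expectation to the control connection it came from and drops it once used or timed out, which is why a rule accepting RELATED on a data port is narrower than accepting NEW on that port.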