On Tuesday 08 June 2004 10:42 am, Feizhou wrote:
2. /sbin/iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
Forget about this. It makes things easier, yes, but it is too slow if you come under attack... but then you seemingly put everything on one box, so I guess you don't get much traffic.
How do you recommend dealing with reply packets instead?
I would create multiple chains
iptables -N tcp_packets and so on.
So to avoid loading the connection tracking module, I would put rules to handle return packets in the proper chain.
eg: iptables -A tcp_packets -p tcp --sport 1024:65535 --dport 80 -j ACCEPT
Then I put tcp/udp/icmp packets into the proper chain.
eg: iptables -A INPUT -p tcp -j tcp_packets
You could make a catch all for return packets like:
iptables -A INPUT -p tcp ! --syn -j ACCEPT
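The chain-per-protocol layout described above, as an added worked example that is not code from the thread or from any of its participants. The function below emits a complete stateless INPUT ruleset in iptables-restore format, so the rules can be reviewed as text before loading and no `-m state` match is ever referenced. Everything beyond the thread's own rules is an assumption made for illustration: the box serves the TCP ports passed as arguments, makes outbound HTTP/HTTPS client connections of its own, and resolves names against a single DNS server whose address is the placeholder `DNS_SERVER` (192.0.2.53). The `-c` flag appends the `! --syn` catch-all from the post so both variants can be compared.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: generate a stateless
# iptables ruleset that handles return packets in per-protocol chains
# instead of loading connection tracking.
# Hypothetical assumptions: service ports come from the arguments, the box
# makes outbound HTTP/HTTPS connections, and DNS_SERVER is a placeholder.

DNS_SERVER="${DNS_SERVER:-192.0.2.53}"   # placeholder resolver address

# gen_stateless_rules [-c] PORT...
#   Prints an iptables-restore ruleset on stdout.
#   -c  also emit the broad "-p tcp ! --syn -j ACCEPT" catch-all.
gen_stateless_rules() {
    catchall=0
    if [ "$1" = "-c" ]; then catchall=1; shift; fi

    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # user-defined chains, one per protocol (iptables -N tcp_packets, ...)
    printf '%s\n' ':tcp_packets - [0:0]' ':udp_packets - [0:0]' ':icmp_packets - [0:0]'

    # loopback first, then hand each protocol to its own chain
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -p tcp -j tcp_packets'
    printf '%s\n' '-A INPUT -p udp -j udp_packets'
    printf '%s\n' '-A INPUT -p icmp -j icmp_packets'

    # inbound service ports: a new connection arrives from an ephemeral source port
    for port in "$@"; do
        printf '%s\n' "-A tcp_packets -p tcp --sport 1024:65535 --dport $port -j ACCEPT"
    done

    # return packets for this box's own outbound HTTP/HTTPS client connections:
    # never a bare SYN, from the remote service port to a local ephemeral port
    for sport in 80 443; do
        printf '%s\n' "-A tcp_packets -p tcp ! --syn --sport $sport --dport 1024:65535 -j ACCEPT"
    done
    # optional broad catch-all for any non-SYN TCP segment
    if [ "$catchall" -eq 1 ]; then
        printf '%s\n' '-A tcp_packets -p tcp ! --syn -j ACCEPT'
    fi

    # DNS replies, accepted only from the configured resolver
    printf '%s\n' "-A udp_packets -p udp -s $DNS_SERVER --sport 53 --dport 1024:65535 -j ACCEPT"

    # ICMP needed for ping and for path-MTU discovery on outbound connections
    for t in echo-request echo-reply destination-unreachable time-exceeded; do
        printf '%s\n' "-A icmp_packets -p icmp --icmp-type $t -j ACCEPT"
    done

    printf '%s\n' 'COMMIT'
}

# has_rule RULESET LINE -> success if LINE appears verbatim in RULESET
has_rule() {
    printf '%s\n' "$1" | grep -Fqx -e "$2"
}

# last_line RULESET -> the final line of the ruleset
last_line() {
    printf '%s\n' "$1" | tail -n 1
}
```

Usage: `. ./stateless.sh; gen_stateless_rules 80 443 > /tmp/rules; iptables-restore < /tmp/rules`. In restore format `-p tcp --dport` implicitly loads the tcp match, so the lines work as written. The per-service return rules are narrower than the `-c` catch-all, which accepts every TCP segment that is not a bare SYN regardless of source or port, so ACK, FIN and RST probes from anywhere reach userspace; neither variant checks that a packet belongs to a real connection, which is exactly what the connection-tracking match trades CPU for.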