Shouldn't the reply be taken care of by the established,related rule below? (I am probably just missing something blatantly obvious.)

Peter

----- Original Message -----
From: "Antony Stone" <Antony@xxxxxxxxxxxxxxxxxxxx>
To: "netfilter" <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Tuesday, June 29, 2004 3:46 PM
Subject: Re: Established / related

On Tuesday 29 June 2004 7:33 pm, Peter Marshall wrote:
> I was wondering if there is a way to use established, related on a subchain
> only.
>
> ex. ftp server behind firewall
>
> $IPTABLES -A FORWARD -d $IPSERVER -j ftpchain
>
> $IPTABLES -A ftpchain -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> This does not seem to work. It only seems to work when I have the
> established,related line on the FORWARD chain.

I really cannot see why this should not do what you want (which presumably is to match only established or related packets going to $IPSERVER).

The only thing which looks a little odd to me, which I wonder whether you've forgotten, is to make sure there is a rule for the reply packets coming back again from $IPSERVER?

If that's not the problem, please give some more details on how you're testing it and why you think it doesn't work.

Regards,

Antony.

--
"It would appear we have reached the limits of what it is possible to achieve with computer technology, although one should be careful with such statements; they tend to sound pretty silly in five years." - John von Neumann (1949)

Please reply to the list; please don't CC me.
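The reply-direction rule Antony asks about, written out as an added example (it is not code from the thread or from either poster). The jump `-A FORWARD -d $IPSERVER -j ftpchain` only ever sends packets addressed TO the server into the subchain, so an ESTABLISHED,RELATED match inside ftpchain can never see the server's replies; they need their own jump. The script below emits the rule set as text so it can be inspected without touching a live ruleset, and applies it only when `apply_ftp_rules` is called. The server address, the chain name and the helper functions are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the netfilter thread: FORWARD rules for an FTP
# server behind a firewall with a jump for EACH direction, so the subchain
# sees both the client's packets and the server's replies.
IPTABLES=${IPTABLES:-iptables}
IPSERVER=${IPSERVER:-192.0.2.10}   # constructed placeholder address

# Emit the rule set as text, one rule per line. Reviewable and testable
# without running iptables.
ftp_forward_rules() {
    cat <<EOF
-N ftpchain
-A FORWARD -d $IPSERVER -j ftpchain
-A FORWARD -s $IPSERVER -j ftpchain
-A ftpchain -m state --state ESTABLISHED,RELATED -j ACCEPT
-A ftpchain -d $IPSERVER -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A ftpchain -j DROP
EOF
}

# How many rules cover the reply direction (source address is the server)?
# A rule set without such a rule is the mistake discussed in the thread.
reply_rule_count() {
    ftp_forward_rules | grep -c -- "-s $IPSERVER"
}

# Apply the rules, one iptables invocation per line. Set IPTABLES=echo to
# dry-run and see the commands that would be executed.
apply_ftp_rules() {
    ftp_forward_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086
        $IPTABLES $rule
    done
}
```

The second jump (`-s $IPSERVER`) is what lets the ESTABLISHED,RELATED rule in the subchain accept the server's replies; without it only packets towards the server ever reach ftpchain. Note that RELATED only covers FTP data connections when the FTP connection-tracking helper (ip_conntrack_ftp on a 2.4/2.6 kernel of that era, nf_conntrack_ftp on current kernels) is loaded.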