shouldn't the reply be taken care of by the established,related rule below ?
(I am probably just missing something blatantly obvious)
Peter
----- Original Message -----
From: "Antony Stone" <Antony@xxxxxxxxxxxxxxxxxxxx>
To: "netfilter" <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Tuesday, June 29, 2004 3:46 PM
Subject: Re: Established / related
On Tuesday 29 June 2004 7:33 pm, Peter Marshall wrote:
> I was wondering if there is a way to use established, related on a
subchain
> only.
>
> ex. ftp server behind firewall
>
> $IPTABLES -A FORWARD -d $IPSERVER -j ftpchain
>
> $IPTABLES -A ftpchain -p TCP -m state --state ESTABLISHED,RELATED -j
ACCEPT
>
> This does not seem to work .. It only seems to work when I have the
> established,related line on the Forwared chain.
I really cannot see why this should not do what you want (which presumably
is
to match only established or related packets going to $IPSERVER).
The only thing which looks a little odd to me, which I wonder whether you've
forgotten, is to make sure there is a rule for the reply packets coming back
again from $IPSERVER?
If that's not the problem, please give some more details on how you're
testing
it and why you think it doesn't work.
Regards,
Antony.
--
"It would appear we have reached the limits of what it is possible to
achieve
with computer technology, although one should be careful with such
statements; they tend to sound pretty silly in five years."
- John von Neumann (1949)
Please reply to the
list;
please don't CC
me.
