On Tuesday 29 June 2004 8:12 pm, Peter Marshall wrote:
> shouldn't the reply be taken care of by the established,related rule below?
No, because the reply will be coming *from* $IPSERVER, and your rule in the
FORWARD chain calling the user-defined chain only matches packets with
$IPSERVER as the destination address.
> (I am probably just missing something blatantly obvious)
Yes, I think so :)
Regards,
Antony.
PS: I've chosen the sig on this response specially for you :)
> ----- Original Message -----
> From: "Antony Stone" <Antony@xxxxxxxxxxxxxxxxxxxx>
> To: "netfilter" <netfilter@xxxxxxxxxxxxxxxxxxx>
> Sent: Tuesday, June 29, 2004 3:46 PM
> Subject: Re: Established / related
>
> On Tuesday 29 June 2004 7:33 pm, Peter Marshall wrote:
> > I was wondering if there is a way to use established, related on a
>
> subchain
>
> > only.
> >
> > ex. ftp server behind firewall
> >
> > $IPTABLES -A FORWARD -d $IPSERVER -j ftpchain
> >
> > $IPTABLES -A ftpchain -p TCP -m state --state ESTABLISHED,RELATED -j
>
> ACCEPT
>
> > This does not seem to work .. It only seems to work when I have the
> > established,related line on the Forwared chain.
>
> I really cannot see why this should not do what you want (which presumably
> is
> to match only established or related packets going to $IPSERVER).
>
> The only thing which looks a little odd to me, which I wonder whether
> you've forgotten, is to make sure there is a rule for the reply packets
> coming back again from $IPSERVER?
>
> If that's not the problem, please give some more details on how you're
> testing
> it and why you think it doesn't work.
>
> Regards,
>
> Antony.
--
90% of networking problems are routing problems.
9 of the remaining 10% are routing problems in the other direction.
The remaining 1% might be something else, but check the routing anyway.
Please reply to the list;
please don't CC me.
