Re: Established / related

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Thank you for your help.

Peter


----- Original Message ----- 
From: "Antony Stone" <Antony@xxxxxxxxxxxxxxxxxxxx>
To: "netfilter" <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Tuesday, June 29, 2004 4:25 PM
Subject: Re: Established / related


On Tuesday 29 June 2004 8:12 pm, Peter Marshall wrote:

> shouldn't the reply be taken care of by the established,related rule
below?

No, because the reply will be coming *from* $IPSERVER, and your rule in the
FORWARD chain calling the user-defined chain only matches packets with
$IPSERVER as the destination address.

> (I am probably just missing something blatantly obvious)

Yes, I think so :)

Regards,

Antony.

PS: I've chosen the sig on this response specially for you :)

> ----- Original Message -----
> From: "Antony Stone" <Antony@xxxxxxxxxxxxxxxxxxxx>
> To: "netfilter" <netfilter@xxxxxxxxxxxxxxxxxxx>
> Sent: Tuesday, June 29, 2004 3:46 PM
> Subject: Re: Established / related
>
> On Tuesday 29 June 2004 7:33 pm, Peter Marshall wrote:
> > I was wondering if there is a way to use established, related on a
>
> subchain
>
> > only.
> >
> > ex.  ftp server behind firewall
> >
> > $IPTABLES -A FORWARD -d $IPSERVER -j ftpchain
> >
> > $IPTABLES -A ftpchain -p TCP -m state --state ESTABLISHED,RELATED -j
>
> ACCEPT
>
> > This does not seem to work .. It only seems to work when I have the
> > established,related line on the Forwared chain.
>
> I really cannot see why this should not do what you want (which presumably
> is
> to match only established or related packets going to $IPSERVER).
>
> The only thing which looks a little odd to me, which I wonder whether
> you've forgotten, is to make sure there is a rule for the reply packets
> coming back again from $IPSERVER?
>
> If that's not the problem, please give some more details on how you're
> testing
> it and why you think it doesn't work.
>
> Regards,
>
> Antony.

-- 
90% of networking problems are routing problems.
9 of the remaining 10% are routing problems in the other direction.
The remaining 1% might be something else, but check the routing anyway.

                                                     Please reply to the
list;
                                                           please don't CC
me.
[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux