On Thursday 15 July 2004 8:55 pm, Real Cucumber wrote:

> I do have a state rule already for allowing any
> established,related connections.

In that case you are already allowing ICMP :)

> So should I add another one such as:
>
> iptables -A FORWARD -p icmp -m state --state RELATED
> -j ACCEPT

No. ICMP messages which are RELATED to the existing SSH connections will get matched by the final rule in this section of your rules:

# Allow previously initiated and accepted connections
# to bypass firewall tests (state matching)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Just out of interest, why do you have the first two of these rules, if you have no INPUT or OUTPUT traffic?

Regards,

Antony.

--
Microsoft may sell more software than any other company, but McDonald's sell more burgers than any other company, and I think the other similarities are obvious...

Please reply to the list; please don't CC me.