Re: specifying -m state --state NEW (Was : --policy DROP kills everything?)

On Fri, Jun 10, 2005 at 09:13:36PM +0200, Rob Sterenborg wrote:
> In that case I don't understand why both rules seem to do the same job.
> Both :
> 
> $ipt -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
> 
> and :
> 
> $ipt -A INPUT -i eth0 -m state --state NEW -p tcp --dport 22 -j ACCEPT
> 
> only work in combination with :
> 
> $ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> 
> At least, here it does.

just tested:

  # iptables-save
  # Generated by iptables-save v1.3.1 on Sat Jun 11 01:47:21 2005
  *filter
  :INPUT DROP [13:1519]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [88:8463]
  -A INPUT -p icmp -j ACCEPT
  -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
  COMMIT
  # Completed on Sat Jun 11 01:47:21 2005

i can both ping and ssh to this machine.  the only thing i can
think of that would lead you to believe that you need the "--state
RELATED,ESTABLISHED" rule in INPUT is because without it--the replies
to the OUTPUT packets will be dropped.  things like responses to DNS
queries which will make your ssh connection take much longer if you have
"UseDNS yes" in sshd_config.  just a thought.

-j

--
"Stewie: Mark my words, your uppance shall come."
        --Family Guy
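As an added illustration (not code from this thread), a small Python model of the NEW/ESTABLISHED connection-tracking states and an INPUT chain with policy DROP, run against the two port-22 rules quoted above with and without the RELATED,ESTABLISHED rule. The addresses, ports and the simplified tracking logic are constructed assumptions, not netfilter code.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")  # one packet's 5-tuple (flags not needed here)

def keys(p):
    """Original-direction and reply-direction 5-tuples for a packet."""
    return (p.proto, p.src, p.sport, p.dst, p.dport), (p.proto, p.dst, p.dport, p.src, p.sport)

class Conntrack:
    """Flows keyed by original-direction 5-tuple; value = whether a reply packet has been seen."""
    def __init__(self):
        self.flows = {}
    def state(self, p):
        fwd, rev = keys(p)
        if rev in self.flows or self.flows.get(fwd):  # reply direction, or original after a reply
            return "ESTABLISHED"
        return "NEW"
    def track(self, p):
        fwd, rev = keys(p)
        if rev in self.flows:
            self.flows[rev] = True            # reply seen: the flow is now ESTABLISHED
        else:
            self.flows.setdefault(fwd, False)

def input_chain(rules, p, ct, policy="DROP"):
    """Walk INPUT rules (states-or-None, proto-or-None, dport-or-None, target); fall back to the policy."""
    st = ct.state(p)
    verdict = policy
    for states, proto, dport, target in rules:
        if ((states is None or st in states) and (proto is None or p.proto == proto)
                and (dport is None or p.dport == dport)):
            verdict = target
            break
    if verdict == "ACCEPT":
        ct.track(p)   # conntrack only confirms an entry for a packet that was not dropped
    return verdict

HOST, CLIENT, RESOLVER = "192.0.2.10", "198.51.100.5", "192.0.2.53"   # constructed addresses
PLAIN = [(None, "tcp", 22, "ACCEPT")]            # -A INPUT -p tcp --dport 22 -j ACCEPT
NEW_ONLY = [({"NEW"}, "tcp", 22, "ACCEPT")]      # -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
ESTABLISHED = ({"RELATED", "ESTABLISHED"}, None, None, "ACCEPT")  # -m state --state RELATED,ESTABLISHED -j ACCEPT

def run(rules):
    """Verdicts for: a client's SSH SYN, the client's ACK after our SYN-ACK, and the reply to a DNS query we sent."""
    ct = Conntrack()
    syn = input_chain(rules, Packet("tcp", CLIENT, 40000, HOST, 22), ct)
    if syn == "ACCEPT":
        ct.track(Packet("tcp", HOST, 22, CLIENT, 40000))   # our SYN-ACK leaves through OUTPUT (policy ACCEPT)
    ack = input_chain(rules, Packet("tcp", CLIENT, 40000, HOST, 22), ct)
    ct.track(Packet("udp", HOST, 50000, RESOLVER, 53))     # outbound DNS query, also through OUTPUT
    dns = input_chain(rules, Packet("udp", RESOLVER, 53, HOST, 50000), ct)
    return {"ssh_syn": syn, "ssh_ack": ack, "dns_reply": dns}
```

`run(PLAIN)` accepts the whole SSH handshake but drops the DNS reply; `run(NEW_ONLY)` accepts only the SYN, since the client's later packets are ESTABLISHED rather than NEW; adding `ESTABLISHED` to either rule list accepts all three.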
