Hi Lukas,

You should accept NEW connections for the traffic you need. Rule "1" accepts only connections which are initiated from the "original host", i.e. the host which already sent NEW. You can receive all traffic on a particular port/from a particular host, and I think it will not be a problem to make what you want. Also, please take care that it is necessary to reload the rules (do iptables -X -F -Z) after you change something.

Take a look into the Cisco PIX, maybe there you have some limit.

For an iptables reference see man iptables or the Oscar Anderson Iptables manual.

Regards/Ahoj
Elvir Kuric

On Wed, May 6, 2009 at 11:13 AM, Slansky Lukas <Lukas.Slansky@xxxxxxx> wrote:
> Hello,
> we're using PG and an Application Server (JBoss) on separate CentOS servers
> with a Cisco PIX in between. On the DB side is iptables with the following relevant
> rules:
>
> 1. -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 2. -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s aaa.bbb.ccc.ddd --dport 5432 -j ACCEPT
> 3. -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>
> I was wondering whether these rules are not OK for our environment. It
> seems that rules 1 and 2 sometimes (probably for complicated queries)
> pass packets and therefore these packets are rejected by rule 3. Such a
> connection is then in some weird state, doesn't communicate (obviously -
> packets are dropped) and the psql (or JBoss) connection is blocking for a
> long time (at least a few hours).
>
> Everything seems to be OK when I have changed rule 2 to "-A
> RH-Firewall-1-INPUT -m tcp -p tcp -s aaa.bbb.ccc.ddd --dport 5432 -j
> ACCEPT".
>
> I'm really confused - what other states are possible for iptables except
> ESTABLISHED, RELATED or NEW? In the iptables manpage there is only INVALID, but
> why is this state emerging?
>
> Any idea?
>
> Lukas
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
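The packets that fall through rules 1 and 2 are the ones conntrack classifies as INVALID (a packet it cannot tie to a tracked connection, e.g. one it considers out of the TCP window, or an ACK arriving after the conntrack entry timed out). Neither rule matches INVALID, so the packet hits the catch-all REJECT. The script below is an added example, not code from the thread: it generates a RH-Firewall-1-INPUT ruleset in iptables-save format that keeps Lukas's stateless accept for the application server on 5432 and additionally logs INVALID packets (rate-limited) before dropping them, so the "weird state" sessions become visible in the kernel log instead of silently hanging. The app host address, the port, the chain name and the log prefix are assumptions taken from or modelled on the thread; the conntrack sysctl names in `enable_tcp_be_liberal` are assumed to exist on the running kernel (the second path is the older ip_conntrack name).

```shell
#!/bin/sh
# Added example for the netfilter thread above; not the list's or CentOS's own code.
# Usage:  sh db-fw.sh            -> print the ruleset (iptables-save format)
#         sh db-fw.sh apply      -> load it with iptables-restore (root)
#         sh db-fw.sh liberal    -> relax conntrack TCP window tracking (root)

APP_HOST="${APP_HOST:-aaa.bbb.ccc.ddd}"   # assumed: the JBoss host from the thread
DB_PORT="${DB_PORT:-5432}"                # assumed: PostgreSQL port from the thread
CHAIN="RH-Firewall-1-INPUT"               # chain name from the thread

# Emit the filter table. iptables-restore ignores lines starting with '#',
# so the inline comments can stay in the loaded file.
db_host_rules() {
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:$CHAIN - [0:0]
-A INPUT -j $CHAIN
-A FORWARD -j $CHAIN
-A $CHAIN -i lo -j ACCEPT
# Rule 1 from the thread: packets conntrack ties to a known connection.
-A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anything conntrack cannot classify is INVALID, not NEW. Log it (rate
# limited) so the cause can be diagnosed from the kernel log.
-A $CHAIN -m state --state INVALID -m limit --limit 5/min -j LOG --log-prefix "FW-INVALID: " --log-level 4
# Lukas's working rule 2: accept the app server on the DB port with no state
# match, so a conntrack mis-classification cannot stall the session.
-A $CHAIN -m tcp -p tcp -s $APP_HOST --dport $DB_PORT -j ACCEPT
# Every other INVALID packet is dropped silently (no ICMP reply for junk).
-A $CHAIN -m state --state INVALID -j DROP
# Rule 3 from the thread: everything else is rejected.
-A $CHAIN -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Load the ruleset atomically; this replaces the filter table in one step,
# so there is no window with the chain flushed.
apply_rules() {
  db_host_rules | iptables-restore
}

# A common reason for INVALID on an otherwise healthy TCP session is
# conntrack's window tracking rejecting a packet it considers out of window,
# which middleboxes between the peers can provoke. With be_liberal=1 such
# packets are treated as ESTABLISHED instead of INVALID. Sysctl paths are
# assumptions for the newer nf_conntrack and older ip_conntrack modules.
enable_tcp_be_liberal() {
  for f in /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal \
           /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal; do
    if [ -w "$f" ]; then
      echo 1 > "$f"
      return 0
    fi
  done
  echo "no conntrack tcp_be_liberal sysctl found (not root, or module not loaded?)" >&2
  return 1
}

case "${1:-print}" in
  apply)   apply_rules ;;
  liberal) enable_tcp_be_liberal ;;
  *)       db_host_rules ;;
esac
```

After loading, watch `dmesg` (or /var/log/messages) for lines prefixed `FW-INVALID:`; the logged source, destination, flags and window give the evidence for whether the PIX, a conntrack timeout or something else is producing the INVALID packets, which is the question left open in the thread.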