> Hi Jorge,
>
> Well, the scenario is that you want to allow outgoing traffic to tcp
> port number 22 from your internal LAN.
>
> The rules suggested
>
>
> 1) $ipt -P FORWARD DROP
> 2) $ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> 3) $ipt -A FORWARD -m state --state NEW -p tcp --dport 22 -j ACCEPT
>
>
> are for:
>
> 1) Apply a POLICY to DROP any packet that does not match any rule in
> the chain (in this case, the FORWARD chain)
>
> 2) Allow incoming traffic in response to traffic generated from your
> internal network or from the GNU/Linux router itself. If you do not
> use that rule (the second rule) you will not be able to "speak" with the
> world
>
> 3) Allow packets marked with the SYN flag to travel to the world, but
> if the second rule does not exist, the traffic in response to the
> initial request to initiate a ssh session will not receive an answer
> from the world.
>
> I suggest you try to understand the mechanics to establish a tcp session.

Thanks a lot! This initial part helps. I know how to do basic filtering with input/output, and I was doing nat filtering with the PREROUTING chain and it was easy, now things got a bit complicated for me :-) I have to study again... last time I did this was more than 5 years ago, I have to RElearn iptables basics!

jorge,

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
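The three FORWARD rules quoted above, as an added example that is not part of the thread: a POSIX shell script that emits the rule set as a dry run, can apply it on request, and walks the chain for a sample packet to show why rule 2 is what lets the SSH reply back in. `IPT`, `LAN_IF` and `LAN_NET` are placeholder names assumed for this example, and narrowing rule 3 to the LAN interface and source range is an addition beyond the reply, so that only hosts on the internal LAN can open new SSH sessions through the router.

```shell
#!/bin/sh
# Added example, not code from the netfilter thread.
# Assumed placeholders: IPT (iptables binary), LAN_IF (interface facing the
# internal LAN) and LAN_NET (internal LAN address range).
IPT=${IPT:-iptables}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# Print the rule set one command per line without executing anything.
# Rule 3 is restricted to packets arriving from the LAN (an assumption beyond
# the thread), so the router only forwards NEW ssh connections that the
# internal network itself initiated.
forward_rules() {
    cat <<EOF
$IPT -P FORWARD DROP
$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i $LAN_IF -s $LAN_NET -m state --state NEW -p tcp --dport 22 -j ACCEPT
EOF
}

# Apply the rules for real. Needs root and is never called at top level here.
apply_forward_rules() {
    forward_rules | while IFS= read -r cmd; do
        sh -c "$cmd" || return 1
    done
}

# Walk the FORWARD chain for one packet and print the verdict.
# Arguments: conntrack state, protocol, destination port, and "with" or
# "without" to say whether rule 2 (RELATED,ESTABLISHED) is present.
# The first matching rule decides; if nothing matches, the DROP policy applies.
forward_verdict() {
    state=$1; proto=$2; dport=$3; rule2=$4
    if [ "$rule2" = with ]; then
        case $state in
            RELATED|ESTABLISHED) echo ACCEPT; return 0 ;;
        esac
    fi
    if [ "$state" = NEW ] && [ "$proto" = tcp ] && [ "$dport" = 22 ]; then
        echo ACCEPT; return 0
    fi
    echo DROP
}

# Trace one ssh session: the SYN leaves as NEW, the SYN/ACK comes back as
# ESTABLISHED (conntrack already saw the first packet). Without rule 2 the
# reply hits the policy and the handshake never completes.
trace_ssh_session() {
    rule2=$1
    printf 'rule 2 %s: LAN -> world SYN (NEW, tcp/22)      => %s\n' \
        "$rule2" "$(forward_verdict NEW tcp 22 "$rule2")"
    printf 'rule 2 %s: world -> LAN SYN/ACK (ESTABLISHED) => %s\n' \
        "$rule2" "$(forward_verdict ESTABLISHED tcp 22 "$rule2")"
    printf 'rule 2 %s: LAN -> world SYN (NEW, tcp/80)      => %s\n' \
        "$rule2" "$(forward_verdict NEW tcp 80 "$rule2")"
}

echo "Rules that would be applied (dry run):"
forward_rules
echo
trace_ssh_session with
trace_ssh_session without
```

Run it as is to see the dry run and the two traces; call `apply_forward_rules` as root only after checking that the generated commands match the interfaces and ranges of the router in question. The `-P FORWARD DROP` line sets the policy rather than appending a rule, so any traffic you have not explicitly allowed, including the SSH reply when rule 2 is missing, is silently dropped.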