This is what I've got

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  127.0.0.1            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            xxx                 icmp type 8 state NEW,RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            xxx                 icmp type 0 state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            xxx                 tcp spts:1024:65535 dpt:22 state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            xxx                 tcp spts:1024:65535 dpts:2370:2371 state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            xxx                 tcp spts:1024:65535 dpt:1521 state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            xxx                 tcp spts:1024:65535 dpt:5901 state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            xxx                 tcp spts:1024:65535 dpts:9006:9007 state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            xxx                 tcp spts:1024:65535 dpt:21 state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            xxx                 tcp spts:1024:65535 dpt:20 state NEW,RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            xxx                 udp spts:1024:65535 dpts:67:68
ACCEPT     udp  --  0.0.0.0/0            xxx                 udp spt:53 dpts:1024:65535
ACCEPT     udp  --  0.0.0.0/0            xxx                 udp spt:53 dpt:53

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  127.0.0.1            0.0.0.0/0
ACCEPT     icmp --  xxx                  0.0.0.0/0           icmp type 0 state RELATED,ESTABLISHED
ACCEPT     icmp --  xxx                  0.0.0.0/0           icmp type 8 state NEW,RELATED,ESTABLISHED
ACCEPT     udp  --  xxx                  0.0.0.0/0           udp spts:1024:65535 dpt:53
ACCEPT     udp  --  xxx                  0.0.0.0/0           udp spt:53 dpt:53

I create the rules like this

$IPTABLES -F
$IPTABLES -Z
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

Then something like this

for puerto in $TCP
do
    $IPTABLES -A INPUT -p tcp -s $LAN -d $D_IN \
        --dport $puerto -m state --state NEW,ESTABLISHED -j ACCEPT
done

for puerto in $UDP
do
    $IPTABLES -A INPUT -p udp -s $LAN -d $D_IN \
        --dport $puerto -m state --state NEW,ESTABLISHED -j ACCEPT
done
}

Thanks for your help
Best Regards

2012/8/27 叶雨飞 <sunyucong@xxxxxxxxx>:
> The second rule is not needed; it's shown that it has matched 0
> packets anyway.
>
> Do you have anything else in other tables, like raw/nat?
>
> On Mon, Aug 27, 2012 at 12:51 PM, Net Warrior <netwarrior863@xxxxxxxxx> wrote:
>> Hi there.
>> I've got a simple question regarding ssh configuration.
>> Reading the documentation and googling, it seems that enabling ssh is
>> the simplest thing in the world. I've got this:
>>
>> $IPTABLES -A INPUT -i $ETH_PRIMARY -p tcp -s $ANY_MACHINE \
>>     --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
>>
>> With this rule I can connect to the machine, so far so good. Now if I
>> want to do scp, or to scp to another machine, I get blocked.
>> I permit ALL of the output chain.
>>
>> The only way I'm able to ssh to another host or do scp is by adding this:
>>
>> $IPTABLES -A INPUT -i $ETH_PRIMARY -p tcp -s $ANY_MACHINE \
>>     --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
>>
>> So I've got this:
>>
>>     8   560 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW,ESTABLISHED
>>     0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp spt:22 state NEW,ESTABLISHED
>>
>> With these two rules I can ssh to another host and do scp. I'm confused
>> cuz all the examples I've been reading do not
>> talk about enabling both, only the destination port.
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>>
>> Is this the right way, or am I misreading something?
>>
>> Thanks in advance
>> Best Regards
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
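The behaviour discussed in this thread, worked through as an added example that is not from any of the posts above: a minimal model of iptables first-match evaluation with `-m state`, run over a destination-port-only INPUT chain like the poster's, the `--sport 22` workaround, and a conventional stateful layout (one ESTABLISHED,RELATED rule first, then NEW per service port). All rules and packets here are constructed; the reply from a remote sshd to an outbound scp shows why the dport-only chain drops it, and a brand-new connection that merely uses source port 22 shows that the workaround accepts more than replies.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    sport: int
    dport: int
    state: str  # conntrack state as seen by -m state: NEW, ESTABLISHED or RELATED


@dataclass(frozen=True)
class Rule:
    target: str
    proto: Optional[str] = None
    sports: Optional[range] = None             # --sport a  /  --sport a:b
    dports: Optional[range] = None             # --dport a  /  --dport a:b
    states: Optional[FrozenSet[str]] = None    # -m state --state ...

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or p.proto == self.proto)
                and (self.sports is None or p.sport in self.sports)
                and (self.dports is None or p.dport in self.dports)
                and (self.states is None or p.state in self.states))


def evaluate(chain, policy: str, p: Packet) -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


HIGH = range(1024, 65536)
NEW_EST = frozenset({"NEW", "ESTABLISHED"})

# INPUT chain in the style of the post: every rule is keyed on the service's destination port.
ORIGINAL = [Rule("ACCEPT", "tcp", HIGH, range(22, 23), NEW_EST)]
# The poster's workaround: additionally accept anything arriving with source port 22.
WITH_SPORT22 = ORIGINAL + [Rule("ACCEPT", "tcp", range(22, 23), None, NEW_EST)]
# Stateful layout: accept replies to any connection once, then NEW only per service port.
STATEFUL = [Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
            Rule("ACCEPT", "tcp", HIGH, range(22, 23), frozenset({"NEW"}))]

# Constructed packets.
INBOUND_SSH = Packet("tcp", 40000, 22, "NEW")          # a client connecting to our sshd
SCP_REPLY = Packet("tcp", 22, 40000, "ESTABLISHED")    # remote sshd answering our outbound scp
NEW_FROM_22 = Packet("tcp", 22, 5432, "NEW")           # new connection that happens to use source port 22

if __name__ == "__main__":
    for name, chain in (("original", ORIGINAL), ("with sport 22", WITH_SPORT22), ("stateful", STATEFUL)):
        for pkt in (INBOUND_SSH, SCP_REPLY, NEW_FROM_22):
            print(f"{name:14} {pkt.sport:>5}->{pkt.dport:<5} {pkt.state:11} {evaluate(chain, 'DROP', pkt)}")
```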