On Sun, 2012-12-09 at 12:14 -0800, Mike Wright wrote:
> Hi all,
>
> I'm trying to make a USB scanner network available using "saned". The
> machines involved are both running "saned -a". It works well until I
> turn on iptables on the machine with the scanner.
>
> If I enable firewalling with port 6566 open the scanner initializes but
> never proceeds beyond that point.
>
> I tried these:
>
> -A INPUT -p tcp -m tcp --dport 6566 -m conntrack --ctstate NEW -m helper
> --helper "sane" -j ACCEPT
> -A INPUT -p udp -m udp --dport 6566 -m conntrack --ctstate NEW -m helper
> --helper "sane" -j ACCEPT

That's only accepting the packet that initiates the connection. You'll
need to allow subsequent related packets as well. Something like:

-A INPUT -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT

I don't know the "sane" protocol, so you might need to add RELATED as
well.

You'll also need to make sure that you're allowing the packets to return
out as well (OUTPUT).

Also, I consider the dport *and* helper match a bit of an overkill. I
would just use the dport match, at least until it's working.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
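A complete ruleset for the scanner host that applies the advice in the reply, written in the same iptables-save syntax as the rules quoted above. This is an added example, not part of the thread. It assumes the kernel's SANE conntrack helper module (nf_conntrack_sane) is loaded and attaches the helper explicitly in the raw table, since helpers are no longer assigned automatically on newer kernels; the client subnet 192.0.2.0/24 is a placeholder.

```iptables
# Added example: minimal saned firewall for the scanner host (iptables-save syntax).
# Assumes: modprobe nf_conntrack_sane has been run; clients live in 192.0.2.0/24 (placeholder).
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Attach the sane helper to the control connection on 6566 so the data
# connection that saned announces afterwards is tracked as RELATED rather
# than arriving as an unknown NEW flow on a random port.
-A PREROUTING -p tcp -m tcp --dport 6566 -j CT --helper sane
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to accepted connections plus helper-announced data connections.
# Without RELATED the scan starts (control connection) but never transfers data.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The control connection itself: dport match only, no helper match, and
# limited to the client subnet so the scanner is not exposed network-wide.
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 6566 -m conntrack --ctstate NEW -j ACCEPT
# Outbound: the ACCEPT policy already lets replies leave; if OUTPUT is ever
# switched to DROP, this rule keeps the reply and data traffic flowing.
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
```

Load it with iptables-restore after modprobe nf_conntrack_sane, then confirm the tracking is working by checking that the 6566 entry in /proc/net/nf_conntrack carries helper=sane while a scan is running.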