input rule for "related" UDP traffic

Hello everyone

I have a protocol that does the following:

hostA                                               hostB

IPv4 source address 1                               IPv4 destination address 2
Random UDP source port x       ----------->         well-known UDP port A

Random UDP destination port x  <-----------         Random UDP source port y

so basically, it is some kind of "request-reply" protocol where the reply is sent back to the random source port of the request.

I'd like to have an input chain (type filter, hook input) with a default policy that drops everything. Then, I'd like to accept specific services/ports only.
Is it possible to do this for the above scenario?
I obviously cannot add a simple rule based on "daddr" and "dport" as the destination port of the incoming reply is random.
I've tried to do:
ip daddr 10.10.1.100 ct state established,related accept (I also want to restrict the destination address of incoming packets as the system can have multiple networks on the same physical device)

but this a) is not related to the well-known destination port of the request (so not restricted to this specific protocol) and b) doesn't work anyway...

I was wondering whether it's possible to tell netfilter that the pair "destination port + source address" of the request is a "connection". So that it maybe links the source port to this connection as well and afterwards, when it sees the source port and source address as destinations, it may associate this incoming packet with my connection (and I could tell it to accept incoming packets for this connection).

I hope you can understand what I'm trying to achieve and can help me!

Kind regards
Dominique
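As an added illustration (not part of the original post), the model below reproduces the rule conntrack applies to UDP: a flow is keyed on the full 5-tuple, and a packet only counts as the "reply" (moving the flow to established) if it is the exact inversion of the original tuple. Run against the exchange in the post, a reply from the well-known port A matches, while a reply from a fresh random port y is classified as a new flow, which is why `ct state established,related` does not accept it. The hostB address and the port numbers are constructed values; 10.10.1.100 is taken from the post.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tuple5:
    """One direction of a flow, as conntrack keys it."""
    saddr: str
    sport: int
    daddr: str
    dport: int
    proto: str = "udp"

    def reverse(self):
        # The reply conntrack expects: addresses and ports swapped exactly.
        return Tuple5(self.daddr, self.dport, self.saddr, self.sport, self.proto)

class Conntrack:
    """Minimal stand-in for the UDP conntrack table: original tuple -> ct state."""
    def __init__(self):
        self.table = {}

    def track(self, pkt):
        """Classify a packet as conntrack would and update the table."""
        if pkt in self.table:            # same direction as a known flow
            return self.table[pkt]
        rev = pkt.reverse()
        if rev in self.table:            # exact inverse of a known flow: the reply
            self.table[rev] = "established"
            return "established"
        self.table[pkt] = "new"          # unknown 5-tuple: starts a separate flow
        return "new"

# Constructed endpoints: hostA is 10.10.1.100 (from the post), hostB is hypothetical.
HOST_A, HOST_B = "10.10.1.100", "10.10.2.50"
PORT_X, PORT_A = 40000, 5000             # random source port x, well-known port A

def classify_reply(reply_sport):
    """Send the request x -> A, then see how a reply from reply_sport is classified."""
    ct = Conntrack()
    ct.track(Tuple5(HOST_A, PORT_X, HOST_B, PORT_A))
    return ct.track(Tuple5(HOST_B, reply_sport, HOST_A, PORT_X))

if __name__ == "__main__":
    print("reply from port A:", classify_reply(PORT_A))    # established
    print("reply from port y:", classify_reply(PORT_A + 1))  # new
```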



