Patrick Derwael wrote:
It looks like I need to rephrase my needs:
I have a segment with 9 IPs (x.y.z.211-219).
There may be no connection restriction between all those machines (all
ports authorized)
x.y.z.219 must be able to send packets to the Net, and of course the
returning packets must be allowed to reach the sender (219) back. I can't
see the use of sending packets out if the sender can't get the answer
back...
With the current setup, the returning packets are dropped
Question: how can I set up iptables in order to accept the returning
packets if the connection has been started by x.y.z.219 (not if the
connection is attempted from outside the authorized range)?
To put it differently, if I'm logged on the x.y.z.219, I must be able to
surf to any website without entering the website's IP in iptables
beforehand.
I hope this is clearer!!
On Fri, September 15, 2006 4:14 pm, Chiu, PCM (Peter) said:
Patrick,
You need to add ESTABLISHED,RELATED rules to allow responses to connections
originating on the machine in question.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ESTABLISHED,RELATED allows packets which are part of an established TCP
connection i.e. the 3-way SYN-SYN/ACK-ACK has completed with no subsequent RST.
It also allows UDP packets from a source IP/port which was a destination
within the past 30s.
--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw@xxxxxxxxxxxx
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555
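The setup asked for above, written out as a complete host ruleset in iptables-restore format. This is an added example, not Patrick's configuration or the rule as Nigel posted it: it assumes the filtering happens on x.y.z.219's own INPUT chain, uses the documentation prefix 192.0.2 as a stand-in for x.y.z, and only generates the rules (it does not apply them), so it can be inspected and checked before being fed to iptables-restore as root.

```shell
#!/bin/sh
# Added example for the thread above; not the original poster's configuration.
# Generates (does not apply) a host firewall ruleset for the scenario: this
# host is x.y.z.219, traffic among x.y.z.211-219 is unrestricted, and replies
# to connections that 219 itself opened are accepted via connection tracking.
# Assumptions: 192.0.2 stands in for x.y.z; rules live in the host's INPUT
# chain; output is in iptables-restore format.

LAN_PREFIX="${LAN_PREFIX:-192.0.2}"   # placeholder for x.y.z (assumption)
LAN_FIRST=211
LAN_LAST=219

gen_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'      # default deny: only listed traffic gets in
    echo ':FORWARD DROP [0:0]'    # this host does not route for others
    echo ':OUTPUT ACCEPT [0:0]'   # 219 may open connections anywhere
    echo '-A INPUT -i lo -j ACCEPT'
    # Must come before any DROP/REJECT: conntrack tags reply packets of a
    # connection this host initiated as ESTABLISHED (and associated traffic
    # such as ICMP errors as RELATED), whatever the remote IP is.
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Packets conntrack cannot associate with any flow are dropped early.
    echo '-A INPUT -m state --state INVALID -j DROP'
    # Unrestricted traffic from every host in the segment (9 rules).
    i=$LAN_FIRST
    while [ "$i" -le "$LAN_LAST" ]; do
        echo "-A INPUT -s $LAN_PREFIX.$i -j ACCEPT"
        i=$((i + 1))
    done
    # Anything else, e.g. a connection attempted from outside the range,
    # falls through to the INPUT chain policy and is dropped.
    echo 'COMMIT'
}

# Number of generated rules matching a pattern (0 when none match).
count_rules() {
    gen_ruleset | grep -c -- "$1" || true
}

# Line number of the first rule matching a pattern, for ordering checks.
rule_line() {
    gen_ruleset | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Usage (as root, after reviewing the output):  gen_ruleset | iptables-restore
if [ "${1:-}" = "--print" ]; then
    gen_ruleset
fi
```

The ordering matters: the ESTABLISHED,RELATED rule sits above the per-host ACCEPT rules and the chain's DROP policy, so a reply from any website 219 connected to is accepted without that site's address ever appearing in the ruleset, while a fresh connection from outside 211-219 never matches a state rule and is dropped by the policy. `-m state --state` is the syntax Nigel used and still works; on current kernels `-m conntrack --ctstate` is the equivalent match.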
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list