John O'Loughlin wrote:
> ESTABLISHED,RELATED allows packets which are part of an established
> TCP connection, i.e., the 3-way SYN-SYN/ACK-ACK has completed with no
> subsequent RST. It also allows UDP packets from a source IP/port
> which was a destination within the past 30s.
> The ESTABLISHED state doesn't just apply to packets in an established
> TCP connection though; it also allows packets which are part of the
> initial connection exchange, the SYN-ACK packet, otherwise you would
> also need rules to allow out these packets.
True, this is needed to allow the SYN-ACK back in. The initial outgoing SYN
requires an explicit OUTPUT ACCEPT somewhere in the chain.
You can see the ip_conntrack module working in /proc/net/ip_conntrack.
--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw@xxxxxxxxxxxx
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555
--
redhat-list mailing list
https://www.redhat.com/mailman/listinfo/redhat-list
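As an added example (not from either poster), the following models what the `--state ESTABLISHED` match sees in `/proc/net/ip_conntrack`: a parser for the legacy entry layout plus a classifier that reproduces the point above, namely that the returning SYN-ACK already matches ESTABLISHED while the first outgoing SYN is NEW. The conntrack lines are constructed sample data, and the lookup ignores conntrack's INVALID verdict.

```python
"""Model of iptables' --state match against /proc/net/ip_conntrack entries.
Sample entries are constructed for this example in the legacy ip_conntrack
layout: proto name, proto number, timeout (s), TCP state (tcp only),
original-direction tuple, reply-direction tuple, flags."""
import re

# Constructed table: a completed TCP connection, a connection whose SYN has
# gone out but whose SYN-ACK has not yet returned, a replied DNS lookup, and
# a UDP request still waiting on its reply (timeout counting down from 30s).
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=40322 dport=443 src=203.0.113.5 dst=192.168.1.10 sport=443 dport=40322 [ASSURED] use=1
tcp      6 118 SYN_SENT src=192.168.1.10 dst=203.0.113.9 sport=40500 dport=22 [UNREPLIED] src=203.0.113.9 dst=192.168.1.10 sport=22 dport=40500 use=1
udp      17 27 src=192.168.1.10 dst=192.168.1.1 sport=51000 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=51000 use=1
udp      17 12 src=192.168.1.10 dst=198.51.100.7 sport=51001 dport=123 [UNREPLIED] src=198.51.100.7 dst=192.168.1.10 sport=123 dport=51001 use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_conntrack(text):
    """Return one dict per entry; both tuples are (src, sport, dst, dport)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        tuples = [(s, int(sp), d, int(dp))
                  for s, d, sp, dp in TUPLE_RE.findall(line)]
        entries.append({
            "proto": fields[0],
            "timeout": int(fields[2]),
            "tcp_state": fields[3] if fields[0] == "tcp" else None,
            "orig": tuples[0],
            "reply": tuples[1],
            "replied": "[UNREPLIED]" not in line,   # seen traffic both ways?
        })
    return entries


def conntrack_state(entries, proto, src, sport, dst, dport):
    """Classify a packet as the state match does: any packet in the reply
    direction of a tracked flow is ESTABLISHED (so the SYN-ACK needs no extra
    rule); the original direction is ESTABLISHED only once a reply has been
    seen, otherwise it is NEW and needs its own ACCEPT (the outgoing SYN)."""
    packet = (src, sport, dst, dport)
    for e in entries:
        if e["proto"] != proto:
            continue
        if packet == e["reply"]:
            return "ESTABLISHED"
        if packet == e["orig"]:
            return "ESTABLISHED" if e["replied"] else "NEW"
    return "NEW"   # no tracked flow at all: first packet of a connection
```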