Thank you, I get it, but what is the use of the first rule (1 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED)? As long as I connect via ssh, I must make a connection, not an established connection, so I understand that rule 1 (ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED) is not useful, isn't it?

"Gaddis, Jeremy L." <jeremy@xxxxxxxxxxxx> wrote:

> On 1/18/07, tamer amr wrote:
> > thanks for the reply
> > but I still can't understand the difference
> >
> > 1 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> > 2 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
> > here I can ssh the host
>
> Of course you can. Your second rule is telling iptables to allow "NEW"
> ssh connections. The first rule will not match on *NEW* connections and
> is not involved in the "setting up" of new connections.
>
> > then I removed the second rule to be
> > 1 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> > here I could not ssh this host
>
> Right, because you removed the rule that was permitting the connections
> in the first place.
>
> Flush your ruleset, run "iptables -vnL", and look at the counters.
> Connect in via SSH, then run "iptables -vnL" again and look at the
> counters. You'll see that the second rule is what's matching your *NEW*
> connection to 22/TCP.
>
> --
> Jeremy L. Gaddis, MCP, GCWN
> http://www.linuxwiz.net/
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
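An added example, not from the thread: a small Python model of how the INPUT chain evaluates the two rules being discussed against a constructed packet sequence (conntrack is simplified to NEW/ESTABLISHED, and the addresses and ports are made up). It reproduces the per-rule counters Jeremy suggests reading from "iptables -vnL" and shows why rule 1 is still needed: rule 2 only admits the first packet of the SSH session, every later packet of that session matches rule 1.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # remote peer address
    sport: int
    dport: int

@dataclass
class Rule:
    proto: str                  # "all" or a protocol name
    states: frozenset           # conntrack states the "state" match accepts
    dport: Optional[int] = None # optional "tcp dpt:" match

# The two INPUT rules from the thread, written as this model's Rule objects.
RULE_1 = Rule("all", frozenset({"RELATED", "ESTABLISHED"}))
RULE_2 = Rule("tcp", frozenset({"NEW"}), dport=22)

def run_input_chain(rules, packets, policy="DROP"):
    """Evaluate each packet against the rules in order, like the INPUT chain.
    Returns the verdict per packet and per-rule match counters, the same
    numbers the pkts column of "iptables -vnL" shows."""
    confirmed = set()             # conntrack entries confirmed by an ACCEPT
    counters = [0] * len(rules)
    verdicts = []
    for pkt in packets:
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dport)
        # First packet of an unknown flow is NEW; later packets of a confirmed
        # flow are ESTABLISHED (RELATED, e.g. FTP data channels, is omitted).
        state = "ESTABLISHED" if flow in confirmed else "NEW"
        verdict = policy
        for i, rule in enumerate(rules):
            if rule.proto != "all" and rule.proto != pkt.proto: continue
            if state not in rule.states: continue
            if rule.dport is not None and pkt.dport != rule.dport: continue
            counters[i] += 1
            verdict = "ACCEPT"
            break
        if verdict == "ACCEPT":
            confirmed.add(flow)   # a dropped SYN never becomes a tracked flow
        verdicts.append(verdict)
    return verdicts, counters

# Constructed traffic: an SSH session (SYN, then a later packet of the same
# flow) and a stray NEW connection to port 80 from the same client.
SSH_SYN  = Packet("tcp", "192.0.2.10", 51000, 22)
SSH_DATA = Packet("tcp", "192.0.2.10", 51000, 22)
HTTP_SYN = Packet("tcp", "192.0.2.10", 51001, 80)
TRAFFIC = [SSH_SYN, SSH_DATA, HTTP_SYN]

if __name__ == "__main__":
    for name, rules in [("rule 1 only", [RULE_1]), ("rule 2 only", [RULE_2]),
                        ("rules 1 + 2", [RULE_1, RULE_2])]:
        print(name, run_input_chain(rules, TRAFFIC))
```

With rule 1 alone nothing gets in; with rule 2 alone the SYN is accepted but the rest of the session hits the DROP policy; with both rules the session works and the port 80 attempt is still dropped.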