[ale] iptables issue

JK jknapka at kneuro.net
Mon Jul 17 00:21:56 EDT 2006


Jim Popovitch wrote:

> I have an issue wrt iptables.  I use iptables to allow/deny access to a 
> website.  The tables are intended to allow all in to port 80 at address 
> WW.XX.YY.ZZ, and all replies back out from port 80 on same address.
> 
> The command line used to create the rules is this:
> 
> iptables -A INPUT -p tcp -d WW.XX.YY.ZZ --dport http
>       -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p tcp -s WW.XX.YY.ZZ --sport http
>       -m state --state RELATED,ESTABLISHED -j ACCEPT
> 
> The above rules work 98% of the time, however I see periodic failures 
> (REJECTS) logged from outbound data back to what I believe to be proxies 
> at all the major ISPs.
> 
> I'm inclined to remove the "state" options from the above rules, but I 
> can't figure out why doing so is necessary.  Any thoughts?

You need the --state rule for the OUTPUT chain in order
for any of your server's reply packets to get back to
the clients (assuming there's no other rule that will
let packets escape to the world). It says "let anything
out that's associated with an established connection, e.g.
responses to client requests". You shouldn't need
any --state rule for the INPUT chain, though;

   iptables -A INPUT -p tcp -d <here> --dport http -j ACCEPT

should be fine. Though that is slightly less
restrictive than the original rule; the --state-less
rule, for example, would allow an ACK packet from
a host with no established connection, whereas IIRC
the --state part of the original rule ensures that
only SYN packets and packets associated with established
connections are allowed in.

As for your REJECT issues, are you sure the packets
aren't being rejected by something earlier in the
chain? It's hard to know exactly what is going on
without seeing the entire ruleset.

Cheers,

-- JK