[ale] iptables issue
Jim Popovitch
jimpop at yahoo.com
Mon Jul 17 00:24:22 EDT 2006
Jason Lunz wrote:
> jimpop at yahoo.com said:
>> I have an issue wrt iptables. I use iptables to allow/deny access to a
>> website. The tables are intended to allow all in to port 80 at address
>> WW.XX.YY.ZZ, and all replies back out from port 80 on same address.
>>
>> The command line used to create the rules is this:
>>
>> iptables -A INPUT -p tcp -d WW.XX.YY.ZZ --dport http \
>>   -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
>> iptables -A OUTPUT -p tcp -s WW.XX.YY.ZZ --sport http \
>>   -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> the second rule is superfluous. It's implied by the ESTABLISHED in the
> first rule.
Are you sure of that? Every firewall example I've ever seen shows rules
for both directions.
>> The above rules work 98% of the time, however I see periodic failures
>> (REJECTS) logged from outbound data back to what I believe to be proxies
>> at all the major ISPs.
>
> what exactly is logged?
Events like this:
OUTPUT BLOCKED: IN= OUT=eth1 SRC=WW.XX.YY.ZZ DST=AA.BB.CC.DD LEN=255
TOS=0x00 PREC=0x00 TTL=64 ID=52863 DF PROTO=TCP SPT=80 DPT=4091
WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
Thanks,
-Jim P.
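An added example, not part of Jim's or Jason's messages: a small parser for the netfilter LOG line format used in the "OUTPUT BLOCKED" event above, so the dropped packets can be read programmatically instead of by eye. It splits the KEY=VALUE fields from the bare flag tokens (DF, ACK, PSH, FIN, ...) and labels the packet; the sample line, the FLAG_TOKENS set and the classify() labels are my own constructions, and the classification rule assumes the server only serves on the listed ports.

```python
# Parse and label netfilter LOG lines such as the one quoted in the thread.
# Constructed sample: the logged event, rejoined onto a single line.
SAMPLE_LOG = (
    "OUTPUT BLOCKED: IN= OUT=eth1 SRC=WW.XX.YY.ZZ DST=AA.BB.CC.DD LEN=255 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=52863 DF PROTO=TCP SPT=80 DPT=4091 "
    "WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0"
)

# Tokens netfilter prints without '=': IP fragment bits and TCP flag names.
FLAG_TOKENS = {"DF", "MF", "CE", "SYN", "ACK", "PSH", "FIN", "RST", "URG", "ECE", "CWR"}


def parse_netfilter_log(line: str) -> dict:
    """Return the --log-prefix as 'prefix', every KEY=VALUE field, and a 'flags' list."""
    idx = line.find("IN=")            # the field list always starts with IN=
    if idx < 0:
        raise ValueError("not a netfilter LOG line: missing IN= field")
    fields = {"prefix": line[:idx].strip().rstrip(":"), "flags": []}
    for token in line[idx:].split():
        if "=" in token:
            key, _, value = token.partition("=")
            # Decimal values (LEN, TTL, ID, SPT, DPT, ...) become ints; hex stays text.
            fields[key] = int(value) if value.isdigit() else value
        elif token in FLAG_TOKENS:
            fields["flags"].append(token)
        else:
            raise ValueError(f"unexpected token {token!r}")
    return fields


def classify(fields: dict, service_ports=(80,)) -> str:
    """Label a dropped OUTPUT packet the way a firewall reviewer would read it.

    'service-reply' means a non-SYN segment sourced from one of our service
    ports, i.e. part of a conversation a client opened; an ESTABLISHED rule is
    expected to accept it unless the connection-tracking entry has already gone.
    """
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    flags = set(fields["flags"])
    if fields.get("SPT") in service_ports and "SYN" not in flags:
        return "service-reply"
    if "SYN" in flags and "ACK" not in flags:
        return "new-outbound"
    return "other"


if __name__ == "__main__":
    parsed = parse_netfilter_log(SAMPLE_LOG)
    print(parsed["prefix"], parsed["SRC"], "->", parsed["DST"],
          "flags", parsed["flags"], "=>", classify(parsed))
```

Run over a whole log file, lines labelled "service-reply" that also carry FIN are the ones worth comparing against the conntrack timeouts, since a closing segment arriving after the tracking entry has expired no longer matches ESTABLISHED.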