[ale] iptables issue
JK
jknapka at kneuro.net
Mon Jul 17 15:40:50 EDT 2006
Jason Lunz wrote:
> jknapka at kneuro.net said:
>
>>>iptables -P INPUT DROP
>>>iptables -P OUTPUT DROP
>>>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>iptables -A INPUT -p tcp -d WW.XX.YY.ZZ --dport http \
>>> -m state --state NEW -j ACCEPT
>>>
>>>In the above configuration, ONLY packets that are part of inbound port
>>>80 tcp connections are allowed in or out.
>>
>>Right, but he *does* still need a rule in the OUTPUT chain to allow
>>related or established packets out. I don't believe there's any way a
>>rule in the INPUT chain would ever also magically apply to the OUTPUT
>>chain.
>
>
> you mean like this one?
>
>
>>>iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Yes, exactly. In your reply to the original post
in this thread, you said he would *not* need
a rule in the OUTPUT chain, because the INPUT
rule would make that redundant:
| Jason Lunz wrote:
> jimpop at yahoo.com said:
>
>>> I have an issue wrt iptables. I use iptables to allow/deny access to a
>>> website. The tables are intended to allow all in to port 80 at address
>>> WW.XX.YY.ZZ, and all replies back out from port 80 on same address.
>>>
>>> The command line used to create the rules is this:
>>>
>>> iptables -A INPUT -p tcp -d WW.XX.YY.ZZ --dport http \
>>> -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
>>> iptables -A OUTPUT -p tcp -s WW.XX.YY.ZZ --sport http \
>>> -m state --state RELATED,ESTABLISHED -j ACCEPT
>
>
> the second rule is superfluous. It's implied by the ESTABLISHED in the
> first rule.
But you now seem to be saying something different?
Thanks,
-- JK
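The point under dispute in this thread (whether an ESTABLISHED rule in INPUT can ever cover reply packets that leave through OUTPUT) comes down to how netfilter walks its chains: each chain is evaluated independently, first matching rule wins, and a packet that matches nothing gets the chain's policy. The following is an added example, not code from the thread or from any of its participants: a small Python model that parses the subset of iptables syntax quoted above (`-P`, `-A` with `-p/-s/-d/--sport/--dport`, `-m state --state`, `-j`) and runs three constructed packets (an inbound SYN to port 80, its reply, and an unsolicited outbound connection) through the rulesets quoted in the thread, with and without the OUTPUT rule. The client and third-party addresses are constructed, the address WW.XX.YY.ZZ is the placeholder from the thread, and the service-name table is a stand-in for /etc/services; everything else is a simplification of netfilter behaviour, not a real firewall.

```python
"""Tiny model of how netfilter evaluates INPUT and OUTPUT separately.

Added example for the thread, not the posters' code. Understands only the
iptables syntax quoted in the thread.
"""
import shlex

# Service names used in the thread's rules, resolved to port numbers
# (a constructed stand-in for /etc/services).
SERVICES = {"http": "80"}


def parse_rules(script):
    """Parse iptables commands into chain policies and per-chain rule lists."""
    policies = {"INPUT": "ACCEPT", "OUTPUT": "ACCEPT"}   # iptables defaults
    chains = {"INPUT": [], "OUTPUT": []}
    for line in script.replace("\\\n", " ").splitlines():  # join '\' continuations
        args = shlex.split(line)
        if not args or args[0] != "iptables":
            continue
        if args[1] == "-P":
            policies[args[2]] = args[3]
            continue
        if args[1] != "-A":
            raise ValueError("unsupported command: " + line)
        rule = {"chain": args[2]}
        i = 3
        while i < len(args):
            if args[i] == "-m":        # match-extension name; only 'state' is modelled
                i += 2
                continue
            key = {"-p": "proto", "-s": "src", "-d": "dst", "--sport": "sport",
                   "--dport": "dport", "--state": "state", "-j": "target"}[args[i]]
            value = args[i + 1]
            rule[key] = set(value.split(",")) if key == "state" else value
            i += 2
        chains[rule["chain"]].append(rule)
    return policies, chains


def rule_matches(rule, pkt):
    """True when every selector present in the rule agrees with the packet."""
    for key in ("proto", "src", "dst", "sport", "dport"):
        if key in rule and SERVICES.get(rule[key], rule[key]) != str(pkt[key]):
            return False
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    return True


def verdict(policies, chains, chain, pkt):
    """Walk one chain: the first matching rule decides, else the chain policy."""
    for rule in chains[chain]:
        if rule_matches(rule, pkt):
            return rule["target"]
    return policies[chain]


def simulate(script):
    """Run three constructed packets through the chains they would traverse."""
    policies, chains = parse_rules(script)
    client, server = "198.51.100.7", "WW.XX.YY.ZZ"   # constructed client; thread's placeholder
    inbound_syn = dict(proto="tcp", src=client, dst=server, sport=40000, dport=80, state="NEW")
    reply = dict(proto="tcp", src=server, dst=client, sport=80, dport=40000, state="ESTABLISHED")
    unsolicited = dict(proto="tcp", src=server, dst="203.0.113.5", sport=50000, dport=25, state="NEW")
    return {
        "inbound_syn": verdict(policies, chains, "INPUT", inbound_syn),
        "reply": verdict(policies, chains, "OUTPUT", reply),          # replies leave via OUTPUT
        "unsolicited_out": verdict(policies, chains, "OUTPUT", unsolicited),
    }


# Ruleset quoted at the top of the thread: default-DROP on both chains.
DROP_POLICY_RULESET = """
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -d WW.XX.YY.ZZ --dport http \\
    -m state --state NEW -j ACCEPT
"""

# Same ruleset with the OUTPUT rule removed: replies now fall through to DROP.
NO_OUTPUT_RULE = DROP_POLICY_RULESET.replace(
    "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n", "")

# The original poster's two rules, chain policies left at the ACCEPT default.
OP_RULESET = """
iptables -A INPUT -p tcp -d WW.XX.YY.ZZ --dport http -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s WW.XX.YY.ZZ --sport http -m state --state RELATED,ESTABLISHED -j ACCEPT
"""

# Only the INPUT rule: replies still pass, but via the ACCEPT policy, not via INPUT.
OP_INPUT_ONLY = OP_RULESET.splitlines()[1] + "\n"


if __name__ == "__main__":
    for name, script in [("drop policy, both rules", DROP_POLICY_RULESET),
                         ("drop policy, no OUTPUT rule", NO_OUTPUT_RULE),
                         ("OP ruleset", OP_RULESET),
                         ("OP INPUT rule only", OP_INPUT_ONLY)]:
        print(name, simulate(script))
```

With the default-DROP policies the reply packet is accepted only when the OUTPUT chain has its own ESTABLISHED,RELATED rule; remove that rule and the reply hits the OUTPUT policy and is dropped, while the INPUT rule still admits the inbound SYN. With the original poster's rules the OUTPUT rule is indeed never the deciding one, but that is because the OUTPUT policy is still ACCEPT, not because the INPUT rule reaches across chains.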