[ale] iptables issue

JK jknapka at kneuro.net
Mon Jul 17 15:40:50 EDT 2006


Jason Lunz wrote:

> jknapka at kneuro.net said:
> 
>>>iptables -P INPUT DROP
>>>iptables -P OUTPUT DROP
>>>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>iptables -A INPUT -p tcp -d WW.XX.YY.ZZ --dport http \
>>>	-m state --state NEW -j ACCEPT
>>>
>>>In the above configuration, ONLY packets that are part of inbound port
>>>80 tcp connections are allowed in or out.
>>
>>Right, but he *does* still need a rule in the OUTPUT chain to allow
>>related or established packets out.  I don't believe there's any way a
>>rule in the INPUT chain would ever also magically apply to the OUTPUT
>>chain.
> 
> 
> you mean like this one?
> 
> 
>>>iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Yes, exactly. In your reply to the original post
in this thread, you said he would *not* need
a rule in the OUTPUT chain, because the INPUT
rule would make that redundant:

| Jason Lunz wrote:
> jimpop at yahoo.com said:
> 
>>> I have an issue wrt iptables.  I use iptables to allow/deny access to a 
>>> website.  The tables are intended to allow all in to port 80 at address 
>>> WW.XX.YY.ZZ, and all replies back out from port 80 on same address.
>>>
>>> The command line used to create the rules is this:
>>>
>>> iptables -A INPUT -p tcp -d WW.XX.YY.ZZ --dport http
>>>       -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
>>> iptables -A OUTPUT -p tcp -s WW.XX.YY.ZZ --sport http
>>>       -m state --state RELATED,ESTABLISHED -j ACCEPT
> 
> 
> the second rule is superfluous. It's implied by the ESTABLISHED in the
> first rule.

But you now seem to be saying something different?

Thanks,

-- JK
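A small model of the two rulesets under discussion, added here as an illustration and not part of the thread: it mimics first-match chain traversal with a default policy plus the conntrack state match, and shows that the INPUT rule never covers the server's reply leaving through OUTPUT, so without the OUTPUT ESTABLISHED,RELATED rule the SYN-ACK is dropped by the OUTPUT policy. The client address and port are constructed sample values.

```python
# Toy model of netfilter INPUT/OUTPUT chain evaluation (not iptables itself,
# nothing touches the kernel): first matching rule wins, else chain policy.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    target: str                        # ACCEPT or DROP
    proto: Optional[str] = None        # -p, None = any protocol
    dst: Optional[str] = None          # -d, None = any destination
    dport: Optional[int] = None        # --dport, None = any port
    states: frozenset = frozenset()    # -m state --state ...; empty = no state match

    def matches(self, pkt: dict) -> bool:
        return ((self.proto is None or pkt["proto"] == self.proto)
                and (self.dst is None or pkt["dst"] == self.dst)
                and (self.dport is None or pkt["dport"] == self.dport)
                and (not self.states or pkt["state"] in self.states))

@dataclass
class Chain:
    policy: str                        # -P default verdict
    rules: list = field(default_factory=list)

    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:        # rules are walked in -A order
            if rule.matches(pkt):
                return rule.target
        return self.policy             # no rule matched: policy applies

def build_ruleset(with_output_established: bool) -> dict:
    """The ruleset quoted in the thread, with or without the OUTPUT state rule."""
    conntrack_ok = frozenset({"ESTABLISHED", "RELATED"})
    inp = Chain("DROP", [
        Rule("ACCEPT", states=conntrack_ok),
        Rule("ACCEPT", proto="tcp", dst="WW.XX.YY.ZZ", dport=80, states=frozenset({"NEW"})),
    ])
    out = Chain("DROP")
    if with_output_established:
        out.rules.append(Rule("ACCEPT", states=conntrack_ok))
    return {"INPUT": inp, "OUTPUT": out}

def simulate_http(with_output_established: bool) -> tuple:
    """Return (verdict for the inbound SYN, verdict for the server's SYN-ACK)."""
    chains = build_ruleset(with_output_established)
    syn = {"proto": "tcp", "dst": "WW.XX.YY.ZZ", "dport": 80, "state": "NEW"}
    # Constructed client endpoint; conntrack classes the reply as ESTABLISHED.
    reply = {"proto": "tcp", "dst": "203.0.113.9", "dport": 40000, "state": "ESTABLISHED"}
    return chains["INPUT"].verdict(syn), chains["OUTPUT"].verdict(reply)
```

With the OUTPUT rule present both legs are accepted; without it the inbound SYN is still accepted but the reply is dropped, which is the point JK is making.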
