* Established / related
From: Peter Marshall @ 2004-06-29 18:33 UTC
To: netfilter

I was wondering if there is a way to use established, related on a subchain only.

ex. ftp server behind firewall

$IPTABLES -A FORWARD -d $IPSERVER -j ftpchain

$IPTABLES -A ftpchain -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT

This does not seem to work. It only seems to work when I have the established,related line on the FORWARD chain.

Thanks for the help.

Peter
* Re: Established / related
From: Antony Stone @ 2004-06-29 18:46 UTC
To: netfilter

On Tuesday 29 June 2004 7:33 pm, Peter Marshall wrote:

> I was wondering if there is a way to use established, related on a subchain
> only.
>
> ex. ftp server behind firewall
>
> $IPTABLES -A FORWARD -d $IPSERVER -j ftpchain
>
> $IPTABLES -A ftpchain -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> This does not seem to work. It only seems to work when I have the
> established,related line on the FORWARD chain.

I really cannot see why this should not do what you want (which presumably is to match only established or related packets going to $IPSERVER).

The only thing which looks a little odd to me, which I wonder whether you've forgotten, is to make sure there is a rule for the reply packets coming back again from $IPSERVER?

If that's not the problem, please give some more details on how you're testing it and why you think it doesn't work.

Regards,

Antony.

-- 
"It would appear we have reached the limits of what it is possible to achieve with computer technology, although one should be careful with such statements; they tend to sound pretty silly in five years." - John von Neumann (1949)

Please reply to the list; please don't CC me.
* Re: Established / related
From: Peter Marshall @ 2004-06-29 19:12 UTC
To: netfilter

Shouldn't the reply be taken care of by the established,related rule below? (I am probably just missing something blatantly obvious.)

Peter

----- Original Message -----
From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
To: "netfilter" <netfilter@lists.netfilter.org>
Sent: Tuesday, June 29, 2004 3:46 PM
Subject: Re: Established / related

> The only thing which looks a little odd to me, which I wonder whether
> you've forgotten, is to make sure there is a rule for the reply packets
> coming back again from $IPSERVER?
* Re: Established / related
From: Antony Stone @ 2004-06-29 19:25 UTC
To: netfilter

On Tuesday 29 June 2004 8:12 pm, Peter Marshall wrote:

> Shouldn't the reply be taken care of by the established,related rule below?

No, because the reply will be coming *from* $IPSERVER, and your rule in the FORWARD chain calling the user-defined chain only matches packets with $IPSERVER as the destination address.

> (I am probably just missing something blatantly obvious.)

Yes, I think so :)

Regards,

Antony.

PS: I've chosen the sig on this response specially for you :)

-- 
90% of networking problems are routing problems.
9 of the remaining 10% are routing problems in the other direction.
The remaining 1% might be something else, but check the routing anyway.

Please reply to the list; please don't CC me.
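The fix Antony describes, written out as an added example (this is not code from the thread or from the netfilter project): the poster's ruleset with a second jump into ftpchain for packets whose *source* is $IPSERVER, so the server's replies actually reach the ESTABLISHED,RELATED accept. The server address 192.0.2.10 and the choice to log and drop everything else inside the chain are assumptions for illustration. By default the script only prints the iptables and modprobe commands so it can be run anywhere without privileges; set IPTABLES=iptables and MODPROBE=modprobe to apply them.

```shell
#!/bin/sh
# Added example, not from the thread: the poster's FORWARD/ftpchain rules plus
# the missing reverse-direction jump.  IPTABLES and MODPROBE default to
# "echo ..." (dry run); export IPTABLES=iptables MODPROBE=modprobe to apply.
IPTABLES="${IPTABLES:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"
# Assumed address of the FTP server behind the firewall (RFC 5737 range).
IPSERVER="${IPSERVER:-192.0.2.10}"

ftp_rules() {
    # RELATED only covers FTP data connections when the FTP conntrack helper
    # is loaded (called ip_conntrack_ftp on the 2.4/early 2.6 kernels of 2004).
    $MODPROBE nf_conntrack_ftp

    # Create the user-defined chain if needed, then flush it so the script
    # can be re-run without appending duplicate rules.
    $IPTABLES -N ftpchain 2>/dev/null || true
    $IPTABLES -F ftpchain

    # Both directions must reach ftpchain.  The original ruleset only had the
    # first jump, so replies from the server (source $IPSERVER) never entered
    # the chain, never met the ESTABLISHED,RELATED accept, and fell through to
    # whatever the FORWARD policy was.
    $IPTABLES -A FORWARD -d "$IPSERVER" -j ftpchain
    $IPTABLES -A FORWARD -s "$IPSERVER" -j ftpchain

    # Replies and helper-tracked data connections, whichever way they flow.
    # No "-p tcp" here so RELATED ICMP errors for the session are let through too.
    $IPTABLES -A ftpchain -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The only NEW connections permitted: the control channel to the server.
    $IPTABLES -A ftpchain -p tcp -d "$IPSERVER" --dport 21 -m state --state NEW -j ACCEPT
    # Everything else that lands in this chain is logged and dropped.
    $IPTABLES -A ftpchain -j LOG --log-prefix "ftpchain drop: "
    $IPTABLES -A ftpchain -j DROP
}

ftp_rules
```

To confirm the reverse jump is what was missing, run a transfer and watch `iptables -vnL FORWARD`: with only the `-d $IPSERVER` jump, the packet counter on the `-s $IPSERVER` line stays at zero and the server's replies are accounted against the chain policy counter; with both jumps, the counters on both FORWARD rules advance and the accept in ftpchain picks up the return traffic.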
* Re: Established / related
From: Peter Marshall @ 2004-06-29 19:47 UTC
To: netfilter

Thank you for your help.

Peter

----- Original Message -----
From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
To: "netfilter" <netfilter@lists.netfilter.org>
Sent: Tuesday, June 29, 2004 4:25 PM
Subject: Re: Established / related

> No, because the reply will be coming *from* $IPSERVER, and your rule in the
> FORWARD chain calling the user-defined chain only matches packets with
> $IPSERVER as the destination address.