From: "Peter Marshall" <peter.marshall@caris.com>
To: netfilter <netfilter@lists.netfilter.org>
Subject: Re: Established / related
Date: Tue, 29 Jun 2004 16:47:12 -0300 [thread overview]
Message-ID: <006a01c45e11$df1692b0$49caa8c0@caris.priv> (raw)
In-Reply-To: 200406292025.14289.Antony@Soft-Solutions.co.uk
Thank you for your help.
Peter
----- Original Message -----
From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
To: "netfilter" <netfilter@lists.netfilter.org>
Sent: Tuesday, June 29, 2004 4:25 PM
Subject: Re: Established / related
On Tuesday 29 June 2004 8:12 pm, Peter Marshall wrote:
> shouldn't the reply be taken care of by the established,related rule below?
No, because the reply will be coming *from* $IPSERVER, and your rule in the
FORWARD chain calling the user-defined chain only matches packets with
$IPSERVER as the destination address.
> (I am probably just missing something blatantly obvious)
Yes, I think so :)
Regards,
Antony.
PS: I've chosen the sig on this response specially for you :)
> ----- Original Message -----
> From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
> To: "netfilter" <netfilter@lists.netfilter.org>
> Sent: Tuesday, June 29, 2004 3:46 PM
> Subject: Re: Established / related
>
> On Tuesday 29 June 2004 7:33 pm, Peter Marshall wrote:
> > I was wondering if there is a way to use established, related on a subchain
> > only.
> >
> > ex. ftp server behind firewall
> >
> > $IPTABLES -A FORWARD -d $IPSERVER -j ftpchain
> >
> > $IPTABLES -A ftpchain -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > This does not seem to work .. It only seems to work when I have the
> > established,related line on the FORWARD chain.
>
> I really cannot see why this should not do what you want (which presumably
> is to match only established or related packets going to $IPSERVER).
>
> The only thing which looks a little odd to me, which I wonder whether
> you've forgotten, is to make sure there is a rule for the reply packets
> coming back again from $IPSERVER?
>
> If that's not the problem, please give some more details on how you're
> testing it and why you think it doesn't work.
>
> Regards,
>
> Antony.
--
90% of networking problems are routing problems.
9 of the remaining 10% are routing problems in the other direction.
The remaining 1% might be something else, but check the routing anyway.

Please reply to the list; please don't CC me.
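The point Antony makes above is that a FORWARD rule matching only `-d $IPSERVER` never sees the server's reply packets, so the ESTABLISHED,RELATED rule inside the sub-chain is never consulted for them. The script below is an added example (not code from the thread) showing the two-direction dispatch into the sub-chain. It assumes the FTP server's address is passed as the first argument, that the `iptables` binary is in `$PATH`, and that the FTP connection-tracking helper (`ip_conntrack_ftp` on 2004-era kernels, `nf_conntrack_ftp` on current ones) is loaded so data connections are classified RELATED. Setting `IPTABLES="echo iptables"` turns it into a dry run that prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Assumptions: $1 is the address of the FTP server behind the firewall;
# the FTP conntrack helper module is loaded; iptables is in $PATH.
# Dry run:  IPTABLES="echo iptables" sh ftp-rules.sh 192.0.2.10
IPTABLES="${IPTABLES:-iptables}"

# Emit (or load) the rule set for FTP server $1.
# Both directions must be dispatched into ftpchain: "-d $server" alone only
# matches packets going *to* the server, so replies coming *from* it would
# never reach the ESTABLISHED,RELATED rule in the sub-chain.
ftp_rules() {
    server="$1"
    $IPTABLES -N ftpchain
    # Packets toward the server and packets back from it both enter ftpchain.
    $IPTABLES -A FORWARD -d "$server" -j ftpchain
    $IPTABLES -A FORWARD -s "$server" -j ftpchain
    # Replies to tracked connections, plus FTP data connections the conntrack
    # helper has marked RELATED, in either direction.
    $IPTABLES -A ftpchain -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New control connections are only allowed toward port 21 on the server.
    $IPTABLES -A ftpchain -p tcp -d "$server" --dport 21 -m state --state NEW -j ACCEPT
    # Anything else falls off the end of ftpchain and continues in FORWARD.
}

# Count how many FORWARD dispatch rules a dry-run rule set contains; a correct
# set has two (one for -d, one for -s).  Used to sanity-check the output.
count_forward_dispatch() {
    printf '%s\n' "$1" | grep -c -- '-A FORWARD .* -j ftpchain'
}

if [ -n "${1:-}" ]; then
    ftp_rules "$1"
fi
```

On current kernels `-m state --state` is a compatibility alias for `-m conntrack --ctstate`; the matching logic is the same. Once the `-s "$server"` dispatch is in place, the reply direction is covered by the ESTABLISHED,RELATED rule exactly as the original poster expected.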
Thread overview: 5+ messages
2004-06-29 18:33 Established / related Peter Marshall
2004-06-29 18:46 ` Antony Stone
2004-06-29 19:12 ` Peter Marshall
2004-06-29 19:25 ` Antony Stone
2004-06-29 19:47 ` Peter Marshall [this message]