From mboxrd@z Thu Jan 1 00:00:00 1970
From: Patrik Hildingsson <ph@kurd.nu>
Date: Wed, 28 Feb 2001 18:37:06 +0000
Subject: [LARTC] Another newbyish question I'm afraid, -m state --state matters
To: lartc@vger.kernel.org
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Please post this on the netfilter mailing list instead of here, as this is an
iproute2 mailing list, not dedicated to iproute2.

See more info at http://netfilter.samba.org

use: iptables -A INPUT -i eth0 -p tcp -m state --state NEW ! --dport 22 -j DROP

/Patrik
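As an added example (not code from either poster), here is a complete INPUT/FORWARD ruleset for the setup described in the quoted question, written in current iptables syntax. Two points it makes concrete: `--dport` is an option of the tcp/udp protocol match and is only recognised once `-p tcp` (or `-p udp`) appears earlier on the same rule, and the port exceptions have to be appended before the catch-all `NEW,INVALID` DROP because rules match in order. The interface name eth0 and the forwarded ports 25 and 80 are assumptions for the example; the script prints the rules by default and only installs them when run as root with `IPT=iptables`.

```shell
#!/bin/sh
# Added example, not code from either poster: a complete ruleset for the
# setup in the quoted question (deny new connections from the outside except
# SSH to the firewall and a few forwarded services).
#
# "--dport" belongs to the tcp/udp match, so iptables only accepts it after
# "-p tcp" (or "-p udp"); that is why the rules in the question fail to load.
# Exceptions must also be appended before the catch-all DROP: rules match in
# order, and the first match wins.
#
# Dry run by default: IPT=echo prints the rules instead of installing them.
# Run as root with IPT=iptables to apply.
IPT="${IPT:-echo}"
WAN="${WAN:-eth0}"                  # assumed external interface
SSH_PORT="${SSH_PORT:-22}"
FWD_PORTS="${FWD_PORTS:-25 80}"     # assumed TCP ports forwarded to inside hosts

build_rules() {
    # Replies to connections opened from the firewall or from the inside.
    $IPT -A INPUT   -i "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New SSH sessions to the firewall itself.
    $IPT -A INPUT -i "$WAN" -p tcp -m state --state NEW --dport "$SSH_PORT" -j ACCEPT

    # New connections to the services forwarded to inside hosts.
    for port in $FWD_PORTS; do
        $IPT -A FORWARD -i "$WAN" -p tcp -m state --state NEW --dport "$port" -j ACCEPT
    done

    # Anything else arriving new (or not trackable) from the outside is dropped.
    $IPT -A INPUT   -i "$WAN" -m state --state NEW,INVALID -j DROP
    $IPT -A FORWARD -i "$WAN" -m state --state NEW,INVALID -j DROP
}

# Dry-run helpers for checking the generated ruleset without root.
dry_run() {
    (IPT=echo; build_rules)
}

# Number of rules appended to the chain named in $1.
count_rules() {
    dry_run | grep -c -- "-A $1 "
}

# 1-based position of the first rule whose text matches grep pattern $1
# (empty if none); lets a caller verify that an exception precedes the DROP.
rule_index() {
    dry_run | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

build_rules
```

Run it once with the default dry run and read the output before applying it; if the SSH ACCEPT line does not sit above the INPUT DROP line, an `iptables -A` ordering mistake would lock you out of the firewall over the same interface you are filtering.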

-----Original Message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On Behalf Of Paul Wouters
Sent: 28 February 2001 18:07
To: lartc@mailman.ds9a.nl
Subject: [LARTC] Another newbyish question I'm afraid, -m state --state matters


I'd like to be able to deny all new connections to a firewall, with the
exception of port 22 (sshd) and some ports I'd like to forward internally.

Now, there is this nice feature Rusty describes to do that:

iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

However, it seems I can't make a rule that is using the state AND a
source/dest port in there. E.g. the following won't work:

iptables -A INPUT -i eth0 -m state --state NEW,INVALID --dport 22 -j DROP
iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID --dport 25 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

Anyone? :)

Paul
--
Just patent your virus and sue the anti-virus companies for reverse
engineering it.
                  --- cne_pc@youknowwhattodo.yahoo.com, in response to
                      Norton's patent on "software updates"


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://ds9a.nl/2.4Routing/