From mboxrd@z Thu Jan 1 00:00:00 1970
From: Arthur van Leeuwen arthurvl@sci.kun.nl
Date: Thu, 01 Mar 2001 09:21:17 +0000
Subject: [LARTC] Another newbyish question I'm afraid, -m state --state
Message-Id:
List-Id:
References:
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org
On Wed, 28 Feb 2001, Paul Wouters wrote:

> I'd like to be able to deny all new connections to a firewall, with the
> exception of port 22 (sshd) and some ports I'd like to forward internally.

> However, it seems I can't make a rule that is using the state
> AND a source/dest port in there. E.g. the following won't work:
>
> iptables -A INPUT -i eth0 -m state --state NEW,INVALID --dport 22 -j DROP
> iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
> iptables -A FORWARD -i eth0 -m state --state NEW,INVALID --dport 25 -j ACCEPT
> iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
>
> Anyone? :)

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,INVALID -j DROP
iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 25 -m state --state NEW,INVALID -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

--sport and --dport need the -p tcp or -p udp flags to be set, as source and
destination ports may not make sense for certain protocols, most notably
ICMP.

Doei, Arthur.

-- 
  /\    / |      arthurvl@sci.kun.nl      | Work like you don't need the money
 /__\  /  | A friend is someone with whom | Love like you have never been hurt
/    \/__ | you can dare to be yourself   | Dance like there's nobody watching
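The point Arthur makes above (a `--sport`/`--dport` match is only meaningful once `-p tcp` or `-p udp` has been given) is easy to get wrong when rules are generated from a script. The following is an added example, not from the original thread or from the iptables project: a small POSIX sh lint that inspects iptables rule text for port matches that lack a tcp/udp protocol selector, run over a constructed set of sample rules. It only recognises `-p tcp`, `-p udp`, `--protocol tcp` and `--protocol udp` (other port-carrying protocols such as sctp are an assumption it does not cover), and it inspects text only; it never invokes iptables.

```shell
#!/bin/sh
# Added example (not from the thread): lint iptables rule lines for a
# --sport/--dport that is not accompanied by -p tcp or -p udp.

# Returns 0 if the rule either has no port match or has one together with
# a tcp/udp protocol selector; returns 1 if it uses a port match without one.
check_port_rule() {
    rule="$1"
    # Pad with spaces so that whole-word matching works at both ends.
    case " $rule " in
        *" --dport "*|*" --sport "*) ;;
        *) return 0 ;;                      # no port match, nothing to check
    esac
    case " $rule " in
        *" -p tcp "*|*" -p udp "*|*" --protocol tcp "*|*" --protocol udp "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads rule lines on stdin, reports each offending rule on stderr and
# prints the number of offending rules on stdout (0 means all are fine).
lint_rules() {
    bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if ! check_port_rule "$line"; then
            printf 'port match without -p tcp/udp: %s\n' "$line" >&2
            bad=$((bad + 1))
        fi
    done
    printf '%s\n' "$bad"
}

# Constructed sample rule set: the first two lines are the shape of rule
# that fails in the thread, the last two carry -p tcp (or no port match).
SAMPLE_RULES='
iptables -A INPUT -i eth0 -m state --state NEW,INVALID --dport 22 -j DROP
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID --dport 25 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,INVALID -j DROP
iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
'

# Usage: feed the rule set to the lint and read the count of bad rules.
printf '%s\n' "$SAMPLE_RULES" | lint_rules
```

Running the block as-is reports the two rules that lack `-p tcp` and prints `2`; a non-zero count is the signal to stop a deploy script before `iptables` itself rejects the rule at load time.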