From: Jason Opperisano <opie@817west.com>
To: netfilter@lists.netfilter.org
Subject: Re: specifying -m state --state NEW (Was : --policy DROP kills everything?)
Date: Fri, 10 Jun 2005 16:13:04 -0400 [thread overview]
Message-ID: <20050610201304.GA6825@bender.817west.com> (raw)
In-Reply-To: <1118430816.8207.44.camel@sonea.sterenborg.info>
On Fri, Jun 10, 2005 at 09:13:36PM +0200, Rob Sterenborg wrote:
> In that case I don't understand why both rules seem to do the same job.
> Both :
>
> $ipt -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
>
> and :
>
> $ipt -A INPUT -i eth0 -m state --state NEW -p tcp --dport 22 -j ACCEPT
>
> only work in combination with :
>
> $ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> At least, here it does.
just tested:
# iptables-save
# Generated by iptables-save v1.3.1 on Sat Jun 11 01:47:21 2005
*filter
:INPUT DROP [13:1519]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [88:8463]
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Sat Jun 11 01:47:21 2005
I can both ping and ssh to this machine. The only thing I can
think of that would lead you to believe that you need the "--state
RELATED,ESTABLISHED" rule in INPUT is that, without it, the replies
to the OUTPUT packets will be dropped: things like responses to DNS
queries, which will make your ssh connection take much longer if you have
"UseDNS yes" in sshd_config. Just a thought.
-j
--
"Stewie: Mark my words, your uppance shall come."
--Family Guy
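The behaviour Jason describes (inbound ssh and ping still accepted with policy DROP, but replies to the host's own outbound queries dropped until a RELATED,ESTABLISHED rule is present) as an added example: a small first-match simulation of the INPUT chain written for this page, not iptables/netfilter code or anything from the thread. The Packet class, verdict() and the sample packets are constructed assumptions; conntrack states are taken as given per packet.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # destination port on this host (0 for icmp)
    state: str   # conntrack state as netfilter would classify it: NEW, ESTABLISHED, RELATED

# Each rule is (match function, target). A chain is walked top to bottom and
# the first matching rule decides; if nothing matches, the chain policy applies.
def match_icmp(p):      return p.proto == "icmp"
def match_ssh(p):       return p.proto == "tcp" and p.dport == 22
def match_conntrack(p): return p.state in ("RELATED", "ESTABLISHED")

# The INPUT chain from the iptables-save output above (policy DROP).
CHAIN_WITHOUT_STATE = [(match_icmp, "ACCEPT"), (match_ssh, "ACCEPT")]
# The same chain with Rob's "-m state --state RELATED,ESTABLISHED -j ACCEPT" placed first.
CHAIN_WITH_STATE = [(match_conntrack, "ACCEPT")] + CHAIN_WITHOUT_STATE

def verdict(chain, pkt, policy="DROP"):
    """Return the target of the first matching rule, else the chain policy."""
    for match, target in chain:
        if match(pkt):
            return target
    return policy

# Constructed sample traffic arriving on the host.
PACKETS = {
    "inbound ssh SYN":      Packet("tcp", 22, "NEW"),
    "inbound ping":         Packet("icmp", 0, "NEW"),
    "ssh data, same flow":  Packet("tcp", 22, "ESTABLISHED"),
    # Reply to a DNS query the host itself sent from an ephemeral port
    # (e.g. sshd's reverse lookup with "UseDNS yes"): conntrack marks it ESTABLISHED.
    "dns reply to our own query": Packet("udp", 40123, "ESTABLISHED"),
}

def verdicts(chain):
    """Map each sample packet name to the verdict the given chain produces."""
    return {name: verdict(chain, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, chain in (("without state rule", CHAIN_WITHOUT_STATE),
                         ("with state rule", CHAIN_WITH_STATE)):
        print(label)
        for name, v in verdicts(chain).items():
            print(f"  {name:28s} -> {v}")
```

Inbound ssh is accepted either way because the dport 22 rule matches it regardless of state; only the host's own outbound traffic depends on the RELATED,ESTABLISHED rule.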