Hi,

On Tue, 5 Jul 2005 15:52:20 +0200 (CEST) "Patrick Marquetecken" <[EMAIL PROTECTED]> wrote:

> If I'm correct then iptables is stateful connection capable, this means I
> should not use rules like:
> If state of connection is ESTABLISHED ...
> If state of connection is RELATED ...
>
> and I may use only:
> If protocol is TCP and source is bla bla and destination port is bla bla
> and state of connection is NEW

All of the mentioned rules are related to stateful connection matching. You probably want all ESTABLISHED and RELATED traffic in both the incoming and outgoing direction, and NEW connections only outgoing. Additionally you'll probably want NEW connections also in the incoming direction for the services you want to offer - that's how I interpret your last sentence. But you'll definitely want ESTABLISHED and RELATED, too.

Concept usually is:

INPUT:
- allow ESTABLISHED,RELATED
- allow NEW for selected services

FORWARD:
- allow NEW,ESTABLISHED,RELATED from LAN to WAN
- allow ESTABLISHED,RELATED from WAN to LAN

OUTPUT:
- allow NEW,ESTABLISHED,RELATED

where OUTPUT rules are optional if OUTPUT's policy is set to ACCEPT.

Current connections being monitored are listed and accessible in procfs. When playing with Linux as a router for UDP traffic, you may want to play with the state matching related sysctls (also accessible via procfs) to adjust the timespan that the information is held. My VPN connections from LAN to WAN tend to time out otherwise. But that's just a side note.

-hwh

--
gentoo-user@gentoo.org mailing list
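The INPUT/FORWARD/OUTPUT concept from the reply above, written out as an iptables ruleset. This is an added example, not code from the original mail; the interface names (eth0 as WAN, eth1 as LAN), the LAN subnet and the single offered service on TCP port 22 are assumptions to adjust. The script prints the commands by default so the ruleset can be reviewed before being applied with `apply`.

```shell
#!/bin/sh
# Assumed environment (not from the original mail): eth0 faces the WAN,
# eth1 faces the LAN, and the router itself offers only SSH on TCP/22.
WAN_IF="eth0"
LAN_IF="eth1"
LAN_NET="192.168.1.0/24"
OFFERED_TCP_PORTS="22"   # space-separated list of NEW-allowed inbound ports

# fw_rules prints one iptables command per line instead of executing it,
# so the ruleset can be read, diffed or piped into sh once it looks right.
fw_rules() {
    echo "iptables -F"
    # Default-deny for traffic to and through the box; OUTPUT policy ACCEPT
    # makes explicit OUTPUT rules unnecessary, as the mail notes.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # INPUT: replies to our own connections plus RELATED traffic such as
    # ICMP errors or FTP data channels tracked by a conntrack helper.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # INPUT: NEW connections only for the services we deliberately offer.
    for p in $OFFERED_TCP_PORTS; do
        echo "iptables -A INPUT -i $WAN_IF -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # FORWARD: the LAN may open connections towards the WAN ...
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    # ... but the WAN side only gets replies and related packets back in.
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# fw_rule_count returns the number of commands fw_rules emits.
fw_rule_count() {
    fw_rules | wc -l | tr -d ' '
}

# apply_rules executes the printed commands; needs root and iptables.
apply_rules() {
    fw_rules | sh -e
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    fw_rules
fi
```

Tracked connections can be inspected in procfs as the mail says (/proc/net/ip_conntrack on kernels of that era, /proc/net/nf_conntrack on newer ones), and the UDP timeouts it mentions live under the netfilter sysctl tree.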