Re: DROP or REJECT with STATE flags
On Tue, 26/04/2005 at 09.21 -0400, Theodore Knab wrote:
> Is there any advantage/disadvantage of using state for DROPS and REJECTS ?
>
> I noticed I had the following rules which I really don't understand on my
> transparent bridge.
>
> IPTABLES="/sbin/iptables"
> OINT="eth1"
>
> $IPTABLES -I FORWARD -m state --state INVALID -j DROP
> $IPTABLES -A FORWARD -p tcp -m state -m physdev --physdev-in $OINT -s 129.2.16.23/32 --destination-port 25 --state NEW,ESTABLISHED,RELATED -j REJECT
> $IPTABLES -A FORWARD -p tcp -m state -m physdev --physdev-in $OINT --destination-port 1:1024 --state NEW,ESTABLISHED,RELATED -j REJECT
> $IPTABLES -A FORWARD -p udp -m state -m physdev --physdev-in $OINT --destination-port 1:1024 --state NEW,ESTABLISHED,RELATED -j REJECT
It depends on the subsequent lines. I mean, line 1 is useful because you
want to drop invalid packets, right now w/o checking following rules.
Lines 2-4 are useful in a similar way, admitting your subsequent rules
can trap the same packets and lead them to a different target (i.e. DROP
instead of REJECT). However line 2 is surely useless, as the same
packets are trapped in a more general context by line 3.
Ciao,
Gian Piero.
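To make the redundancy argument above concrete, here is a small Python model of first-match evaluation over the four FORWARD rules quoted in the question. This is an added example, not code from either poster: the `Rule` fields and the packet dictionaries are a simplified encoding of the iptables `-p`, `--physdev-in`, `-s`, `--destination-port` and `--state` matches, and a packet matching no rule is assumed to fall through to the chain policy (reported as `None`). The check reports a rule as redundant when a later rule with the same target matches a superset of its packets and no different-target rule in between can intercept them first.

```python
"""Model of first-match iptables rule evaluation and redundancy detection.

Added example (not from the original thread). Rules are encoded with the
matches used on the page; ports are assumed meaningful only for tcp/udp.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ALL_STATES = frozenset({"NEW", "ESTABLISHED", "RELATED", "INVALID"})


@dataclass(frozen=True)
class Rule:
    target: str
    proto: Optional[str] = None          # None = any protocol
    physdev_in: Optional[str] = None     # None = any bridge port
    src: str = "0.0.0.0/0"               # source network
    dports: Tuple[int, int] = (1, 65535)  # inclusive destination port range
    states: FrozenSet[str] = ALL_STATES

    def matches(self, pkt: dict) -> bool:
        """True if this rule would fire for the given packet."""
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.physdev_in is not None and pkt["physdev_in"] != self.physdev_in:
            return False
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if not (self.dports[0] <= pkt["dport"] <= self.dports[1]):
            return False
        return pkt["state"] in self.states

    def subsumed_by(self, other: "Rule") -> bool:
        """True if every packet matching self also matches other."""
        if other.proto is not None and other.proto != self.proto:
            return False
        if other.physdev_in is not None and other.physdev_in != self.physdev_in:
            return False
        if not ipaddress.ip_network(self.src).subnet_of(ipaddress.ip_network(other.src)):
            return False
        if not (other.dports[0] <= self.dports[0] and self.dports[1] <= other.dports[1]):
            return False
        return self.states <= other.states


def overlaps(a: Rule, b: Rule) -> bool:
    """Conservative test: can some packet match both rules?"""
    if a.proto is not None and b.proto is not None and a.proto != b.proto:
        return False
    if a.physdev_in is not None and b.physdev_in is not None and a.physdev_in != b.physdev_in:
        return False
    if not ipaddress.ip_network(a.src).overlaps(ipaddress.ip_network(b.src)):
        return False
    if max(a.dports[0], b.dports[0]) > min(a.dports[1], b.dports[1]):
        return False
    return bool(a.states & b.states)


def first_match(rules: List[Rule], pkt: dict) -> Tuple[Optional[int], Optional[str]]:
    """Return (rule index, target) of the first matching rule, or (None, None)."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return i, rule.target
    return None, None  # falls through to the chain policy


def redundant_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules whose packets a later same-target rule would trap anyway."""
    redundant = []
    for i, rule in enumerate(rules):
        for later in rules[i + 1:]:
            if later.target == rule.target and rule.subsumed_by(later):
                redundant.append(i)
                break
            if later.target != rule.target and overlaps(rule, later):
                break  # a different verdict could intercept some packets first
    return redundant


# The four FORWARD rules from the question, in the order the kernel evaluates
# them (the -I rule sits at the head of the chain).
OINT = "eth1"
TRACKED = frozenset({"NEW", "ESTABLISHED", "RELATED"})
FORWARD = [
    Rule(target="DROP", states=frozenset({"INVALID"})),
    Rule(target="REJECT", proto="tcp", physdev_in=OINT, src="129.2.16.23/32",
         dports=(25, 25), states=TRACKED),
    Rule(target="REJECT", proto="tcp", physdev_in=OINT, dports=(1, 1024), states=TRACKED),
    Rule(target="REJECT", proto="udp", physdev_in=OINT, dports=(1, 1024), states=TRACKED),
]

if __name__ == "__main__":
    # Constructed sample packet: SMTP from the host named in line 2.
    pkt = {"proto": "tcp", "physdev_in": "eth1", "src": "129.2.16.23",
           "dport": 25, "state": "NEW"}
    print("redundant rule indices:", redundant_rules(FORWARD))
    print("with line 2:", first_match(FORWARD, pkt))
    print("without line 2:", first_match(FORWARD[:1] + FORWARD[2:], pkt))
```

Running it reports index 1 (the port-25 rule) as redundant, and the sample SMTP packet gets the same REJECT verdict with or without that line; the INVALID DROP rule is not flagged because no later rule's state set covers it.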