
Re: Iptables config



...

> 
>  I use the connection-tracking support, so I can drop everything except
> traffic related to a connection I opened.  This is what I use (NAT stuff
> omitted):
> 
> 	iptables -t filter -P FORWARD ACCEPT
> 	iptables -t filter -P INPUT DROP
> 	iptables -t filter -P OUTPUT ACCEPT
> 
> 	# ip_conntrack / ip_conntrack_ftp are the old module names; current
> 	# kernels ship nf_conntrack and nf_conntrack_ftp instead
> 	modprobe ip_conntrack
> 	modprobe ip_conntrack_ftp
> 
> 	# accept everything except from the big bad Internet
> 	# (on current iptables the "!" goes before the option; the old
> 	# "-i ! eth0" spelling is rejected)
> 	iptables -A INPUT ! -i eth0 -j ACCEPT
> 	iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Sorry, I don't get that. The manpage says:

...ESTABLISHED meaning that the
packet is associated with a  connection  which  has
seen  packets  in both directions...
                  ^^^^
But if I initiate a connection, it shouldn't have seen packets in both
directions, should it? What am I missing?

Another question: (from the manpage):
...RELATED  meaning  that  the packet is starting a new connection,
but is associated with an existing connection, such
as an FTP data transfer, or an ICMP error...

How does iptables find out that a newly initiated connection is related
to another existing one? By process number, by vicinity in time, or
something else?

All the best
Mathias
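To make the two questions above concrete, here is a toy model of what the kernel does. It is an added example written for this archive page, not code from the thread and not netfilter source; every address, port and FTP line in it is constructed, and the class and function names are the editor's own. It follows netfilter's behaviour as far as I know it: the conntrack table is keyed by the 5-tuple of the packet that created an entry, and a packet arriving in the reverse direction of an existing entry is matched as ESTABLISHED, so the first reply to a connection you opened already passes `--state ESTABLISHED` even though it is the first packet in that direction. RELATED has nothing to do with process IDs or timing: a protocol helper such as ip_conntrack_ftp reads the control channel, sees the client's PORT line (active mode) or the server's 227 line (passive mode), and registers an "expectation" for the data connection they announce; the first packet that matches an expectation is RELATED. The quoted ruleset is applied on top of that, including the detail that a dropped packet never gets a confirmed conntrack entry.

```python
"""Toy model of netfilter connection tracking plus the ip_conntrack_ftp helper,
driven through the quoted INPUT/OUTPUT ruleset.  Editor's illustration, not
netfilter source; every address, port and FTP line below is constructed."""
import re
from typing import Dict, List, NamedTuple, Tuple

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""   # TCP only; the model leaves out the protocol field

Flow = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)

def flow_of(p: Packet) -> Flow:
    return (p.src, p.sport, p.dst, p.dport)

def reverse(f: Flow) -> Flow:
    return (f[2], f[3], f[0], f[1])

# client "PORT h1,h2,h3,h4,p1,p2" (active) / server "227 ... (h1,h2,h3,h4,p1,p2)" (passive)
_PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
_PASV_RE = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def _addr_port(m) -> Tuple[str, int]:
    n = [int(x) for x in m.groups()]
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

class ConnTracker:
    def __init__(self) -> None:
        self.conns: Dict[Flow, bool] = {}   # original-direction flow -> reply seen yet?
        # Expectations carry no source port: the helper cannot know it in advance.
        self.expected: Dict[Tuple[str, str, int], Flow] = {}

    def state_of(self, p: Packet) -> str:
        """What `-m state --state` tests; no side effects."""
        f = flow_of(p)
        if f in self.conns:  # original direction: NEW until the peer has answered once
            return "ESTABLISHED" if self.conns[f] else "NEW"
        if reverse(f) in self.conns:  # reply direction: the entry exists, so even the
            return "ESTABLISHED"      # very first packet back (the SYN-ACK) matches
        if (p.src, p.dst, p.dport) in self.expected:
            return "RELATED"          # a protocol helper predicted this connection
        return "NEW"

    def confirm(self, p: Packet) -> None:
        """Record the packet; netfilter confirms an entry only for accepted packets."""
        f = flow_of(p)
        if f in self.conns:
            orig = f
        elif reverse(f) in self.conns:
            orig = reverse(f)
            self.conns[orig] = True
        else:
            self.expected.pop((p.src, p.dst, p.dport), None)  # expectations are one-shot
            self.conns[f] = False
            orig = f
        self._ftp_helper(orig, p)

    def _ftp_helper(self, orig: Flow, p: Packet) -> None:
        """Toy ip_conntrack_ftp: parse the control channel (server port 21) for the
        address and port of the coming data connection and register an expectation."""
        client, _, server, dport = orig
        if dport != 21:
            return
        m = _PORT_RE.match(p.payload)
        if m and p.src == client:     # active mode: server connects back to the client
            addr, port = _addr_port(m)
            self.expected[(server, addr, port)] = orig
        m = _PASV_RE.match(p.payload)
        if m and p.src == server:     # passive mode: client connects out to the server
            addr, port = _addr_port(m)
            self.expected[(client, addr, port)] = orig

class Firewall:
    """The quoted ruleset: OUTPUT policy ACCEPT; INPUT policy DROP except packets
    not arriving on eth0 and packets in state ESTABLISHED or RELATED."""
    def __init__(self) -> None:
        self.ct = ConnTracker()

    def output(self, p: Packet) -> str:
        self.ct.confirm(p)   # every outgoing packet creates or updates an entry
        return "ACCEPT"

    def input(self, p: Packet, iface: str) -> Tuple[str, str]:
        state = self.ct.state_of(p)
        if iface != "eth0" or state in ("ESTABLISHED", "RELATED"):
            self.ct.confirm(p)
            return state, "ACCEPT"
        return state, "DROP"   # a dropped packet leaves no conntrack entry behind

ME, SERVER, STRANGER = "198.51.100.10", "203.0.113.5", "203.0.113.99"   # constructed

def demo() -> List[Tuple[str, str, str]]:
    """Replay a short FTP session; returns (label, state, verdict) per inbound packet."""
    fw, out = Firewall(), []
    def inp(label: str, p: Packet, iface: str = "eth0") -> None:
        out.append((label,) + fw.input(p, iface))
    fw.output(Packet(ME, 40001, SERVER, 21))                       # our SYN to the FTP server
    inp("syn-ack from ftp server", Packet(SERVER, 21, ME, 40001))
    inp("unsolicited syn to port 22", Packet(STRANGER, 5555, ME, 22))
    fw.output(Packet(ME, 40001, SERVER, 21, b"PORT 198,51,100,10,4,1\r\n"))  # 4*256+1 = 1025
    inp("active-mode data connection", Packet(SERVER, 20, ME, 1025))
    inp("same server, unexpected port", Packet(SERVER, 20, ME, 1026))
    inp("lan host on eth1", Packet("192.168.1.7", 3333, ME, 22), iface="eth1")
    return out
```

demo() walks the cases the questions are about: the SYN-ACK to a connection we opened is ESTABLISHED and accepted; an unsolicited SYN from the Internet is NEW and dropped; after our PORT command the server's data connection to port 1025 is RELATED and accepted, while the same server hitting a port no helper announced is NEW and dropped; anything not arriving on eth0 is accepted regardless of state. The model leaves out timeouts, the TCP state machine and NAT, which is also why the real helper has to be loaded explicitly: without ip_conntrack_ftp the active-mode data connection would be just another NEW packet from eth0 and the INPUT policy would drop it.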

