On Tuesday 05 July 2005 14:00, Daniel Pittman wrote:
> /sbin/iptables -t filter -A in_world_http_s1 -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
> /sbin/iptables -t filter -A out_world_http_s1 -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
Note that if you don't allow RELATED packets for _all_ connections, you
will have to explicitly allow at least fragmentation-needed icmp packets.
Otherwise you will get problems with PMTU discovery which will lead to
other obscure problems. Allowing some other icmp packets is probably a
good idea as well (e.g. all destination-unreachable packets).