Re: ipchains question

To: Colin Watson <cjw44@flatline.org.uk>
Cc: debian-user@lists.debian.org
Subject: Re: ipchains question
From: Oswald Buddenhagen <ob6@inf.tu-dresden.de>
Date: Wed, 10 May 2000 11:15:42 +0200 (CEST)
Message-id: <[🔎] Pine.LNX.4.21.0005101108190.861-100000@ugly.wh8.tu-dresden.de>
In-reply-to: <[🔎] E12pHwL-0003jm-00@riva.ucam.org>

> The person who said that connections are bi-directional was correct, but
> not in saying that you need a complementary output rule for everything
that depends on the definition of "complementary rule". ;-)
eg, these rules belong together and can be called complementary:

#talk-server
-A input -s x.y.z.0/24 -d x.y.z.a 517:518 -p 17 -j ACCEPT
-A output -s x.y.z.a 517:518 -d x.y.z.0/24 -p 17 -j ACCEPT

or this more common outgoing connection rule:

#ssh-client
-A output -s x.y.z.a -d x.0.0.0/8 22:22 -p 6 -j ACCEPT
-A input -s x.0.0.0/8 22:22 -d x.y.z.a -p 6 -j ACCEPT ! -y

of course, you can generalize:

#tcp
-A output -s x.y.z.a 1024:65535 -p 6 -j ACCEPT
-A input -d x.y.z.a 1024:65535 -p 6 -j ACCEPT ! -y


regards

-- 
Hi! I'm a .signature virus! Copy me into your ~/.signature, please!
--
Linux - the last service pack you'll ever need.

Reply to:

References:
- Re: ipchains question
  - From: cjw44@flatline.org.uk (Colin Watson)

Prev by Date: Howto search and replace...
Next by Date: Re: bigots - was Emacs - was Mail/news software
Previous by thread: Re: ipchains question
Next by thread: Serial programming question
Index(es):
- Date
- Thread