Re: iptables woes on woody, not accepting inbound connections

To: debian-user@lists.debian.org
Subject: Re: iptables woes on woody, not accepting inbound connections
From: Richard Downer <rd-debian@frontiertown.co.uk>
Date: Wed, 23 Jul 2003 09:24:28 +0100
Message-id: <[🔎] pan.2003.07.23.08.24.28.343414@frontiertown.co.uk>
References: <[🔎] 1058914608.748.2.camel@stimpy>

Hi Mark,

On Tue, 22 Jul 2003 23:56:48 +0100, Mark C wrote:

> I can do outbound nslookup requests no problem, but it now fails to
> allow inbound connections at all, to either port 80 or port 22.

At a quick look I think the problem is here.....

> /sbin/iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 -m
> state --state NEW -j ACCEPT
> /sbin/iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 -m
> state --state NEW -j ACCEPT

These rules will allow incoming connections to ports 22 and 80, BUT the
--state rule limits this to only new connections.  Once the connection is
established, this rule is ignored.  So your external clients can connect
to the server, but cannot send any actual data to it!

I think you need an additional rule which looks like this:

iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

(I haven't tried any of this out btw; it's just some educated guesswork
after looking at your firewall rules.)

-- 
rd.

Reply to:

References:
- iptables woes on woody, not accepting inbound connections
  - From: Mark C <lists@funkypenguin.net>

Prev by Date: xterm colour codes
Next by Date: Re: Postfix
Previous by thread: Re: iptables woes on woody, not accepting inbound connections
Next by thread: php4 and apache
Index(es):
- Date
- Thread