On Thu, Sep 20, 2001 at 05:05:11AM +0200, Mathias Palm wrote:
> ...
> > I use the connection-tracking support, so I can drop everything except
> > traffic related to a connection I opened. This is what I use (NAT stuff
> > omitted):
> >
> > iptables -t filter -P FORWARD ACCEPT
> > iptables -t filter -P INPUT DROP
> > iptables -t filter -P OUTPUT ACCEPT
> >
> > modprobe ip_conntrack
> > modprobe ip_conntrack_ftp
> >
> > iptables -A INPUT -i ! eth0 -j ACCEPT   # accept everything except from
> >                                         # the big bad Internet
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> Sorry, I don't get that. The manpage says:
>
>   ...ESTABLISHED meaning that the
>   packet is associated with a connection which has
>   seen packets in both directions...
>        ^^^^
> But if I initiate a connection, it shouldn't have seen packets in both
> directions, should it? What am I missing?
Hmm, maybe the docs are wrong. --state ESTABLISHED,RELATED is the magic
incantation recommended by the packet-filtering HOWTO.
(file://localhost/usr/share/doc/iptables/html/packet-filtering-HOWTO-5.html)
All I know for sure is that it works.

> Another question (from the manpage):
>
>   ...RELATED meaning that the packet is starting a new connection,
>   but is associated with an existing connection, such
>   as an FTP data transfer, or an ICMP error...
>
> How does iptables find out that a newly initiated connection is related
> to another existing one? By process number, by vicinity in time or
> something other?

It finds out by looking at the traffic in the connection. The ip_conntrack_ftp
module has code that understands the FTP protocol, so it can see when an FTP
command which will use a new port is sent. I hope they have some kind of
optimization, like only looking at port 21 traffic, to avoid the overhead of
trying to parse every TCP stream as FTP commands, but I don't know.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack my day
 so wretchedly into small pieces!" -- Plautus, 200 BCE
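A worked model of what `-m state` actually consults, added here as an editor's example; it is not code from the mail above and not the netfilter implementation, only a small re-implementation of the same state machine. Two points it makes concrete: in connection tracking the reply packet of a flow is itself the "second direction", so the SYN/ACK coming back for a connection you opened already matches ESTABLISHED (the outbound SYN left through the OUTPUT chain, whose policy is ACCEPT); and the FTP helper is only run on flows whose server side is port 21 (the real ip_conntrack_ftp module takes a `ports` parameter to change that), where it parses `PORT` and `227` to register an expectation that turns the next data connection into RELATED. The addresses 10.0.0.5 (firewall), 203.0.113.7 (FTP server), 198.51.100.9 and 192.168.1.10, and the whole packet trace, are constructed for the example.

```python
"""Toy model of ip_conntrack + ip_conntrack_ftp and the INPUT chain from the mail.

Added example, not the original mail's code and not the kernel's. A flow table
keyed on the 5-tuple decides NEW/ESTABLISHED/RELATED; an FTP helper attached
only to port-21 flows registers expectations for data connections.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface: Optional[str]      # interface it arrived on; None = locally generated (OUTPUT path)
    payload: str = ""


PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


class ConnTracker:
    FTP_PORT = 21  # helper only inspects flows whose server port is 21 (assumed default)

    def __init__(self):
        self.flows = {}            # original-direction 4-tuple -> {"reply_seen", "expected"}
        self.expectations = set()  # (src_ip, dst_ip, dst_port) a helper predicted

    def classify(self, pkt):
        """Return the conntrack state of pkt (NEW/ESTABLISHED/RELATED), updating tables."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rkey = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows:                       # original direction of a known flow
            f = self.flows[key]
            state = "ESTABLISHED" if f["reply_seen"] else ("RELATED" if f["expected"] else "NEW")
            is_reply = False
        elif rkey in self.flows:                    # reply direction: both directions now seen
            self.flows[rkey]["reply_seen"] = True
            state = "ESTABLISHED"
            is_reply = True
        else:                                       # first packet of a brand-new flow
            exp = (pkt.src, pkt.dst, pkt.dport)
            expected = exp in self.expectations
            self.expectations.discard(exp)          # an expectation is consumed once
            self.flows[key] = {"reply_seen": False, "expected": expected}
            state = "RELATED" if expected else "NEW"
            is_reply = False
        self._ftp_helper(pkt, is_reply)
        return state

    def _ftp_helper(self, pkt, is_reply):
        """Parse the FTP control channel and register the data connection it announces."""
        server_port = pkt.sport if is_reply else pkt.dport
        if server_port != self.FTP_PORT or not pkt.payload:
            return                                  # not an FTP control flow: never parsed
        m = (PASV_RE if is_reply else PORT_RE).match(pkt.payload)
        if not m:
            return
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        # PORT: the server (pkt.dst) will connect to the client's announced address/port.
        # 227:  the client (pkt.dst) will connect to the server's announced address/port.
        self.expectations.add((pkt.dst, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))


def input_chain(pkt, state, internet_iface="eth0"):
    """INPUT chain from the mail: accept anything not from eth0, then
    ESTABLISHED/RELATED; the DROP policy takes the rest."""
    if pkt.iface != internet_iface:
        return "ACCEPT"
    if state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    return "DROP"


def run_demo():
    """Constructed trace: host 10.0.0.5 behind the firewall talks FTP to 203.0.113.7."""
    client, server, stranger = "10.0.0.5", "203.0.113.7", "198.51.100.9"
    ct = ConnTracker()
    trace = [
        ("client SYN to ftp control",       Packet(client, 40000, server, 21, None)),
        ("server SYN/ACK back",             Packet(server, 21, client, 40000, "eth0")),
        ("client sends PORT (active mode)", Packet(client, 40000, server, 21, None,
                                                   "PORT 10,0,0,5,156,65\r\n")),   # 156*256+65 = 40001
        ("server opens data conn from 20",  Packet(server, 20, client, 40001, "eth0")),
        ("server answers PASV with 227",    Packet(server, 21, client, 40000, "eth0",
                                                   "227 Entering Passive Mode (203,0,113,7,200,10)\r\n")),
        ("client opens passive data conn",  Packet(client, 40002, server, 51210, None)),
        ("stranger probes ssh from net",    Packet(stranger, 5555, client, 22, "eth0")),
        ("LAN host probes ssh via eth1",    Packet("192.168.1.10", 3333, client, 22, "eth1")),
    ]
    results = []
    for label, pkt in trace:
        state = ct.classify(pkt)
        # Locally generated packets traverse OUTPUT, whose policy in the mail is ACCEPT.
        verdict = "ACCEPT" if pkt.iface is None else input_chain(pkt, state)
        results.append((label, state, verdict))
    return results


if __name__ == "__main__":
    for label, state, verdict in run_demo():
        print(f"{label:34} {state:12} {verdict}")
```

The two data connections are the interesting rows: the server's active-mode connection from port 20 arrives on eth0 as the first packet of a flow nobody opened from inside, yet it is RELATED rather than NEW because the helper saw the `PORT` command on the control channel; the stranger's SSH probe is the same kind of first packet with no expectation behind it and falls through to the DROP policy.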