iptables
Nigel Wade
nmw at ion.le.ac.uk
Fri Sep 15 15:03:58 UTC 2006
Patrick Derwael wrote:
> It looks like I need to rephrase my needs:
>
> I have a segment with 9 IPs (x.y.z.211-219).
> There may be no connection restriction between all those machines (all
> ports authorized)
>
> x.y.z.219 must be able to send packets to the Net, and of course the
> returning packets must be allowed to reach the sender (219) back. I can't
> see the use of sending packets out if the sender can't get the answer
> back...
> With the current setup, the returning packets are dropped
>
> Question : how can I set up iptables in order to accept the returning
> packets if the connection has been started by x.y.z.219 (not if the
> connection is attempted from outside the authorized range) ?
>
> To put it differently, if I'm logged on the x.y.z.219, I must be able to
> surf to any website without entering the website's IP in iptables
> beforehand.
>
> I hope this is clearer !!
>
> On Fri, September 15, 2006 4:14 pm, Chiu, PCM \(Peter\) said:
>
>>Patrick,
You need to add ESTABLISHED,RELATED rules to allow responses to connections
originating on the machine in question.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ESTABLISHED,RELATED allows packets which are part of an established TCP
connection i.e. the 3-way SYN-SYN/ACK-ACK has completed with no subsequent RST.
It also allows UDP packets from a source IP/port which was a destination
within the past 30s.
--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw at ion.le.ac.uk
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555
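A toy model of the rule ordering the reply describes, added here as an example (not code from the thread or from netfilter itself): a host filter with a minimal connection-tracking table, run once without and once with the state rule in front of the default DROP. The addresses x.y.z.211-219 are the thread's placeholders; 203.0.113.10 is a constructed web server address.

```python
from dataclasses import dataclass

# The segment from the thread (placeholder addresses) and the host that needs egress.
SEGMENT = {f"x.y.z.{i}" for i in range(211, 220)}
EGRESS_HOST = "x.y.z.219"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = leaving the host (OUTPUT), "in" = arriving (INPUT)

class StatefulFilter:
    """Simplified stand-in for iptables with -m state; not netfilter's real logic."""

    def __init__(self, use_state_match: bool):
        self.use_state_match = use_state_match
        self.conntrack = set()  # (src, sport, dst, dport) of flows the host opened

    def state(self, pkt: Packet) -> str:
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ESTABLISHED" if forward in self.conntrack or reverse in self.conntrack else "NEW"

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # OUTPUT is unrestricted; conntrack records the flow so replies can match.
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        # INPUT chain, evaluated in order:
        # 1. -m state --state ESTABLISHED,RELATED -j ACCEPT  (the rule from the reply)
        if self.use_state_match and self.state(pkt) == "ESTABLISHED":
            return "ACCEPT"
        # 2. -s <segment> -j ACCEPT  (no restriction between the nine machines)
        if pkt.src in SEGMENT:
            return "ACCEPT"
        # 3. default policy DROP: unsolicited traffic from outside never gets in
        return "DROP"

def run_scenario(use_state_match: bool) -> dict:
    fw = StatefulFilter(use_state_match)
    verdicts = {}
    # A peer on the segment connects to the host: always allowed by rule 2.
    verdicts["lan_peer"] = fw.filter(Packet("x.y.z.212", 40000, EGRESS_HOST, 22, "in"))
    # The host opens a web connection, then the server's reply comes back.
    fw.filter(Packet(EGRESS_HOST, 50123, "203.0.113.10", 80, "out"))
    verdicts["web_reply"] = fw.filter(Packet("203.0.113.10", 80, EGRESS_HOST, 50123, "in"))
    # The same outside address tries to open a new connection to the host.
    verdicts["unsolicited"] = fw.filter(Packet("203.0.113.10", 80, EGRESS_HOST, 22, "in"))
    return verdicts
```

Without the state rule the web reply falls through to DROP, which is exactly the symptom in the question; with it the reply is accepted while the unsolicited connection attempt from the same outside address is still dropped.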