iptables

Nigel Wade nmw at ion.le.ac.uk
Fri Sep 15 15:03:58 UTC 2006


Patrick Derwael wrote:
> It looks like I need to rephrase my needs:
> 
> I have a segment with 9 IPs (x.y.z.211-219).
> There may be no connection restriction between all those machines (all
> ports authorized)
> 
> x.y.z.219 must be able to send packets to the Net, and of course the
> returning packets must be allowed to reach the sender (219) back. I can't
> see the use in sending packets out if the sender can't get the answer
> back...
> With the current setup, the returning packets are dropped
> 
> Question : how can I setup iptables in order to accept the returning
> packets if the connection has been started by x.y.z.219 (not if the
> connection is attempted from outside the authorized range) ?
> 
> To put it differently, if I'm logged on the x.y.z.219, I must be able to
> surf to any website without entering the website's IP in iptables
> beforehand.
> 
> I hope this is clearer!!
> 
> On Fri, September 15, 2006 4:14 pm, Chiu, PCM \(Peter\) said:
> 
>>Patrick,

You need to add ESTABLISHED,RELATED rules to allow responses to connections 
originating on the machine in question.

iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT

ESTABLISHED,RELATED allows packets which are part of an established TCP 
connection, i.e. the 3-way SYN-SYN/ACK-ACK has completed with no subsequent RST. 
It also allows UDP packets from a source IP/port which was a destination 
within the past 30s.


-- 
Nigel Wade, System Administrator, Space Plasma Physics Group,
             University of Leicester, Leicester, LE1 7RH, UK
E-mail :    nmw at ion.le.ac.uk
Phone :     +44 (0)116 2523548, Fax : +44 (0)116 2523555
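A complete INPUT policy for the scenario in the question, built around the ESTABLISHED,RELATED rule given above, as an added example that is not part of the original thread. The 192.0.2.x addresses stand in for the unspecified x.y.z prefix, and the iprange match and the rate-limited LOG rule are assumptions added here, not something the thread shows.

```shell
#!/bin/sh
# Added example, not from the original thread. Host firewall for x.y.z.219 as
# described in the question: unrestricted traffic from the local segment
# x.y.z.211-219, any outbound connection, and inbound only for replies.
# 192.0.2 (RFC 5737 documentation range) is a placeholder for x.y.z.
SEGMENT_START="${SEGMENT_START:-192.0.2.211}"
SEGMENT_END="${SEGMENT_END:-192.0.2.219}"

# Emit the rules in order; order matters because iptables stops at the first
# matching rule in the chain.
build_rules() {
    # Start from a clean INPUT chain and drop anything not explicitly allowed.
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    # Loopback carries local service traffic and must never be filtered.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections this host opened (the rule from the reply above).
    # ESTABLISHED matches return traffic of tracked TCP/UDP/ICMP flows; RELATED
    # matches packets tied to an existing flow, e.g. ICMP errors or FTP data.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Everything from the local segment, all ports (iprange match assumed).
    echo "iptables -A INPUT -m iprange --src-range ${SEGMENT_START}-${SEGMENT_END} -j ACCEPT"
    # Log what the DROP policy is about to discard so mistakes are visible.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'INPUT-DROP: '"
    # OUTPUT stays ACCEPT: new connections from 219 go out, and their replies
    # match the ESTABLISHED,RELATED rule on the way back in.
    echo "iptables -P OUTPUT ACCEPT"
}

# 1-based position of the first rule matching a pattern; lets a reader (or a
# test) confirm that the state rule is evaluated before the segment rule.
rule_index() {
    build_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 applies them (needs root).
apply_rules() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        build_rules
    else
        build_rules | sh -e
    fi
}

apply_rules
```

Run it once with the default dry run and read the output before applying it with DRY_RUN=0, preferably from a console rather than over SSH.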
