iptables
Nigel Wade
nmw at ion.le.ac.uk
Fri Sep 15 15:51:52 UTC 2006
John O'Loughlin wrote:
>
>> ESTABLISHED,RELATED allows packets which are part of an established
>> TCP connection i.e. the 3-way SYN-SYN/ACK-ACK has completed with no
>> subsequent RST. It also allows UDP packets from a source IP/port
>> which was a destination within the past 30s.
>
> The ESTABLISHED state doesn't just apply to packets in an established
> tcp connection though, it also allows packets which are part of the
> initial connection exchange, the syn-ack packet, otherwise you would
> also need rules to allow out these packets.
>
True, this is needed to allow the SYN-ACK back in. The initial outgoing SYN
requires an explicit OUTPUT ACCEPT somewhere in the chain.
You can see the ip_conntrack module working in /proc/net/ip_conntrack.
--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw at ion.le.ac.uk
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555
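An added example, not part of the thread above: a minimal stateful ruleset of the kind being discussed (ESTABLISHED,RELATED inbound, an explicit OUTPUT rule so the initial SYN can leave), plus a small reader for the /proc/net/ip_conntrack entries Nigel mentions. The conntrack lines are constructed samples in the classic ip_conntrack format; DRY_RUN=1 (the default) prints the iptables commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): stateful iptables rules and a
# /proc/net/ip_conntrack reader. DRY_RUN=1 prints commands instead of running them.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Default-deny policies; the state match does the rest.
stateful_rules() {
    run iptables -P INPUT DROP
    run iptables -P OUTPUT DROP
    run iptables -P FORWARD DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT
    # Replies to flows this host opened: the SYN-ACK and everything after it.
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets conntrack cannot place in any known flow.
    run iptables -A INPUT -m state --state INVALID -j DROP
    # Inbound service: only the first packet is NEW, the rest is ESTABLISHED.
    run iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # The initial outgoing SYN is NEW, so OUTPUT must accept it explicitly;
    # without this rule no outbound connection ever reaches ESTABLISHED.
    run iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Summarise one ip_conntrack line per input line: proto, timeout, TCP state
# ("-" for UDP, which has none), original src->dst, and [ASSURED] status.
conntrack_summary() {
    awk '{
        proto = $1; timeout = $3; state = ($1 == "tcp") ? $4 : "-"
        src = ""; dst = ""; assured = "unassured"
        for (i = 1; i <= NF; i++) {
            if (src == "" && $i ~ /^src=/) src = substr($i, 5)
            if (dst == "" && $i ~ /^dst=/) dst = substr($i, 5)
            if ($i == "[ASSURED]") assured = "assured"
        }
        print proto, timeout, state, src "->" dst, assured
    }'
}

# Constructed sample entries (RFC 5737 addresses), in the classic ip_conntrack layout.
CONNTRACK_SAMPLE='tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40000 dport=443 packets=12 bytes=1400 src=198.51.100.5 dst=192.0.2.10 sport=443 dport=40000 packets=11 bytes=9000 [ASSURED] mark=0 use=1
tcp      6 118 SYN_SENT src=192.0.2.10 dst=198.51.100.9 sport=40001 dport=80 packets=1 bytes=60 [UNREPLIED] src=198.51.100.9 dst=192.0.2.10 sport=80 dport=40001 packets=0 bytes=0 mark=0 use=1
udp      17 29 src=192.0.2.10 dst=192.0.2.1 sport=51000 dport=53 packets=1 bytes=70 [UNREPLIED] src=192.0.2.1 dst=192.0.2.10 sport=53 dport=51000 packets=0 bytes=0 mark=0 use=1'

stateful_rules
printf '%s\n' "$CONNTRACK_SAMPLE" | conntrack_summary
```

On a live host, `conntrack_summary < /proc/net/ip_conntrack` shows the same summary for the real table; the SYN_SENT entry is what you see between the outgoing SYN and the SYN-ACK that the ESTABLISHED rule lets back in.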