[ale] iptables issue

Jason Lunz lunz at falooley.org
Mon Jul 17 16:09:57 EDT 2006


jknapka at kneuro.net said:
>>>> I have an issue wrt iptables.  I use iptables to allow/deny access to a 
>>>> website.  The tables are intended to allow all in to port 80 at address 
>>>> WW.XX.YY.ZZ, and all replies back out from port 80 on same address.
>>>>
>>>> The command line used to create the rules is this:
>>>>
>>>> iptables -A INPUT -p tcp -d WW.XX.YY.ZZ --dport http
>>>>       -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
>>>> iptables -A OUTPUT -p tcp -s WW.XX.YY.ZZ --sport http
>>>>       -m state --state RELATED,ESTABLISHED -j ACCEPT
>> 
>> 
>> the second rule is superfluous. It's implied by the ESTABLISHED in the
>> first rule.
>
> But you now seem to be saying something different?

You're right, it was incorrect to say the second rule was superfluous.
I was assuming the presence of an "allow-established" rule in both
directions, which is typical for stateful firewalls.

The stateless parts on OUTPUT *are* unneeded - you can remove all
matches from that second rule except "-m state --state
RELATED,ESTABLISHED" and accomplish pretty much the same thing. My point
was mainly that he probably doesn't want to mix the two styles of
firewalling; it's an indication there may be some confusion.

Jason
