<br><br><div><span class="gmail_quote">On 2/19/07, <b class="gmail_sendername">Alvin Chang</b> <<a href="mailto:alvin.chang@gmail.com">alvin.chang@gmail.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
On 19/02/07, Indunil Jayasooriya <<a href="mailto:indunil75@gmail.com">indunil75@gmail.com</a>> wrote:<br>> WHY?<br>STOP USING CAPITALS, IT'S CONSIDERED SHOUTING!</blockquote><div><br>Instead of CAPITALS, I used simple letters as below.
<br><br><br>iptables -A INPUT -i eth0 -d 192.168.101.60 -p tcp -m state --state established,related -j ACCEPT<br><br>But I cannot use -A INPUT as -a input; then it does not work.<br>
<br>Anyway, I would like to get more help on this.<br><br><br>I want to know whether "-m state --state established,related -j ACCEPT" works for all tcp, udp and icmp protocols, or only for tcp. (For tcp, it works.)
<br><br>I am testing the rule below. It is udp.<br>iptables -A OUTPUT -p udp -o eth0 --dport 53 -m state --state NEW -j ACCEPT<br>When I have the rule below for the above, it works. If I remove it, it does not. WHY?<br>iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
<br><br><span style="font-weight: bold;">Please note that I have already added the rule below</span><br>iptables -A INPUT -i eth0 -d 192.168.101.60 -p tcp -m state --state established,related -j ACCEPT
<br><br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Before you ask anything about IPtables, print out the results from<br>iptables -L. It could very well be that the order of your rules is<br>MESSED UP!</blockquote><div><br>Please see below<br><br><pre>
[root@firebox rc.d]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             firebox.itabspl.com  state RELATED,ESTABLISHED
ACCEPT     all  --  localhost.localdomain localhost.localdomain
ACCEPT     tcp  --  anywhere             firebox.itabspl.com  tcp dpt:ssh
ACCEPT     tcp  --  anywhere             192.168.102.253      tcp dpt:ssh
ACCEPT     icmp --  firebox.itabspl.com  anywhere
ACCEPT     icmp --  192.168.102.0/24     192.168.102.253
ACCEPT     icmp --  66.94.234.13         anywhere
ACCEPT     icmp --  64.233.189.104       anywhere
ACCEPT     icmp --  203.143.4.1          anywhere
ACCEPT     udp  --  anywhere             anywhere             udp spts:traceroute:33523
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp type 30

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     udp  --  192.168.102.0/24     anywhere             udp dpt:domain
ACCEPT     udp  --  anywhere             192.168.102.0/24     udp spt:domain
ACCEPT     udp  --  192.168.100.3        anywhere             udp dpt:domain
ACCEPT     udp  --  anywhere             192.168.100.3        udp spt:domain
ACCEPT     tcp  --  192.168.102.25       anywhere             multiport dports ssh,smtp,domain,http,https,pop3,imap
ACCEPT     tcp  --  192.168.102.0/24     anywhere             multiport dports http,https
ACCEPT     tcp  --  192.168.100.3        anywhere             multiport dports smtp,http,https
ACCEPT     icmp --  192.168.102.25       64.233.189.104
ACCEPT     icmp --  64.233.189.104       192.168.102.25

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  localhost.localdomain localhost.localdomain
ACCEPT     tcp  --  firebox.itabspl.com  anywhere             tcp dpt:ssh
ACCEPT     udp  --  firebox.itabspl.com  anywhere             udp dpt:domain state NEW
ACCEPT     tcp  --  firebox.itabspl.com  anywhere             tcp dpt:domain
ACCEPT     tcp  --  firebox.itabspl.com  anywhere             tcp spt:ssh
ACCEPT     tcp  --  192.168.100.253      anywhere             tcp spt:ssh
ACCEPT     tcp  --  192.168.102.253      anywhere             tcp spt:ssh
ACCEPT     icmp --  anywhere             firebox.itabspl.com
ACCEPT     icmp --  192.168.102.253      192.168.102.0/24
ACCEPT     icmp --  anywhere             66.94.234.13
ACCEPT     icmp --  anywhere             64.233.189.104
ACCEPT     udp  --  anywhere             anywhere             udp dpts:traceroute:33523
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp type 30
ACCEPT     icmp --  anywhere             203.143.4.1
</pre><br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
--<br>Alvin Chang Yu-Ming<br>_______________________________________________<br>CentOS mailing list<br><a href="mailto:CentOS@centos.org">CentOS@centos.org</a><br><a href="http://lists.centos.org/mailman/listinfo/centos">
http://lists.centos.org/mailman/listinfo/centos</a><br></blockquote></div><br><br clear="all"><br>-- <br>Thank you<br>Indunil Jayasooriya<br>
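As an added check (not part of the thread or of any CentOS tooling), the Python script below parses an `iptables -L` listing like the one in the mail and reports, for each chain with a DROP policy, which conntrack-tracked protocols have no ESTABLISHED/RELATED accept rule; the embedded sample listing is a constructed, trimmed copy of that output, and the script assumes only the stock `iptables -L` column layout. The state match itself is protocol-independent, so the `-p tcp` in the INPUT rule is what limits it to TCP replies, which is why the separate UDP `--sport 53` rule is needed for DNS answers.

```python
import re
# Constructed sample: a trimmed copy of the `iptables -L` listing in the mail.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             firebox.itabspl.com  state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             udp spts:traceroute:33523
Chain FORWARD (policy DROP)
ACCEPT     tcp  --  anywhere             anywhere             state RELATED,ESTABLISHED
Chain OUTPUT (policy DROP)
ACCEPT     udp  --  firebox.itabspl.com  anywhere             udp dpt:domain state NEW
"""
CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")
STATE_RE = re.compile(r"\bstate ([A-Z,]+)")
TRACKED = {"tcp", "udp", "icmp"}  # protocols the conntrack state match covers

def parse_listing(text):
    """Return {chain: {"policy": str, "rules": [(target, proto, states)]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        parts = line.split()
        if current is None or len(parts) < 2 or parts[0] == "target":
            continue  # blank line or column header
        states = {s for grp in STATE_RE.findall(line) for s in grp.split(",")}
        chains[current]["rules"].append((parts[0], parts[1], states))
    return chains

def reply_protocols_covered(chain):
    """Protocols whose ESTABLISHED/RELATED replies some ACCEPT rule admits.
    proto `all` covers every tracked protocol; `-p tcp` admits TCP replies only."""
    covered = set()
    for target, proto, states in chain["rules"]:
        if target == "ACCEPT" and states & {"ESTABLISHED", "RELATED"}:
            covered |= TRACKED if proto == "all" else {proto}
    return covered

def audit(text):
    """Per DROP-policy chain: tracked protocols whose replies need per-port rules."""
    findings = {}
    for name, chain in parse_listing(text).items():
        missing = TRACKED - reply_protocols_covered(chain)
        if chain["policy"] == "DROP" and missing:
            findings[name] = sorted(missing)
    return findings
```

Running `audit(SAMPLE_LISTING)` flags udp and icmp as uncovered in INPUT and FORWARD; rewriting the state rule without `-p tcp` (proto `all`) makes the finding disappear.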