Hi all,
That issue is over now. I found why my ESTABLISHED,RELATED rule at the top of the INPUT chain did not work for UDP and ICMP.
The reason was I had included the protocol as tcp, as below:
iptables -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
I removed -p tcp from the above rule. Now it works for all protocols.
Thanks for your support.
---------- Forwarded message ----------
From: Robert Spangler lazydog@zoominternet.net
Date: Feb 20, 2007 2:45 AM
Subject: Re: Fwd: [CentOS] HOW to enable traceroute with IPTABLES
To: Indunil Jayasooriya indunil75@gmail.com
On Mon February 19 2007 00:00, you wrote:
I have included ESTABLISHED,RELATED at the top of your INPUT chain as below:
#Allow established,related traffic to come back
#(for OUTPUT traffic to come back)
iptables -A INPUT -i eth0 -d 192.168.101.60 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
But without an INPUT statement it does not work. BUT for TCP OUTPUT traffic, that will be applicable. But other than TCP (i.e. UDP and ICMP) I will have to include an INPUT statement.
I have no INPUT statements for any traffic that is started from my box. You will only need INPUT statements for traffic that originates from the internet that you want to connect to your box.
A few OUTPUT rules that need INPUT statements are given below (not TCP).
#UDP
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
You don't need INPUT statements for DNS unless you are expecting someone to connect to your box from the outside. ESTABLISHED,RELATED should take care of this for you.
#ICMP (for ping www.google.com)
iptables -A OUTPUT -p icmp -d 64.233.189.104 -j ACCEPT
iptables -A INPUT -p icmp -s 64.233.189.104 -j ACCEPT
OK, there are many different kinds of ICMP traffic. To view what is available, try this:
iptables -p icmp -h
With the above INPUT statement you are allowing all types of ICMP packets into your system.
And this is for TCP (it does not need an INPUT statement; it works fine)
iptables -A OUTPUT -p tcp -o eth0 --dport 22 -j ACCEPT
That is because the reply from the system you are SSH'ing to is already considered an ESTABLISHED,RELATED connection, which is handled by your ESTABLISHED,RELATED rule.
Pls explain, why?
I hope that might have cleared up some confusion you were/are having.
--
Regards Robert
Smile... it increases your face value!
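The mistake resolved at the top of this thread (a -p tcp match on the ESTABLISHED,RELATED rule, so UDP and ICMP replies never hit it) is easy to catch in an iptables-save dump. The following is an added example, not code from the thread or from CentOS: an audit function that flags protocol-pinned stateful ACCEPT rules and a second function that rewrites them the way the fix did. The ruleset it runs against is constructed for the example and the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit an iptables-save style dump for ESTABLISHED,RELATED
# ACCEPT rules that are pinned to a single protocol with -p/--protocol.
# Such a rule only lets TCP replies back in; UDP (DNS) and ICMP (ping,
# traceroute) replies fall through to the later rules or the chain policy.

# Constructed sample ruleset (not a real host). The first INPUT rule repeats
# the mistake from the thread.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
COMMIT'

# Print every stateful ACCEPT rule (-m state --state or -m conntrack --ctstate)
# that also carries -p/--protocol. Exit 0 if any were found, 1 otherwise.
find_protocol_pinned_state_rules() {
    printf '%s\n' "$1" | awk '
        /^-A / && /--(ct)?state / && /ESTABLISHED/ && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++)
                if ($i == "-p" || $i == "--protocol") { print; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# Emit the dump with the protocol match dropped from those rules, which is
# exactly the fix applied in the thread (remove -p tcp, keep everything else).
fix_protocol_pinned_state_rules() {
    printf '%s\n' "$1" | awk '
        /^-A / && /--(ct)?state / && /ESTABLISHED/ && /-j ACCEPT/ {
            out = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p" || $i == "--protocol") { i++; continue }
                out = out (out == "" ? "" : " ") $i
            }
            print out; next
        }
        { print }'
}

# When run directly: report offending rules, then show the corrected dump.
if find_protocol_pinned_state_rules "$SAMPLE_RULES"; then
    echo "--- corrected ruleset ---"
    fix_protocol_pinned_state_rules "$SAMPLE_RULES"
fi
```

On a live box the same functions can be fed the output of iptables-save instead of the constructed sample; the audit is read-only and the rewrite only prints, it does not load anything.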