On 2/19/07, Alvin Chang <alvin.chang at gmail.com> wrote:
>
> On 19/02/07, Indunil Jayasooriya <indunil75 at gmail.com> wrote:
> > WHY?
>
> STOP USING CAPITALS, IT'S CONSIDERED SHOUTING!

Instead of CAPITALS, I used simple letters as below.

iptables -A INPUT -i eth0 -d 192.168.101.60 -p tcp -m state --state established,related -j ACCEPT

But I can not use -A INPUT as -a input, then it does not work.

Anyway, I would like to get more help as to this.

I want to know that does "-m state --state established,related -j ACCEPT" work for all tcp, udp and icmp protocols? Or only for tcp. (For tcp, it works.)

I am testing below rule. It is udp.

iptables -A OUTPUT -p udp -o eth0 --dport 53 -m state --state NEW -j ACCEPT

When I have below rule for the above, it works. If I remove it, it will not. WHY?

iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

Pls note that I have already added below rule

iptables -A INPUT -i eth0 -d 192.168.101.60 -p tcp -m state --state established,related -j ACCEPT

> Before you ask anything about IPtables, print out the results from
> iptables -L. It could very well be that the order of your rules are
> MESSED UP!

pls see below

[root at firebox rc.d]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source                 destination
ACCEPT     tcp  --  anywhere               firebox.itabspl.com    state RELATED,ESTABLISHED
ACCEPT     all  --  localhost.localdomain  localhost.localdomain
ACCEPT     tcp  --  anywhere               firebox.itabspl.com    tcp dpt:ssh
ACCEPT     tcp  --  anywhere               192.168.102.253        tcp dpt:ssh
ACCEPT     icmp --  firebox.itabspl.com    anywhere
ACCEPT     icmp --  192.168.102.0/24       192.168.102.253
ACCEPT     icmp --  66.94.234.13           anywhere
ACCEPT     icmp --  64.233.189.104         anywhere
ACCEPT     icmp --  203.143.4.1            anywhere
ACCEPT     udp  --  anywhere               anywhere               udp spts:traceroute:33523
ACCEPT     icmp --  anywhere               anywhere               icmp echo-reply
ACCEPT     icmp --  anywhere               anywhere               icmp echo-request
ACCEPT     icmp --  anywhere               anywhere               icmp destination-unreachable
ACCEPT     icmp --  anywhere               anywhere               icmp time-exceeded
ACCEPT     icmp --  anywhere               anywhere               icmp type 30

Chain FORWARD (policy DROP)
target     prot opt source                 destination
ACCEPT     tcp  --  anywhere               anywhere               state RELATED,ESTABLISHED
ACCEPT     udp  --  192.168.102.0/24       anywhere               udp dpt:domain
ACCEPT     udp  --  anywhere               192.168.102.0/24       udp spt:domain
ACCEPT     udp  --  192.168.100.3          anywhere               udp dpt:domain
ACCEPT     udp  --  anywhere               192.168.100.3          udp spt:domain
ACCEPT     tcp  --  192.168.102.25         anywhere               multiport dports ssh,smtp,domain,http,https,pop3,imap
ACCEPT     tcp  --  192.168.102.0/24       anywhere               multiport dports http,https
ACCEPT     tcp  --  192.168.100.3          anywhere               multiport dports smtp,http,https
ACCEPT     icmp --  192.168.102.25         64.233.189.104
ACCEPT     icmp --  64.233.189.104         192.168.102.25

Chain OUTPUT (policy DROP)
target     prot opt source                 destination
ACCEPT     all  --  localhost.localdomain  localhost.localdomain
ACCEPT     tcp  --  firebox.itabspl.com    anywhere               tcp dpt:ssh
ACCEPT     udp  --  firebox.itabspl.com    anywhere               udp dpt:domain state NEW
ACCEPT     tcp  --  firebox.itabspl.com    anywhere               tcp dpt:domain
ACCEPT     tcp  --  firebox.itabspl.com    anywhere               tcp spt:ssh
ACCEPT     tcp  --  192.168.100.253        anywhere               tcp spt:ssh
ACCEPT     tcp  --  192.168.102.253        anywhere               tcp spt:ssh
ACCEPT     icmp --  anywhere               firebox.itabspl.com
ACCEPT     icmp --  192.168.102.253        192.168.102.0/24
ACCEPT     icmp --  anywhere               66.94.234.13
ACCEPT     icmp --  anywhere               64.233.189.104
ACCEPT     udp  --  anywhere               anywhere               udp dpts:traceroute:33523
ACCEPT     icmp --  anywhere               anywhere               icmp echo-reply
ACCEPT     icmp --  anywhere               anywhere               icmp echo-request
ACCEPT     icmp --  anywhere               anywhere               icmp destination-unreachable
ACCEPT     icmp --  anywhere               anywhere               icmp source-quench
ACCEPT     icmp --  anywhere               anywhere               icmp parameter-problem
ACCEPT     icmp --  anywhere               anywhere               icmp time-exceeded
ACCEPT     icmp --  anywhere               anywhere               icmp type 30
ACCEPT     icmp --  anywhere               203.143.4.1

> --
> Alvin Chang Yu-Ming
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

-- 
Thank you
Indunil Jayasooriya
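
The stateful INPUT rule in the message is limited by -p tcp, while the state match itself also tracks UDP and ICMP when no protocol is given, which is why the DNS replies need the extra --sport 53 rule. The following check is an added example, not part of the original message: it parses the two rules from the post and reports protocols that are allowed out as NEW but have no stateful INPUT rule for their replies. The function names are hypothetical, and interface and address matches are ignored as a simplifying assumption.

```python
import shlex

# Rules copied from the post; state names are normalised to upper case.
RULES = """
iptables -A INPUT -i eth0 -d 192.168.101.60 -p tcp -m state --state established,related -j ACCEPT
iptables -A OUTPUT -p udp -o eth0 --dport 53 -m state --state NEW -j ACCEPT
"""

def parse_rule(line):
    """Extract chain, protocol ('all' when -p is absent), states and target."""
    tok = shlex.split(line)
    rule = {"chain": None, "proto": "all", "states": set(), "target": None}
    opts = {"-A": "chain", "-p": "proto", "-j": "target"}
    for i, t in enumerate(tok[:-1]):
        if t in opts:
            rule[opts[t]] = tok[i + 1]
        elif t == "--state":
            rule["states"] = set(tok[i + 1].upper().split(","))
    return rule

def unanswered_protocols(ruleset):
    """Protocols let out as NEW whose replies no stateful INPUT rule accepts."""
    rules = [parse_rule(l) for l in ruleset.strip().splitlines() if l.strip()]
    accepts = [r for r in rules if r["target"] == "ACCEPT"]
    out_new = {r["proto"] for r in accepts
               if r["chain"] == "OUTPUT" and "NEW" in r["states"]}
    in_est = {r["proto"] for r in accepts
              if r["chain"] == "INPUT" and "ESTABLISHED" in r["states"]}
    if "all" in in_est:          # a rule without -p covers tcp, udp and icmp
        return set()
    return out_new - in_est

if __name__ == "__main__":
    print("as posted:", unanswered_protocols(RULES))
    # Same INPUT rule with the protocol restriction removed.
    print("without -p tcp:", unanswered_protocols(RULES.replace("-p tcp ", "")))
```

Only rules that use the state match are considered, so the stateless --sport 53 workaround from the post would not count as covering UDP here.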