iptables: accepting SYN --> connection ESTABLISHED
William Park
opengeometry-FFYn/CNdgSA at public.gmane.org
Wed Oct 8 22:21:32 UTC 2003
On Wed, Oct 08, 2003 at 04:21:18PM -0400, Robert Brockway wrote:
> On Wed, 8 Oct 2003, William Park wrote:
>
> > If I accept TCP initiation by accepting packet with SYN bit, ie.
> > iptables ... --syn -j ACCEPT
> > does that mean that the connection is now considered established?
> >
> > This would mean that I can match subsequent packets with something like
> > iptables ... --state ESTABLISHED -j ACCEPT
> > right?
>
> If you use ip_conntrack the state is taken care of for you (and you can
> use the "--state" line above).
'ipt_state' is the top level module for the state stuff, and 'modprobe'
takes care of the dependencies.
> I would avoid accepting an arbitrary packet with the TCP SYN bit set.
Yes, I only do this for port 25. I first accept the SYN packet, but drop
all subsequent packets. But, I also allow ESTABLISHED connections in
general. So, having accepted the SYN packet, the SMTP connection is now
established. Hence, every mail comes through. :-(
That was my confusion.
--
William Park, Open Geometry Consulting, <opengeometry-FFYn/CNdgSA at public.gmane.org>
Linux solution for data management and processing.
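The behaviour described in this message, as an added example that is not code from the thread or from the iptables/netfilter project: a small model of ip_conntrack's NEW/ESTABLISHED states and first-match rule evaluation, run over a constructed SMTP connection attempt. It plays the same handshake against three INPUT rule orders: the one the poster describes (SYN accepted, then a blanket ESTABLISHED rule, then a port-25 DROP), the same rules with the port-25 DROP moved ahead of the ESTABLISHED rule, and a ruleset that never accepts the SYN. The rule order in the poster's set, the port numbers, and the simplified tracker (a flow is keyed by the two ports; a non-SYN packet with no tracked flow is INVALID, whereas real conntrack can pick a connection up mid-stream) are assumptions of this example.

```python
"""Model of ip_conntrack states and iptables rule ordering (added example,
not code from the thread).  Shows why accepting a SYN and then accepting
ESTABLISHED "in general" lets the whole SMTP session through.

Assumptions/simplifications: flows are keyed by (client port, server port),
only NEW / ESTABLISHED / INVALID are modelled, and a non-SYN packet with no
tracked flow is INVALID (real conntrack may pick it up mid-stream).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    chain: str            # "INPUT" (client -> us) or "OUTPUT" (our reply)
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


class Conntrack:
    """A flow becomes ESTABLISHED once a reply has been seen (and accepted)."""

    def __init__(self):
        self.flows = {}   # (client_port, server_port) -> reply_seen

    def key(self, pkt):
        # Original direction is INPUT; OUTPUT packets are the reply direction.
        return (pkt.sport, pkt.dport) if pkt.chain == "INPUT" else (pkt.dport, pkt.sport)

    def state(self, pkt):
        k = self.key(pkt)
        if k not in self.flows:
            # Only a bare SYN in the original direction can open a flow.
            return "NEW" if (pkt.chain == "INPUT" and pkt.syn and not pkt.ack) else "INVALID"
        if pkt.chain == "OUTPUT" or self.flows[k]:
            # Reply packets, and originals once a reply was seen, are ESTABLISHED.
            return "ESTABLISHED"
        return "NEW"

    def confirm(self, pkt):
        # Conntrack only commits an entry when the packet is accepted.
        k = self.key(pkt)
        self.flows.setdefault(k, False)
        if pkt.chain == "OUTPUT":
            self.flows[k] = True


def matches(rule, pkt, state):
    """First-match semantics of one iptables rule (keys mirror the options)."""
    if rule.get("chain", pkt.chain) != pkt.chain:
        return False
    if "dport" in rule and rule["dport"] != pkt.dport:      # --dport N
        return False
    if rule.get("syn") and not (pkt.syn and not pkt.ack):   # --syn
        return False
    if "state" in rule and state not in rule["state"]:      # -m state --state
        return False
    return True


def verdict(rules, ct, pkt, policy):
    state = ct.state(pkt)
    for rule in rules:
        if matches(rule, pkt, state):
            result = rule["target"]
            break
    else:
        result = policy[pkt.chain]   # chain policy when nothing matched
    if result == "ACCEPT" and state != "INVALID":
        ct.confirm(pkt)
    return state, result


def run_smtp_session(rules, policy=None):
    """Play a constructed SMTP connection attempt; returns (packet, state, verdict) rows."""
    policy = policy or {"INPUT": "DROP", "OUTPUT": "ACCEPT"}
    ct, log = Conntrack(), []
    client, smtp = 40123, 25                       # constructed port numbers
    st, v = verdict(rules, ct, Packet("INPUT", client, smtp, syn=True), policy)
    log.append(("client SYN", st, v))
    if v != "ACCEPT":
        return log                                 # no SYN/ACK, so nothing follows
    for desc, pkt in [
        ("server SYN/ACK", Packet("OUTPUT", smtp, client, syn=True, ack=True)),
        ("client ACK", Packet("INPUT", client, smtp, ack=True)),
        ("client MAIL FROM data", Packet("INPUT", client, smtp, ack=True)),
    ]:
        st, v = verdict(rules, ct, pkt, policy)
        log.append((desc, st, v))
    return log


# As described in the thread (rule order assumed):
#   iptables -A INPUT -p tcp --dport 25 --syn -j ACCEPT
#   iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
#   iptables -A INPUT -p tcp --dport 25 -j DROP
THREAD_RULES = [
    {"chain": "INPUT", "dport": 25, "syn": True, "target": "ACCEPT"},
    {"chain": "INPUT", "state": {"ESTABLISHED"}, "target": "ACCEPT"},
    {"chain": "INPUT", "dport": 25, "target": "DROP"},
]

# Same rules, port-25 DROP moved ahead of the blanket ESTABLISHED rule.
REORDERED_RULES = [THREAD_RULES[0], THREAD_RULES[2], THREAD_RULES[1]]

# Never accept the SYN; open NEW flows only on ports meant to be served (22 assumed).
FIXED_RULES = [
    {"chain": "INPUT", "state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
    {"chain": "INPUT", "dport": 22, "state": {"NEW"}, "target": "ACCEPT"},
]

if __name__ == "__main__":
    for name, rules in [("thread", THREAD_RULES), ("reordered", REORDERED_RULES), ("fixed", FIXED_RULES)]:
        print(name, run_smtp_session(rules))
```

The second run is the one to compare with the message: the client's ACK is already ESTABLISHED from conntrack's point of view because the SYN was accepted and the SYN/ACK went out, so the only thing that stops the session is a port-25 DROP placed ahead of the ESTABLISHED rule; the third run shows that not accepting the SYN at all means no ESTABLISHED state ever arises.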
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml