Re: Doubts with iptables (or ipchains)

From: Pierre Asselin (pa@panix.com)
Date: 04/22/03

Kasper Dupont <kasperd@daimi.au.dk> wrote:
> Carlos Moreno wrote:
>>
>> How do I state a rule that distinguishes packets
>> requesting a connection to port 80 (or 25, or
>> whatever) of the gateway box (to drop those) from
>> packets that are simply coming as a reply to a
>> communication on port 80?

> You can do that with iptables, you cannot do that
> with ipchains.

Since this is for TCP, ipchains can do it by looking at the SYN flag.
An ipchains rule with "-p tcp ! -y -j ACCEPT" will accept replies
but not connection attempts.

That said, I agree that iptables is better.
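As an added illustration (not part of the thread and not anyone's posted code), the Python below models the flag test behind the ipchains rule above on constructed TCP headers: `-y` matches a segment only when SYN is set and ACK and FIN are clear, so `! -y` matches replies and established traffic. The deny rule for the gateway's own ports and the default policy are assumptions about how the rest of the chain would be written.

```python
import struct

# TCP flag bits in byte 13 of the header (RFC 793 layout).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_segment(sport: int, dport: int, flags: int) -> bytes:
    """Construct a minimal 20-byte TCP header (sample input, not a capture)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def is_syn_only(segment: bytes) -> bool:
    """The ipchains '-y' test: SYN set, ACK and FIN clear, i.e. a new
    connection request.  iptables' '--syn' uses the same definition."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    flags = segment[13]
    return bool(flags & SYN) and not flags & (ACK | FIN)


def ipchains_verdict(segment: bytes, protected_ports=(80, 25)) -> str:
    """Model of an input chain built around the rule from the post (assumed layout):
        ipchains -A input -p tcp ! -y -j ACCEPT           # replies, established traffic
        ipchains -A input -p tcp -d 0.0.0.0/0 80 -j DENY  # new connections to the gateway
    Anything that falls off the end gets the chain's default policy, assumed ACCEPT here.
    """
    dport = struct.unpack("!H", segment[2:4])[0]
    if not is_syn_only(segment):
        return "ACCEPT"      # rule 1: not a connection request, let it through
    if dport in protected_ports:
        return "DENY"        # rule 2: connection request to a protected port
    return "ACCEPT"          # default policy (assumed)


# Constructed samples: a new request to the gateway's port 80, the SYN/ACK a
# remote web server sends back to a client behind the gateway, and a data ACK.
new_request = build_segment(40000, 80, SYN)
reply_synack = build_segment(80, 40001, SYN | ACK)
data_ack = build_segment(80, 40001, ACK | PSH)

if __name__ == "__main__":
    for name, seg in [("new_request", new_request),
                      ("reply_synack", reply_synack), ("data_ack", data_ack)]:
        dport = struct.unpack("!H", seg[2:4])[0]
        print(f"{name:13s} dport={dport:<5d} -> {ipchains_verdict(seg)}")
```

The flag test is stateless and TCP-only; iptables' `-m state --state ESTABLISHED,RELATED` tracks the connection itself and also covers UDP and ICMP replies, which is one reason the thread prefers it.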
