[Openswan Users] Re: Netfilter/conntrack
Trevor Hennion
trevor-os at thennion.demon.co.uk
Fri Jan 21 22:00:12 CET 2005
On Friday 21 January 2005 20:07, Jason Sigurdur wrote:
> My external interface is eth0, how are 'new' ipESP connections going
> through the Established related rule?
>
>
> iptables -A IN_ETHX -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A IN_ETHX -i ! eth0 -m state --state NEW -j ACCEPT
> iptables -A IN_ETHX -p udp -i eth0 --dport 500 -j ACCEPT
>
> iptables -A IN_ETHX -p 51 -i eth0 -j ACCEPT
> iptables -A IN_ETHX -p 50 -i eth0 -j ACCEPT
> iptables -A IN_ETHX -m limit --limit 1/s -j LOG \
> --log-level info --log-prefix "DROPPED_IN_ETHX: "
> iptables -A IN_ETHX -j DROP
>
> Thx jason
>
Jason,
Does your third line:
iptables -A IN_ETHX -p udp -i eth0 --dport 500 -j ACCEPT
not override the following rules for protocols 50 and 51? Are they not both
UDP protocols which are already accepted by your third line?
Regards
Trevor Hennion
http://www.Infocentrality.co.uk
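As an added example (not code from either poster), the following Python models first-match traversal of the IN_ETHX chain quoted above, to show which rule a new ESP, AH or IKE packet arriving on eth0 actually hits. The IANA protocol numbers (17 = UDP, 50 = ESP, 51 = AH) and the single `state` field standing in for conntrack's verdict are assumptions of the model.

```python
# Model of the IN_ETHX chain from the thread, in the order it was posted.
# Constructed example: rules are dicts of match criteria, packets are dicts
# of fields. "proto" is the IANA protocol number; a missing key matches all.
IN_ETHX = [
    {"state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
    {"in_iface_not": "eth0", "state": {"NEW"}, "target": "ACCEPT"},
    {"proto": 17, "in_iface": "eth0", "dport": 500, "target": "ACCEPT"},  # IKE
    {"proto": 51, "in_iface": "eth0", "target": "ACCEPT"},              # AH
    {"proto": 50, "in_iface": "eth0", "target": "ACCEPT"},              # ESP
    {"target": "LOG"},   # -m limit / --log-prefix omitted; LOG is non-terminating
    {"target": "DROP"},
]


def rule_matches(rule, pkt):
    """True if every criterion present in the rule matches the packet."""
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    if "in_iface" in rule and pkt["in_iface"] != rule["in_iface"]:
        return False
    if "in_iface_not" in rule and pkt["in_iface"] == rule["in_iface_not"]:
        return False
    if "proto" in rule and pkt["proto"] != rule["proto"]:
        return False
    # --dport only exists for UDP/TCP; ESP and AH packets carry no port,
    # so a rule with a dport can never match them.
    if "dport" in rule and pkt.get("dport") != rule["dport"]:
        return False
    return True


def first_match(chain, pkt):
    """Return (rule index, target) of the first terminating rule that matches."""
    for i, rule in enumerate(chain):
        if rule_matches(rule, pkt):
            if rule["target"] == "LOG":
                continue  # LOG fires but traversal continues to the next rule
            return i, rule["target"]
    return None, "POLICY"  # fell off the end: chain policy decides


if __name__ == "__main__":
    # A new ESP SA from the internet: not ESTABLISHED, not udp/500, so it
    # passes only because of the explicit -p 50 rule (index 4).
    new_esp = {"in_iface": "eth0", "proto": 50, "state": "NEW"}
    new_ike = {"in_iface": "eth0", "proto": 17, "dport": 500, "state": "NEW"}
    new_ssh = {"in_iface": "eth0", "proto": 6, "dport": 22, "state": "NEW"}
    for name, pkt in [("ESP", new_esp), ("IKE", new_ike), ("SSH", new_ssh)]:
        print(name, "->", first_match(IN_ETHX, pkt))
```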