Will --state NEW,ESTABLISHED,RELATED match everything?
Anthony Liu
anthony@nexus-online.com
Wed, 18 Jul 2001 02:00:14 +0800
On Tue, Jul 17, 2001 at 09:11:08AM +0100, Nigel Morse wrote:
> > there is another state: INVALID ( meaning that the packet is
> > associated
> > with no known connection )
> > so any packets iptables deems as being INVALID will at this
> > point continue
> > along the chain.
>
> Which of course does beg the question of what becomes INVALID rather than
> NEW, as I believe that if a connection is dropped from the table for some
> reason, the next packet will be a NEW packet even if it only has the "ack"
> bit set (in tcp)
>
> The only case I've heard of so far for INVALID is if the connection table is
> full and nothing can be dropped - what else matches as INVALID??
First, thanks Ian and Soames for the answer.
As I understand it, logically INVALID rules out NEW/ESTABLISHED/RELATED.
Then, a packet deemed INVALID is:
1) not starting a new connection;
2) not an answer packet nor part of an on-going connection;
3) all of the above.
Here is another question for ICQ and IRC (file transfer) forwarding to
a masq box: according to the definition of RELATED, forwarding a packet
with --state ESTABLISHED,RELATED to masq box is all it needs to make
incoming ICQ file transfer to work, you don't even need to specify the
state NEW, right? For example:
iptables -A FORWARD -p tcp -i ppp0 --dport 20001:20020 \
-m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -i ppp0 --dport 20001:20020 \
-j DNAT --to 192.168.1.2
--
Linux 2.4.4fw #3 Thu Jun 21 21:29:13 CST 2001 i586 unknown
00:50:01 up 14 days, 45 min, 2 users, load average: 1.00, 1.03, 1.04
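The two questions in this thread (what ends up INVALID rather than NEW, and whether ESTABLISHED,RELATED alone lets a forwarded DCC transfer through) come down to how the connection tracker assigns states. The following is an added toy model written for this thread, not netfilter code and not from any of the posters; it simplifies heavily. The host names, ports and packet sequences are constructed. Two behaviours it models are real Linux ones: a lone ACK with no table entry is picked up as NEW when mid-stream pickup is on (the nf_conntrack_tcp_loose sysctl, default 1) and is INVALID when it is off; and a connection is RELATED only because a helper such as the IRC DCC helper registered an "expectation" for the negotiated port after parsing the control channel. Without that helper the incoming transfer's first SYN is plain NEW, so a FORWARD rule that accepts only ESTABLISHED,RELATED will not pass it.

```python
"""Toy connection-tracking state model (added illustration, not netfilter code).

Simplifications: TCP only, no timeouts, no sequence-number checks, and the
DNAT step is skipped (the DCC packet is shown already addressed to the LAN host).
"""
from dataclasses import dataclass

NEW, ESTABLISHED, RELATED, INVALID = "NEW", "ESTABLISHED", "RELATED", "INVALID"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # e.g. frozenset({"SYN"}), frozenset({"ACK"})


class ConnTracker:
    def __init__(self, loose=True):
        self.loose = loose        # models nf_conntrack_tcp_loose (default 1 = pick up mid-stream)
        self.table = {}           # flow key -> {"orig": (ip, port), "reply_seen": bool, "related": bool}
        self.expectations = set() # (dst, dport) pairs a helper told us to expect

    @staticmethod
    def _key(p):
        # direction-independent key so replies map onto the original flow
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def expect(self, dst, dport):
        """What an application helper does after reading e.g. 'DCC SEND' on the
        control channel: register the data port so that connection is RELATED."""
        self.expectations.add((dst, dport))

    def _add(self, p, related):
        self.table[self._key(p)] = {"orig": (p.src, p.sport), "reply_seen": False, "related": related}

    def classify(self, p):
        entry = self.table.get(self._key(p))
        if entry is not None:
            if (p.src, p.sport) != entry["orig"]:
                entry["reply_seen"] = True      # both directions seen from now on
            if entry["reply_seen"]:
                return ESTABLISHED
            return RELATED if entry["related"] else NEW
        if (p.dst, p.dport) in self.expectations:
            self.expectations.discard((p.dst, p.dport))
            self._add(p, related=True)
            return RELATED
        if p.flags == frozenset({"SYN"}):
            self._add(p, related=False)
            return NEW
        if self.loose and p.flags == frozenset({"ACK"}):
            # mid-stream pickup: an ACK for a flow we have never seen becomes NEW
            self._add(p, related=False)
            return NEW
        return INVALID             # SYN/ACK, FIN, RST etc. with no known flow


# Constructed sample topology: LAN host behind the masq box and a remote peer.
LAN, PEER = "192.168.1.2", "203.0.113.7"
FORWARD_RULE_STATES = {ESTABLISHED, RELATED}   # the --state list in the rule above


def dcc_scenario(with_helper):
    """Control connection out to IRC, then the peer's DCC SYN into port 20001."""
    t = ConnTracker()
    states = [
        t.classify(Packet(LAN, 50000, PEER, 6667, frozenset({"SYN"}))),
        t.classify(Packet(PEER, 6667, LAN, 50000, frozenset({"SYN", "ACK"}))),
    ]
    if with_helper:
        t.expect(LAN, 20001)   # IRC helper saw the DCC offer for port 20001
    states.append(t.classify(Packet(PEER, 41234, LAN, 20001, frozenset({"SYN"}))))
    return states


def forwarded(states):
    """Which packets the ESTABLISHED,RELATED-only FORWARD rule would accept."""
    return [s in FORWARD_RULE_STATES for s in states]


def midstream_ack(loose):
    """Lone ACK for a flow whose entry is gone (e.g. aged out of the table)."""
    return ConnTracker(loose=loose).classify(Packet(PEER, 41234, LAN, 20001, frozenset({"ACK"})))


def stray_synack():
    """A SYN/ACK that answers no tracked SYN fits no known or expected flow."""
    return ConnTracker().classify(Packet(PEER, 6667, LAN, 50000, frozenset({"SYN", "ACK"})))


if __name__ == "__main__":
    for helper in (True, False):
        s = dcc_scenario(helper)
        print("helper" if helper else "no helper", s, "forwarded:", forwarded(s))
    print("lone ACK, loose on :", midstream_ack(True))
    print("lone ACK, loose off:", midstream_ack(False))
    print("stray SYN/ACK      :", stray_synack())
```

The `forwarded` result for the no-helper run is the practical answer to the forwarding question: the control channel's reply is accepted but the transfer's SYN is not, so that rule set needs either the helper loaded or an explicit NEW match on the forwarded port range. From a hardening point of view the model also shows why a rule dropping INVALID before the ESTABLISHED,RELATED accept is cheap: those packets belong to no flow the tracker can vouch for.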