nat and dns

Jason Opperisano opie at
Fri Sep 24 00:16:05 CEST 2004

On Thu, 2004-09-23 at 18:02, Dimitar Katerinski wrote:
> Sorry, a little bit off topic, but I always go red about such kind of crappy rules:
> > Use DNAT target.  In short what you need to do is:
> > 
> >    iptables -A FORWARD -m state --state NEW -j ACCEPT
> Do you know what you just did? You've just allowed any kind of
> connections, protocols to any port and from/to any destination. Cute,
> isn't it? Remember, --state NEW has never ever meant, and I doubt
> it'll ever mean, that this is a tcp connection with only SYN bit set. It
> could be everything, ACK,URG,PSH etc. So guess what, you just opened a wide
> hole in your so called "firewall" machine. You better use --tcp-flags or
> --syn alias for such purposes. --state NEW can be used for redundant
> firewalling for example, but for me it has no use.

if you're going to go on a tirade about the problem with that rule, at
least point out the actual problem:  it doesn't specify the inbound
interface and/or source network(s):

  iptables -A FORWARD -i $INTERNAL_IF -m state --state NEW -j ACCEPT

modifying it to use "-p tcp --syn" still allows all TCP traffic through
the FORWARD chain in both directions.


Jason Opperisano <opie at>
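To make the two points in this exchange concrete, here is an added example (not from either poster) that models, in Python, how the FORWARD chain evaluates the three rule variants: the original "--state NEW" rule, the "-p tcp --syn" rewrite, and the rule with an inbound interface. It assumes eth0 is the external interface and eth1 plays the role of $INTERNAL_IF, and it models conntrack's default loose TCP pickup, under which any packet without an existing entry is classified NEW whatever its flags.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass
class Packet:
    in_if: str                 # interface the packet arrived on
    proto: str                 # "tcp" or "udp"
    flags: FrozenSet[str]      # TCP flags that are set
    known_flow: bool           # does conntrack already track this flow?

@dataclass
class Rule:
    in_if: Optional[str] = None   # -i
    proto: Optional[str] = None   # -p
    syn_only: bool = False        # --syn: SYN set, ACK and RST clear
    state_new: bool = False       # -m state --state NEW
    target: str = "ACCEPT"

def ct_state(p: Packet) -> str:
    # With the default loose pickup, conntrack calls any packet it has no
    # entry for NEW, regardless of TCP flags (Dimitar's point).
    return "ESTABLISHED" if p.known_flow else "NEW"

def matches(r: Rule, p: Packet) -> bool:
    if r.in_if is not None and p.in_if != r.in_if:
        return False
    if r.proto is not None and p.proto != r.proto:
        return False
    if r.syn_only and (p.proto != "tcp" or "SYN" not in p.flags
                       or p.flags & {"ACK", "RST"}):
        return False
    if r.state_new and ct_state(p) != "NEW":
        return False
    return True

def forward_verdict(chain: List[Rule], p: Packet, policy: str = "DROP") -> str:
    # First matching rule decides; otherwise the chain policy applies.
    for r in chain:
        if matches(r, p):
            return r.target
    return policy

# The three rule variants from the thread (eth1 stands in for $INTERNAL_IF).
ORIGINAL = [Rule(state_new=True)]
SYN_ONLY = [Rule(proto="tcp", syn_only=True)]
WITH_IFACE = [Rule(in_if="eth1", state_new=True)]

# Constructed sample packets, none belonging to a tracked flow.
OUTSIDE_ACK = Packet("eth0", "tcp", frozenset({"ACK"}), known_flow=False)
OUTSIDE_UDP = Packet("eth0", "udp", frozenset(), known_flow=False)
OUTSIDE_SYN = Packet("eth0", "tcp", frozenset({"SYN"}), known_flow=False)
INSIDE_SYN = Packet("eth1", "tcp", frozenset({"SYN"}), known_flow=False)
```

Running the verdicts shows the original rule accepting the untracked ACK and the UDP packet from eth0, the --syn rewrite still accepting a fresh SYN from eth0 (Jason's point), and only the interface-qualified rule limiting acceptance to packets arriving on eth1.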
