On Wed, 5 Sep 2007, Brendan Minish wrote:
> recompiling. Problem is that a rule like the following is not valid with
> such an old kernel
>> # ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Ick ick ick.
For TCP, just filter out the SYN and let the TCP state engines in the hosts
do the rest (those state engines are the only ones that can actually do
it correctly!):
- Add a bunch of rules to accept whatever ports you want to
  allow through, e.g.:

    iptables -A whatever -p tcp --syn --dport X:Y -j ACCEPT

- Allow in all TCP without SYN:

    iptables -A whatever -p tcp ! --syn -j ACCEPT

- Deny remaining TCP:

    iptables -A whatever -p tcp -j REJECT

- Allow through ICMP:

    ip6tables -A whatever -p ipv6-icmp -j ACCEPT

- UDP unfortunately is difficult. You could just let through a small
  set of UDP ports and drop everything else, but a lot of DNS
  resolvers won't do TCP. So unfortunately, you need the state
  module (though for UDP it just acts as a timer):

    iptables -A whatever -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
regards,
--
Paul Jakma    paul at clubi.ie    paul at jakma.org    Key ID: 64A2FF6A
Fortune:
SCSI Chain overterminated
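The stateless ruleset sketched in the message above, as an added example (not from the original thread). It assumes ip6tables with the state module available for the single UDP rule; the chain name, the port lists "22 80:443" and "53", and the IP6T dry-run variable are constructed for the demonstration.

```shell
#!/bin/sh
# Stateless-where-possible IPv6 input filter, in the style of the message above.
# IP6T defaults to "echo ip6tables" (dry run: prints the rules); run with
# IP6T=ip6tables as root to apply them. The port lists below are constructed examples.
IP6T="${IP6T:-echo ip6tables}"

# stateless_rules CHAIN "TCP_PORTS" "UDP_PORTS"
# Emits the rules in the order the message gives; order matters because the
# first matching rule wins.
stateless_rules() {
    chain="$1"; tcp_ports="$2"; udp_ports="$3"
    # 1. New TCP connections (SYN set, ACK clear) only to the allowed ports.
    for p in $tcp_ports; do
        $IP6T -A "$chain" -p tcp --syn --dport "$p" -j ACCEPT
    done
    # 2. Any non-SYN TCP segment: let the host's own TCP stack judge it.
    $IP6T -A "$chain" -p tcp ! --syn -j ACCEPT
    # 3. Remaining TCP is SYNs to ports we did not open: reject them.
    $IP6T -A "$chain" -p tcp -j REJECT
    # 4. ICMPv6 carries neighbour discovery and PMTU info; IPv6 breaks without it.
    $IP6T -A "$chain" -p ipv6-icmp -j ACCEPT
    # 5. UDP: the few services offered, then the state module (acting only as
    #    a timer) for replies to our own queries, e.g. from DNS resolvers.
    for p in $udp_ports; do
        $IP6T -A "$chain" -p udp --dport "$p" -j ACCEPT
    done
    $IP6T -A "$chain" -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IP6T -A "$chain" -p udp -j DROP
}

# Dry-run demonstration when executed directly: prints the eight rules.
stateless_rules INPUT "22 80:443" "53"
```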