From: Jarry
Date: Tue, 21 Feb 2006 18:12:35 +0100
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] iptables: --state/--syn
Message-ID: <43FB4A03.6000000@gmx.net>

Hi,

I'm trying to configure some basic iptables rules, and came across the "state" module. Could someone please explain to me what the main difference is between using the "--state ESTABLISHED" and "! --syn" options in iptables?

I thought I would define rules for incoming ssh connections as:

    iptables -A INPUT -p tcp --sport 1024:65535 -d $MY_IP --dport 22 -j ACCEPT
    iptables -A OUTPUT -p tcp -s $MY_IP --sport 22 --dport 1024:65535 ! --syn -j ACCEPT

If I substitute the second rule with:

    iptables -A OUTPUT -p tcp -s $MY_IP --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

would it be the same? Or should I combine --state ESTABLISHED with ! --syn?

Jarry
--
gentoo-user@gentoo.org mailing list
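
As an added illustration that is not part of the original message, the following Python model replays a constructed packet trace against the two OUTPUT rules from the question. The addresses, the `Conntrack` class and its simplified state logic are assumptions made for this example, not netfilter's actual implementation.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport flags")
MY_IP, CLIENT, OTHER = "192.0.2.10", "198.51.100.7", "203.0.113.9"  # constructed

def is_syn(p):
    # --syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN
    return set(p.flags) & {"SYN", "RST", "ACK", "FIN"} == {"SYN"}

class Conntrack:
    """Simplified model: ESTABLISHED once traffic was seen in both directions."""
    def __init__(self):
        self.flows = {}  # original-direction 4-tuple -> True once a reply was seen

    def state(self, p):
        fwd, rev = (p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)
        if rev in self.flows:      # reply to a tracked flow
            self.flows[rev] = True
            return "ESTABLISHED"
        if fwd in self.flows:
            return "ESTABLISHED" if self.flows[fwd] else "NEW"
        if is_syn(p):              # in this model only a SYN opens a flow
            self.flows[fwd] = False
            return "NEW"
        return "INVALID"           # real conntrack may say NEW here, never ESTABLISHED

def from_ssh_port(p):
    # -p tcp -s $MY_IP --sport 22 --dport 1024:65535 (common part of both OUTPUT rules)
    return p.src == MY_IP and p.sport == 22 and 1024 <= p.dport <= 65535

def compare():
    """Return (dst, flags, accepted by '! --syn', accepted by '--state ESTABLISHED')."""
    trace = [  # constructed packets, in arrival order
        Pkt(CLIENT, 40000, MY_IP, 22, ("SYN",)),        # client opens ssh
        Pkt(MY_IP, 22, CLIENT, 40000, ("SYN", "ACK")),  # server reply
        Pkt(MY_IP, 22, CLIENT, 40000, ("ACK",)),        # data on that connection
        Pkt(MY_IP, 22, OTHER, 40000, ("ACK",)),         # no such connection exists
        Pkt(MY_IP, 22, OTHER, 40001, ("SYN",)),         # new outbound connection
    ]
    ct, rows = Conntrack(), []
    for p in trace:
        state = ct.state(p)        # conntrack sees every packet, both directions
        if p.src == MY_IP:         # only locally sent packets traverse OUTPUT
            rows.append((p.dst, p.flags, from_ssh_port(p) and not is_syn(p),
                         from_ssh_port(p) and state == "ESTABLISHED"))
    return rows

if __name__ == "__main__":
    for row in compare():
        print(row)
```

In this model the two rules differ only on the fourth packet: a bare ACK from port 22 that belongs to no tracked connection passes the stateless `! --syn` test but is not ESTABLISHED.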