Indunil Jayasooriya
2007-Feb-20 03:30 UTC
Fwd: Fwd: [CentOS] HOW to enable traceroute with IPTABLES (SOLVED)
Hi all,

That issue is over now. I found why my ESTABLISHED,RELATED rule at the top of the INPUT chain did not work for udp and icmp. The reason was that I had included the protocol as tcp, as below:

iptables -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

I removed -p tcp from the above rule. Now it works for all protocols.

Thanks for your support.

---------- Forwarded message ----------
From: Robert Spangler <lazydog at zoominternet.net>
Date: Feb 20, 2007 2:45 AM
Subject: Re: Fwd: [CentOS] HOW to enable traceroute with IPTABLES
To: Indunil Jayasooriya <indunil75 at gmail.com>

On Mon February 19 2007 00:00, you wrote:

> I have included ESTABLISHED,RELATED at the top of your INPUT chain as
> below
>
> #Allow established,related traffic to come back
> #(for OUTPUT traffic to come back)
> iptables -A INPUT -i eth0 -d 192.168.101.60 -p tcp -m state --state
> ESTABLISHED,RELATED -j ACCEPT
>
> But without an INPUT statement it does not work. BUT for TCP OUTPUT
> traffic, that will be applicable. But other than tcp (i.e. UDP and ICMP)
> I will have to include an INPUT statement.

I have no INPUT statements for any traffic that is started from my box. You will only need INPUT statements for traffic that originates from the internet that you want to connect to your box.

> A few OUTPUT rules that I need an INPUT statement for are given below. (not TCP)
>
> #UDP
> iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
> iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

You don't need INPUT statements for DNS unless you are expecting someone to connect to your box from the outside. ESTABLISHED,RELATED should take care of this for you.

> #ICMP (for ping www.google.com)
>
> iptables -A OUTPUT -p icmp -d 64.233.189.104 -j ACCEPT
> iptables -A INPUT -p icmp -s 64.233.189.104 -j ACCEPT

OK, here there are many different kinds of ICMP traffic. To view what is available try this:

iptables -p icmp -h

With the above INPUT statement you are allowing all types of ICMP packets into your system.

> And this is for TCP (it does not need an INPUT statement; it works fine)
>
> iptables -A OUTPUT -p tcp -o eth0 --dport 22 -j ACCEPT

That is because the reply from the system you are SSH'ing to is already considered an ESTABLISHED,RELATED connection, which is handled by your ESTABLISHED,RELATED rule.

> Pls explain, why?

I hope that might have cleared up some confusion you were/are having.

--
Regards
Robert

Smile... it increases your face value!

--
Thank you
Indunil Jayasooriya
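Added example, not from the thread or from any CentOS documentation: a script that generates the corrected stateful policy discussed above (state rule without a protocol restriction, so conntrack handles the UDP and ICMP replies to the box's own OUTPUT traffic) and an audit function that reads iptables-save output and flags any ESTABLISHED/RELATED rule that is still scoped to one protocol with -p. It goes slightly beyond the thread by also dropping INVALID state and limiting outbound ICMP to echo-request, which Robert's remark about "all types of ICMP packets" points at. Assumptions: the interface is eth0 (override with IFACE), the loopback accept rule, and the constructed iptables-save excerpt used as sample input. Rules are emitted as text so they can be reviewed before being applied with build_policy | sh as root.

```shell
#!/bin/sh
# Added example: corrected stateful policy plus an audit for the "-p tcp on the
# state rule" mistake. Assumes interface eth0 unless IFACE is set.

IFACE="${IFACE:-eth0}"

# Emit the policy as iptables commands (review first, then: build_policy | sh).
build_policy() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# No "-p tcp" on this rule: conntrack tracks UDP and ICMP too, so DNS answers
# and ping echo-replies for our own OUTPUT traffic are accepted here.
iptables -A INPUT -i $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $IFACE -m state --state INVALID -j DROP
iptables -A OUTPUT -o $IFACE -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o $IFACE -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 22 -j ACCEPT
EOF
}

# Audit: read iptables-save output on stdin (e.g. iptables-save | find_scoped_state_rules)
# and print every ESTABLISHED/RELATED rule that is also restricted with -p.
# Such a rule silently leaves UDP and ICMP replies to the chain's default policy.
find_scoped_state_rules() {
    grep -E -- '--(ct)?state [A-Z,]*(ESTABLISHED|RELATED)' \
        | grep -E -- ' -p (tcp|udp|icmp|[0-9]+)( |$)'
}

# Constructed iptables-save excerpt: the first state rule has the bug from the
# thread, the second is the corrected form, the third is a plain DNS rule.
SAMPLE_RULES='-A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -i eth0 --sport 53 -j ACCEPT'

# Number of offending rules in the sample (expected: 1).
count_scoped_state_rules() {
    printf '%s\n' "$SAMPLE_RULES" | find_scoped_state_rules | grep -c .
}

# Stand-alone run: show the policy, then the audit result for the sample.
build_policy
echo "scoped state rules in sample: $(count_scoped_state_rules)"
```

To check a live box, run `iptables-save | find_scoped_state_rules` after sourcing the script; any line it prints is a state rule that only covers one protocol.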