I seem to be having a problem with the command line or program. I'm using iptables v1.2.5. I'm trying to use stateful packet insepection on outgoing packets. For example, if I tried to create a rule for port 80 outbound, here is an *example* what I've been entering:

iptables -m state -A OUTPUT -j ACCEPT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 80 --state ESTABLISHED

My problem is, it doesn't seem to be opening the same ports for return traffic. I've tried not only ESTABLISHED, but NEW and RELATED, both seperate and in combinations, with the same result.

I have all the appropriate kernel modules configured and they are loading (e.g., ip_tables, ip_conntrack, ipt_state, etc.) It doesn't work for any port than I can find... DNS, HTTP, FTP .. nothing.

Can anyone give me an idea as to why this doesn't work?

Try:


/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
iptables -A INPUT -p tcp -m state --state ESTABLISHED -s 0/0 --sport 80 -d your_firewalls_ip --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -s 0/0 --sport 1024:65535 -d 0/0 --sport 80 -j ACCEPT
iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m state --state NEW -j ACCEPT

from manpage:

--state state
Where state is a comma separated list of the connection states to match. Possible states are INVALID meaning that the packet is associated with no known connection, ESTABLISHED meaning that the packet is associated with a connection which has seen packets in both directions, NEW meaning that the packet has started a new con*nection, or otherwise associated with a connection which has not seen packets in both directions, and RELATED meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error.


/raz