# iptable explanation (SOLVED)

## JC99

Hello everyone,

Can someone explain to me what this iptable rule does...

*Quote:*

> iptables -A INPUT -p udp -m udp --dport 1024:65535 --sport 6277 -j ACCEPT

...the DCC SpamAssassin docs say I need to use it but I was just wondering exactly what it does?

*Last edited by JC99 on Mon Jan 25, 2010 7:32 pm; edited 1 time in total*

----------

## ashtophet

As the wiki article you pointed to implies, it just allows (`-j ACCEPT`) incoming (`-A INPUT`) UDP traffic from the DCC port (`-p udp --sport 6277`) to the local machine (`--dport 1024:65535`).

`man iptables`

http://www.yourwebexperts.com/viewforum.php?f=35

----------

## cach0rr0

*EvilEye wrote:*

> Hello everyone,
>
> Can someone explain to me what this iptable rule does...
>
> `iptables -A INPUT -p udp -m udp --dport 1024:65535 --sport 6277 -j ACCEPT`
> ...

In general, when a client connects to a server, the client opens a random high-numbered source port and connects to a fixed port on the server; this rule is put into place so that the reply from the DCC servers, which will be sent from port 6277 to 1024-65535 (or whichever random port your client opens), will be accepted.

The traffic looks something like this:

```
eth0:12345 ===request===> dcc0:6277
eth0:12345 <==response=== dcc0:6277
```

Where 12345 is the random port your client has chosen as its source port. It will change on every request, so they suggest exempting all non-reserved ports.

In the case of the client request, the destination port will be 6277

In the case of the server response, the source port will be 6277

No different from an HTTP request where it goes `eth0:<randomport> ====> blah0:80 ====> eth0:<samerandomport>`

They tell you to add this rule under the assumption that you allow all outbound traffic, but allow NO inbound traffic regardless of whether or not the inbound traffic is merely a response to a request you've made. 

Rather, think of a scenario where your firewall allowed a client to make a request to a web server, but blocked the inbound response FROM the web server. It is such a situation this rule is trying to account for. 

You may or may not need this rule, depending on your setup. 

Usually people will have an iptables rule that looks something like:

```
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
```

If you have such a rule, this should be sufficient and you need not add an explicit rule for DCC. I know my DCC has been working for some time at least without an explicit rule. 

Unless someone else comes in and points out some glaring error I missed, the aforementioned should be fine; but I'm open to learning something new.
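As an added illustration (not code from this thread, nor from DCC or SpamAssassin), the Python below models how the two INPUT rules compared above decide on incoming UDP packets; the addresses, port numbers other than 6277, and the toy conntrack table are constructed assumptions, and nothing here touches the real netfilter tables.

```python
from dataclasses import dataclass

DCC_PORT = 6277  # the DCC server's fixed UDP port, as quoted in the thread

@dataclass(frozen=True)
class Packet:
    src: str      # source address
    sport: int    # source port
    dst: str      # destination address
    dport: int    # destination port
    proto: str = "udp"

def explicit_dcc_rule(pkt):
    """iptables -A INPUT -p udp -m udp --dport 1024:65535 --sport 6277 -j ACCEPT
    Stateless: only the header fields of this one packet are inspected."""
    return pkt.proto == "udp" and pkt.sport == DCC_PORT and 1024 <= pkt.dport <= 65535

class ConntrackTable:
    """Toy stand-in for the conntrack state behind
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    (assumption: only the 4-tuple of outbound UDP requests is remembered)."""
    def __init__(self):
        self._flows = set()

    def record_outbound(self, pkt):
        # The client's request leaving via OUTPUT creates the flow entry.
        self._flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def established_rule(self, pkt):
        # An incoming packet is ESTABLISHED only if it is the exact reverse
        # of a flow already seen leaving this host.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self._flows

def compare_rules():
    """Apply both rules to constructed packets (documentation addresses, not
    real hosts). Returns {label: (explicit_verdict, established_verdict)}."""
    client, dcc, stranger = "192.0.2.10", "198.51.100.20", "203.0.113.30"
    ct = ConntrackTable()
    ct.record_outbound(Packet(client, 12345, dcc, DCC_PORT))  # our own request
    samples = {
        # genuine reply to the request above: both rules accept it
        "dcc_reply": Packet(dcc, DCC_PORT, client, 12345),
        # packet nobody asked for, merely sent from source port 6277:
        # the stateless rule still accepts it, the conntrack rule does not
        "unsolicited_sport_6277": Packet(stranger, DCC_PORT, client, 40000),
        # destination port below 1024 falls outside the explicit rule's range
        "reply_to_low_port": Packet(dcc, DCC_PORT, client, 53),
    }
    return {name: (explicit_dcc_rule(p), ct.established_rule(p)) for name, p in samples.items()}
```

The second sample is the practical difference: the stateless rule trusts anything whose source port happens to be 6277, while the RELATED,ESTABLISHED rule only admits replies to requests this host actually sent.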

----------

## JC99

cach0rr0, I do have that rule you mentioned so I won't use the DCC one.

Thanks for the explanations.

----------

