Re: CentOS 5.2 + iptables + memcached Problem




I do have such a rule at the top of the rule set. Sorry I did not
provide more context. The basic structure of my rule set is:

1. Deny some known bad packet types.
2. Accept ESTABLISHED, RELATED traffic.
3. Accept rules of various sorts (such as the memcached rules).
4. Deny all (catch all rule).

I'm not an iptables newbie - I have used it for years and understand
its basic operation. All my other rules work perfectly. This is why I
am perplexed as to the memcached rules not working as expected and why
I suspect a bug of some sort.

Thanks,

Sam

On Sat, Dec 13, 2008 at 7:14 AM, Filipe Brandenburger
<filbranden@xxxxxxxxx> wrote:
> Hi,
>
> On Fri, Dec 12, 2008 at 18:28, Art Age Software <artagesw@xxxxxxxxx> wrote:
>> IPTABLES -A INPUT  -i bond0 -p tcp -m tcp  -s 192.168.1.0/24  -d
>> 192.168.1.0/24  --dport 11211  -m state --state NEW  -j ACCEPT
>>
>> s1 kernel: DROP -- Catch All: IN=bond0 OUT= SRC=192.168.1.2
>> DST=192.168.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=6467 DF PROTO=TCP
>> SPT=51837 DPT=11211 WINDOW=202 RES=0x00 ACK FIN URGP=0
>
> To use stateful rules, you must have rules for state ESTABLISHED too,
> otherwise it will only allow the first packet and not all the others.
> The first rule should always be:
>
> iptables -A ... -i bond0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> That's the point of stateful rules, you match the rules further down
> for new connections, but existing connections will always match the
> first rule.
>
> You should google for "iptables stateful" and try to get a better
> explanation of what it is and how it works.
>
> HTH,
> Filipe
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos
>
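An added triage helper, not from either poster: it parses the catch-all LOG line quoted above and reports which conntrack state that packet could get if no flow entry exists, which is what decides whether a `--state NEW` rule can ever match it. The `tcp_loose` flag models the kernel's mid-stream pickup sysctl and is an assumption, as is the simplified start-state table.

```python
# Constructed sample: the kernel LOG line from the thread, re-joined onto one line.
SAMPLE_LOG = ("s1 kernel: DROP -- Catch All: IN=bond0 OUT= SRC=192.168.1.2 "
              "DST=192.168.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=6467 DF PROTO=TCP "
              "SPT=51837 DPT=11211 WINDOW=202 RES=0x00 ACK FIN URGP=0")

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_nf_log(line):
    """Split a netfilter LOG target line into KEY=VALUE fields plus a 'flags'
    set holding the bare TCP flag tokens (SYN, ACK, FIN ...)."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
    fields["flags"] = flags
    return fields


def state_if_unknown_flow(pkt, tcp_loose=True):
    """Conntrack state a TCP packet gets when no entry exists for its flow
    (assumption: simplified version of the Linux TCP tracker's start table).
    SYN alone -> NEW; FIN, RST or SYN+ACK with no known flow -> INVALID;
    a plain ACK -> NEW only when mid-stream pickup (tcp_loose) is enabled."""
    flags = pkt["flags"]
    if "RST" in flags or "FIN" in flags:
        return "INVALID"
    if "SYN" in flags:
        return "NEW" if "ACK" not in flags else "INVALID"
    return "NEW" if tcp_loose else "INVALID"


def explain_drop(line, tcp_loose=True):
    """Say which rule in the thread's rule set this dropped packet depended on."""
    pkt = parse_nf_log(line)
    if pkt.get("PROTO") != "TCP":
        return "non-TCP packet: first packet seen is NEW; check the NEW accept rules"
    if state_if_unknown_flow(pkt, tcp_loose) == "NEW":
        return ("connection-opening packet: the --state NEW ACCEPT rule should have "
                "matched; check its -i, -s, -d and --dport against the log fields")
    return ("%s packet is never NEW: only an ESTABLISHED,RELATED rule above the "
            "catch-all can accept it, and only while conntrack still holds the flow"
            % "+".join(sorted(pkt["flags"])))
```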
