Hi everyone,

I have followed a simple SCTP server and SCTP client at
http://simplestcodings.blogspot.com/2010/08/sctp-server-client-implementation-in-c.html

It works well. Client and server can communicate successfully.

Then I tried to set up an iptables rule to drop INIT packets on the server node:

    iptables -A INPUT -p sctp -m conntrack --ctstate NEW -m sctp --chunk-types any INIT -j DROP

It drops them, and the connection can no longer be established from the client.

However, when I tried to drop the INIT_ACK sent from the server with

    iptables -A OUTPUT -p sctp -m conntrack --ctstate NEW -m sctp --chunk-types any INIT_ACK -j DROP

it looks like it cannot drop INIT_ACK, and the connection from the client is set up fine.

Could you please tell me if SCTP conntrack can drop INIT_ACK, COOKIE_ACK?

My conntrack log does not show any INIT, INIT_ACK, COOKIE_ACK:

    [NEW] sctp 132 3 src=199.569.9.50 dst=199.569.9.51 sport=57295 dport=62324 [UNREPLIED] src=199.569.9.51 dst=199.569.9.50 sport=62324 dport=57295
    [UPDATE] sctp 132 3 src=199.569.9.50 dst=199.569.9.51 sport=57295 dport=62324 src=199.569.9.51 dst=199.569.9.50 sport=62324 dport=57295
    [UPDATE] sctp 132 3 COOKIE_ECHOED src=199.569.9.50 dst=199.569.9.51 sport=57295 dport=62324 src=199.569.9.51 dst=199.569.9.50 sport=62324 dport=57295
    [UPDATE] sctp 132 432000 ESTABLISHED src=199.569.9.50 dst=199.569.9.51 sport=57295 dport=62324 src=199.569.9.51 dst=199.569.9.50 sport=62324 dport=57295 [ASSURED]

Is this expected? In TCP, the conntrack log can show SYN_SENT/SYN_RECEIVED.

Brs,
Naruto