On Thu, 24 Sep 2009, Jan Engelhardt wrote:
> I looked at xt_stealth and it looks like
>
>     -A INPUT -j sktest
>     -A sktest -m socket -j RETURN
>     -A sktest -j DROP
>
> can do just the same. Please tell me if I am wrong anywhere. That would mean there is no need for xt_stealth.

Yeah, thanks for the suggestion. On 2.6.29.6 with iptables 1.4.4, tried:

    iptables -N opensocktest
    iptables -A opensocktest -m socket -j RETURN
    iptables -A opensocktest -j DROP
    iptables -A INPUT -j opensocktest

Unfortunately, adding the last rule failed with this message in the KRB:

    ip_tables: socket match: bad hook_mask 0x2/0x1

(Is there something I do wrong, or do I need an updated xt_socket?) At the moment, I'm stuck with 2.6.29.6; no chance to test with a newer kernel.

Btw, the manpage for the 'socket' match should clearly specify that an 'open socket' means a socket in either listening or established state. I was first puzzled by what 'open socket' really means... Balazs?

Jan
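Added illustration, not code from the thread or from the xt_socket module: a small C program that applies the same test xt_check_match() uses to produce "bad hook_mask USED/ALLOWED" (a match is rejected when the chain's hook mask has any bit the match did not declare in its .hooks), and that decodes the two masks from the report above into chain names so the error is readable. The hook numbering follows linux/netfilter.h; the decoding helper is my own.

```c
/* Decode the netfilter "bad hook_mask USED/ALLOWED" check. The kernel
 * rejects a match when (hook_mask & ~match->hooks) is non-zero, i.e.
 * the rule sits in a chain whose hook the match did not declare. */
#include <stdio.h>
#include <string.h>

/* NF_INET_* hook numbers as in linux/netfilter.h (used as bit positions). */
enum { NF_INET_PRE_ROUTING, NF_INET_LOCAL_IN, NF_INET_FORWARD,
       NF_INET_LOCAL_OUT, NF_INET_POST_ROUTING, NF_INET_NUMHOOKS };

/* Built-in chain name reached from each hook. */
static const char *const hook_names[NF_INET_NUMHOOKS] = {
    "PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING" };

/* Mirrors xt_check_match(): 0 = accepted, -1 = "bad hook_mask".
 * An allowed mask of 0 means the match did not restrict its hooks. */
int check_hook_mask(unsigned used, unsigned allowed)
{
    if (allowed && (used & ~allowed))
        return -1;
    return 0;
}

/* Render a hook mask as chain names, e.g. 0x3 -> "PREROUTING,INPUT".
 * Uses a static buffer (helper for this illustration only). */
const char *hook_mask_str(unsigned mask)
{
    static char buf[96];
    buf[0] = '\0';
    for (int h = 0; h < NF_INET_NUMHOOKS; h++) {
        if (!(mask & (1u << h)))
            continue;
        if (buf[0])
            strncat(buf, ",", sizeof buf - strlen(buf) - 1);
        strncat(buf, hook_names[h], sizeof buf - strlen(buf) - 1);
    }
    return buf;
}

int main(void)
{
    /* The masks from the reported error: 0x2 used, 0x1 allowed. */
    unsigned used = 0x2, allowed = 0x1;
    printf("used=%s\n", hook_mask_str(used));       /* INPUT */
    printf("allowed=%s\n", hook_mask_str(allowed)); /* PREROUTING */
    printf("%s\n", check_hook_mask(used, allowed) ? "rejected" : "ok");
    return 0;
}
```

So 0x2/0x1 says the rule was loaded from the INPUT (LOCAL_IN) hook while that xt_socket build only declared PREROUTING, which is why the jump from INPUT fails although the chain itself was created.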