On Sun, Sep 25, 2011 at 02:59:15PM +0200, U.Mutlu wrote:
> I made a funny observation:
>
> client sends a tcp SYN packet to a served port on server,
> server answers with ACK SYN,
> client sends ACK RST to abort the 3-way-handshake.
>
> When logging these sequences with the following commands:
> iptables -A INPUT -p tcp --tcp-flags SYN SYN -j LOG --log-prefix "SYN IN "
> iptables -A OUTPUT -p tcp --tcp-flags SYN SYN -j LOG --log-prefix "SYN OUT "
> iptables -A INPUT -p tcp --tcp-flags RST RST -j LOG --log-prefix "RST IN "
> iptables -A OUTPUT -p tcp --tcp-flags RST RST -j LOG --log-prefix "RST OUT "
> then one sees that the "ACK RST" gets logged only as a "RST".

This behaviour is correct according to your rule-set.

> Is this perhaps a bug of iptables or its log module?

If you want to catch the ACK,RST case, you need to:

iptables -A OUTPUT -p tcp --tcp-flags ACK,RST RST \
	-j LOG --log-prefix "ACK, RST OUT "

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
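Added example, not code from the thread or from the netfilter project: a small model of how the iptables `--tcp-flags MASK COMP` match decides whether a packet's flags fit. It runs the thread's SYN and RST rules and the rule suggested in the reply (chain direction does not affect the flag match, so prefixes are shortened) against the handshake packets from the report; the `ACK,RST ACK,RST` entry is a hypothetical variant added here for comparison.

```python
# Added example (not from the thread): model iptables' "--tcp-flags MASK COMP".
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def parse_flags(spec):
    """Comma-separated flag list ("ACK,RST") -> bitmask; ALL/NONE as in iptables."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return sum(TCP_FLAGS.values())
    if spec == "NONE":
        return 0
    mask = 0
    for name in spec.split(","):
        if name not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag {name!r}")
        mask |= TCP_FLAGS[name]
    return mask

def tcp_flags_match(mask_spec, comp_spec, packet_flags):
    """Only the flags in MASK are examined; of those, exactly the flags in
    COMP must be set, so any MASK flag absent from COMP must be clear."""
    return (packet_flags & parse_flags(mask_spec)) == parse_flags(comp_spec)

def matching_prefixes(rules, packet_flags):
    """Log prefixes of every rule that would fire for packet_flags."""
    return [prefix for mask, comp, prefix in rules
            if tcp_flags_match(mask, comp, packet_flags)]

# Rules from the thread as (MASK, COMP, log prefix); last one is hypothetical.
THREAD_RULES = [
    ("SYN", "SYN", "SYN "),
    ("RST", "RST", "RST "),
    ("ACK,RST", "RST", "ACK, RST "),
    ("ACK,RST", "ACK,RST", "ACK+RST (hypothetical) "),
]

def handshake_trace():
    """Constructed flag words for the packets in the report (plus a bare RST),
    mapped to the prefixes each rule set would log for them."""
    packets = {
        "SYN": TCP_FLAGS["SYN"],
        "SYN/ACK": TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"],
        "ACK/RST": TCP_FLAGS["ACK"] | TCP_FLAGS["RST"],
        "bare RST": TCP_FLAGS["RST"],
    }
    return {name: matching_prefixes(THREAD_RULES, f) for name, f in packets.items()}

if __name__ == "__main__":
    for name, prefixes in handshake_trace().items():
        print(f"{name:9s} -> {prefixes}")
```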