On Sunday 15 December 2002 09:50 am, Jon Wyatt wrote:
> It appears that yahoo is sending an ACK which I'm blocking (because
> it's not part of an initialisation), unless I've misunderstood the
> communication process.
>
> Here are the rules where I set them:
>
> $IPTABLES -N bad_tcp_packets
> $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
> $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
>
> And here's the message I get when yahoo attempts to send the ACK.
>
> New not syn:IN=ppp0 OUT= MAC= SRC=212.158.*.* DST=217.135.*.* LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=27155 PROTO=TCP SPT=80 DPT=32782 WINDOW=8760 RES=0x00 ACK RST URGP=0
>
> What's going on there then?

I think the question should be "Why is this NEW?"

Dest IP must be correct for you to get it, and source port is as well. Is it coming from a different IP? Or to a different dest port? Or does netfilter think the connection has closed? Something must be different for the state machine to consider it NEW. Is this from the firewall machine, or forwarded through it with SNAT or MASQ?

BTW, when I try this rule as the first rule in my INPUT chain, it does NOT hit when I do a Yahoo search; the search works fine. Is there something more particular about your search, or is it just "yahoo.com" and entering some text to search for?

j
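The "Why is this NEW?" question above, worked through as an added example that is not part of the thread. It is a deliberately simplified Python model of netfilter TCP connection tracking together with the quoted bad_tcp_packets chain: a packet whose addresses and ports match no conntrack entry is NEW whatever flags it carries, so an ACK+RST from port 80 that arrives after the tracked connection has been closed and timed out, or from an address or port other than the tracked one, is NEW and fails the `--syn` test. The stand-in addresses 217.135.0.2 and 212.158.0.1, the constructed session trace, the state names and the `expire()` method are all assumptions of this model, not netfilter's own code or timeouts; the log line it parses is the one quoted above.

```python
"""Simplified model of netfilter TCP conntrack plus the bad_tcp_packets chain
quoted above.  Added example, not from the thread: a packet whose addresses and
ports match no conntrack entry is NEW whatever its flags, and expire() stands
in for the real per-state timeouts by simply forgetting finished entries."""
import re
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")
FLAG_WORDS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
# Fields needed from an iptables LOG line such as the "New not syn:" one above
LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?PROTO=TCP SPT=(\d+) DPT=(\d+)")


def pkt(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags))


def parse_log_line(line):
    """Turn an iptables LOG line into a Packet; TCP flags appear as bare words."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not a TCP LOG line: %r" % line)
    src, dst, spt, dpt = m.groups()
    return pkt(src, int(spt), dst, int(dpt), *[w for w in line.split() if w in FLAG_WORDS])


def flow_key(p):
    """Direction-independent key, so both halves of a flow share one entry."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


class ConnTrack:
    """Entry states (assumed, simplified): SYN_SENT, ESTABLISHED, FIN_WAIT, TIME_WAIT, CLOSE."""

    def __init__(self):
        self.entries = {}

    def state_of(self, p):
        """What '-m state --state' sees: NEW means 'no entry for this flow'."""
        return "ESTABLISHED" if flow_key(p) in self.entries else "NEW"

    def confirm(self, p):
        """Update the table for a packet the rules ACCEPTed; a DROPped packet
        never gets here, so it creates no entry."""
        k = flow_key(p)
        st = self.entries.get(k)
        if "RST" in p.flags:
            self.entries[k] = "CLOSE"          # torn down, gone after expire()
        elif st is None:
            self.entries[k] = "SYN_SENT"       # first accepted packet creates it
        elif "FIN" in p.flags:
            self.entries[k] = "TIME_WAIT" if st == "FIN_WAIT" else "FIN_WAIT"
        elif st == "SYN_SENT" and "ACK" in p.flags:
            self.entries[k] = "ESTABLISHED"

    def expire(self):
        """Stand-in for the conntrack timeouts: finished entries disappear."""
        for k in [k for k, st in self.entries.items() if st in ("TIME_WAIT", "CLOSE")]:
            del self.entries[k]


def bad_tcp_packets(ct, p):
    """The quoted chain: LOG and DROP a NEW packet unless it is a pure SYN
    (iptables' --syn means SYN set with ACK, RST and FIN clear)."""
    syn_only = p.flags & {"SYN", "ACK", "RST", "FIN"} == {"SYN"}
    if not syn_only and ct.state_of(p) == "NEW":
        logline = "New not syn:SRC=%s DST=%s PROTO=TCP SPT=%d DPT=%d %s" % (
            p.src, p.dst, p.sport, p.dport, " ".join(sorted(p.flags)))
        return "DROP", logline
    ct.confirm(p)
    return "ACCEPT", None


# Constructed trace using stand-in addresses for the masked ones in the log:
# a fetch on port 80 followed by an orderly close begun by the client.
CLIENT, SERVER = "217.135.0.2", "212.158.0.1"
SESSION = [
    pkt(CLIENT, 32782, SERVER, 80, "SYN"),
    pkt(SERVER, 80, CLIENT, 32782, "SYN", "ACK"),
    pkt(CLIENT, 32782, SERVER, 80, "ACK"),
    pkt(CLIENT, 32782, SERVER, 80, "FIN", "ACK"),
    pkt(SERVER, 80, CLIENT, 32782, "FIN", "ACK"),
    pkt(CLIENT, 32782, SERVER, 80, "ACK"),
]
LATE_RST = pkt(SERVER, 80, CLIENT, 32782, "ACK", "RST")


def late_reset_verdict(expire_first):
    """Run SESSION, optionally let its TIME_WAIT entry expire, then feed the
    server's ACK+RST.  Returns (session verdicts, (verdict, logline))."""
    ct = ConnTrack()
    verdicts = [bad_tcp_packets(ct, p)[0] for p in SESSION]
    if expire_first:
        ct.expire()
    return verdicts, bad_tcp_packets(ct, LATE_RST)
```

`late_reset_verdict(False)` accepts the whole session and the reset, because the flow is still in the table when the RST arrives; `late_reset_verdict(True)` drops the same RST with a "New not syn:" line, because the entry has gone. Feeding the quoted log line through `parse_log_line` and an empty `ConnTrack` gives the same DROP, and so does an ACK+RST from a different source address while the tracked flow is still live, which is the "different IP" case in the reply. In a real kernel the timeouts, the SNAT/MASQ address rewriting and the loose pickup of mid-stream packets all change the details, so treat this as a model of the rule logic, not of ip_conntrack itself.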