Hello,

I am trying to implement the "--cmd-owner" match for some services in the "filter" table. When I do so, the corresponding services do not terminate correctly any more. For example, I opened an SSH connection and terminated it after the successful login with the "logout" command. Afterwards, on the server side "ps" and "netstat" say the connection is still alive. On the client side "netstat" says "FIN ACK", "LAST ACK", "CLOSING" and I get some log entries in "messages".

The necessary iptables rules at the client side:

  iptables -A OUTPUT -m owner --cmd-owner "ssh" -p tcp -s CLIENT -d SERVER --sport 1024:65535 --dport 22 -j ACCEPT
  iptables -A INPUT -p tcp -s SERVER -d CLIENT --sport 22 --dport 1024:65535 -j ACCEPT

Some of the drop-log entries at the client side:

  Aug 9 15:29:54 CLIENT kernel: DROP IN= OUT=eth0 SRC=CLIENT DST=SERVER LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=129 DF PROTO=TCP SPT=33442 DPT=22 WINDOW=24752 RES=0x00 ACK URGP=0
  Aug 9 15:29:55 CLIENT kernel: DROP IN= OUT=eth0 SRC=CLIENT DST=SERVER LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=130 DF PROTO=TCP SPT=33442 DPT=22 WINDOW=24752 RES=0x00 ACK URGP=0
  Aug 9 15:29:55 CLIENT kernel: DROP IN= OUT=eth0 SRC=CLIENT DST=SERVER LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=131 DF PROTO=TCP SPT=33442 DPT=22 WINDOW=24752 RES=0x00 ACK URGP=0

So I would say the boolean #--cmd-owner "ssh"# is immediately invalid, so the client cannot inform the server about the closing. Does anybody have an idea to let only the missing packets pass?

Kind regards
Daniel
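One way to let exactly those teardown packets through, added here as an example and not part of Daniel's post. The logged packets are bare ACKs sent from source port 33442 to port 22 after the ssh process has closed its socket; once the process is gone the socket is orphaned, so the owner match has no process to compare against and the packets fall through to the DROP rule. The usual answer is to accept packets that connection tracking already knows about before the owner rule is consulted, and to apply the owner match only to the SYN that opens a new connection. The script below prints the original ruleset beside a corrected one; the addresses 192.0.2.10 and 192.0.2.20 are placeholders, and the run() wrapper only echoes the commands unless APPLY=1 is set (both are assumptions of this example, not something from the post).

```shell
#!/bin/sh
# Added example, not from the original post. Compares the posted client-side
# ruleset with one that uses connection tracking so that FIN/ACK and
# retransmitted ACKs emitted after the ssh process has exited are accepted.
# Placeholder addresses; override with CLIENT=... SERVER=... in the environment.
CLIENT="${CLIENT:-192.0.2.10}"
SERVER="${SERVER:-192.0.2.20}"

# Dry run by default: print the iptables commands instead of executing them.
# Set APPLY=1 (as root) to actually install the rules.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# The posted ruleset: every outgoing packet to port 22 must pass the owner
# match, including packets the kernel sends after the process has closed
# its socket. Those have no owning process, so they are never accepted.
client_rules_original() {
    run iptables -A OUTPUT -m owner --cmd-owner ssh -p tcp \
        -s "$CLIENT" -d "$SERVER" --sport 1024:65535 --dport 22 -j ACCEPT
    run iptables -A INPUT -p tcp \
        -s "$SERVER" -d "$CLIENT" --sport 22 --dport 1024:65535 -j ACCEPT
}

# Corrected ruleset: packets belonging to a connection that was already
# accepted are matched by conntrack state first, so the owner rule only has
# to decide about the SYN that opens a new connection. The teardown packets
# (FIN, ACK, LAST_ACK retransmits) are ESTABLISHED and pass the first rule.
client_rules_fixed() {
    run iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT -m state --state NEW -m owner --cmd-owner ssh \
        -p tcp --syn -s "$CLIENT" -d "$SERVER" \
        --sport 1024:65535 --dport 22 -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

echo "# original (problematic) rules:"
client_rules_original
echo "# corrected rules:"
client_rules_fixed
```

Order matters: the ESTABLISHED,RELATED rule has to come before the owner rule, otherwise the orphaned packets still reach the owner match and are dropped. The INPUT side no longer needs a port-based rule, because replies from the server are ESTABLISHED once the client's SYN has been accepted. On kernels with the newer match the `-m state --state` syntax is written `-m conntrack --ctstate`; the logic is the same. After installing the corrected rules, log out of an SSH session and check with `netstat -tn` that no socket to port 22 is left in LAST_ACK or CLOSING, and that "messages" no longer shows DROP lines with DPT=22.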