I have been looking on the web about this now all day .. still nothing .. Is there anyone out there who has experienced this problem? Any help would be greatly appreciated.

Thanks again,
Peter Marshall

----- Original Message -----
From: "Peter Marshall" <peter.marshall@xxxxxxxxx>
To: "netfilter" <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Wednesday, August 11, 2004 6:00 PM
Subject: RST packets

I am having a problem now where I am getting RST packets being blocked from my internal network heading out to the external network. It looks like RST packets are used to stop a TCP connection when there is a problem.

The setup is like this: I have a web box in my DMZ that people connect to. A mod-jk connection is made through my firewall, and the responses are allowed back with the standard ESTABLISHED,RELATED allow on the FORWARD chain.

I guess I was wondering why I was getting a bunch of RST packets and also why the firewall was blocking them. Would they not be part of the ESTABLISHED-RELATED chain?

Here are the relevant rules.

    $IPT -A FORWARD -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -s $WEB_BOX_IP -i eth1 -j web-int
    $IPT -A web-int -d 192.168.202.168 -p tcp --dport 8009:8020 -j ACCEPT

I do have a chain for int-web ... which is used to connect to a webserver running on it .. (and it rejects everything else). This is the chain that the RST packet is making it to and is then getting rejected. However, I did not think that the packet should reach this chain, as it is related (or established) to the web-int connection ...

Any suggestions would be greatly appreciated.

My network setup is a DMZ between two firewalls. The web box is in the DMZ. The "int" in my chains is my internal network. The internal network is separated from the DMZ by a firewall.

Peter Marshall