On Fri, 2004-11-19 at 04:31, Jochen Vogel wrote:
> hi,
>
> i have the following forwarding rule
>
> $IPT -A FORWARD -i $INT -o $EXT -m state --state NEW,ESTABLISHED,RELATED -j QUEUE
> $IPT -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> if i send an ACK with hping from INT to EXT it reaches the target system
>
> if i do
>
> $IPT -A FORWARD -i $INT -o $EXT -m state --state NEW -j ACCEPTLOG
> $IPT -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> i can see the following
>
> Nov 19 12:05:20 snolin kernel: ACPT IN=eth0 OUT=ppp0 SRC=1.1.1.1 DST=2.2.2.2 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=12368 PROTO=TCP SPT=2618 DPT=63 WINDOW=512 RES=0x00 ACK URGP=0
>
> did i have a false understanding of NEW or what's wrong

you have a false understanding of NEW. NEW == packet does not match an entry in the conntrack table.

there is a common misconception that "-m state --state NEW" performs some sort of intelligent enforcement on valid flag combinations (i.e. only matches TCP SYN packets), which is simply not true.

if you want this type of enforcement, write your rules like:

iptables -A FORWARD -p tcp --syn -m state --state NEW [ ... ]

which enforces that NEW packets must be SYN packets.

-j

-- 
"If something is too hard to do, then it's not worth doing." --The Simpsons
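The point of the reply above, modelled in code as an added example (it is not part of the thread and not netfilter's own code): a deliberately simplified conntrack table in which "NEW" means nothing more than "no entry for this flow", the `--syn` test as iptables defines it (SYN set, ACK/RST/FIN clear), and a simulation of the poster's `-m state --state NEW -j ACCEPT` rule next to the suggested `-p tcp --syn -m state --state NEW` rule. It also parses the kernel log line from the post to show how a defender can spot forwarded "NEW" packets that carry no SYN. The `Packet` type, the `forward` function and the assumption that an accepted NEW packet creates the conntrack entry are all constructed for this illustration.

```python
"""Simplified model of netfilter's '-m state --state NEW' versus
'-p tcp --syn -m state --state NEW', plus a check over kernel log lines.
Constructed illustration; it is not netfilter code."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A TCP packet as the FORWARD chain sees it (hypothetical type)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # e.g. frozenset({"SYN"}) or frozenset({"ACK"})


def conntrack_state(table, pkt):
    """NEW means only 'no conntrack entry for this flow'; TCP flags play no part.
    The table is a set of (src, sport, dst, dport) tuples (simplified model)."""
    fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
    rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
    return "ESTABLISHED" if fwd in table or rev in table else "NEW"


def is_syn(pkt):
    """What 'iptables -p tcp --syn' matches: SYN set, ACK, RST and FIN clear."""
    return "SYN" in pkt.flags and not (pkt.flags & {"ACK", "RST", "FIN"})


def forward(table, pkt, strict):
    """Simulate the INT->EXT rule of the FORWARD chain.
    strict=False: '-m state --state NEW -j ACCEPT'             (the poster's rule)
    strict=True : '-p tcp --syn -m state --state NEW -j ACCEPT' (the suggested fix)
    An accepted NEW packet creates the conntrack entry (assumption); anything
    not matched is dropped by an assumed default DROP policy."""
    if conntrack_state(table, pkt) == "ESTABLISHED":
        return "ACCEPT"
    if strict and not is_syn(pkt):
        return "DROP"
    table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
    return "ACCEPT"


# The log line from the post, used as sample input.
LOG_LINE = ("Nov 19 12:05:20 snolin kernel: ACPT IN=eth0 OUT=ppp0 SRC=1.1.1.1 DST=2.2.2.2 "
            "LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=12368 PROTO=TCP SPT=2618 DPT=63 "
            "WINDOW=512 RES=0x00 ACK URGP=0")

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}


def parse_netfilter_log(line):
    """Split a kernel netfilter log line into KEY=value fields and the set of
    bare TCP flag tokens (SYN, ACK, ...) the kernel prints between RES= and URGP=."""
    fields = dict(KV_RE.findall(line))
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields, flags


def accepted_without_syn(line):
    """Detection check: a line logged by the NEW-accept rule that shows a TCP
    packet without SYN means a mid-stream packet was forwarded as 'NEW'."""
    fields, flags = parse_netfilter_log(line)
    return fields.get("PROTO") == "TCP" and "SYN" not in flags


if __name__ == "__main__":
    fields, flags = parse_netfilter_log(LOG_LINE)
    print("logged flags:", sorted(flags), "-> forwarded without SYN:", accepted_without_syn(LOG_LINE))
    ack = Packet(fields["SRC"], int(fields["SPT"]), fields["DST"], int(fields["DPT"]), frozenset(flags))
    print("bare ACK, state-only rule:", forward(set(), ack, strict=False))
    print("bare ACK, --syn rule     :", forward(set(), ack, strict=True))
```

Running it with the poster's log line shows the bare ACK classified as NEW and accepted by the state-only rule, while the `--syn` variant drops it until a real SYN has opened the flow; the `accepted_without_syn` check is the kind of filter worth running over `ACPT`-prefixed log lines when auditing a ruleset that relies on `--state NEW` alone.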