On Wed, 27 Apr 2005, Stian B. Barmen wrote:

> In the code I added at the end of INPUT, FORWARD and the redirected DMZ
> chain the following:
>
> iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
> iptables -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
> iptables -A DMZ -p tcp -j REJECT --reject-with tcp-reset
>
> I removed the --reject-with tcp-reset on each line and the problem
> disappeared.
>
> The strange thing is that this communication should never reach this
> rule. When the communication is established it should hit the rule:
>
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> Should it not? (this rule runs before the -j DMZ and I have another one
> for INPUT).

Then there were packets flagged as INVALID by conntrack, which are of
course not matched by the states above. The reject line however matched
them and dutifully generated the RST segment, which tore down the
connection.

> I have no explanation for this behaviour. Will try to log and see what I
> can find but for now this is all I know.

Enable logging of invalid packets by

echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid

and make sure ipt_LOG is loaded.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
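The rule ordering that causes the behaviour above, next to the ordering that avoids it, as an added example; this is not code from the thread. The chain name DMZ is taken from the posted rules; the LOG prefix, the nf_conntrack sysctl fallback and the awk check are assumptions added here. Packets that conntrack classifies INVALID (out-of-window segments, late retransmits after the entry expired, and so on) never match RELATED,ESTABLISHED, so in the posted layout they fall through to the tcp-reset REJECT and a RST goes out, killing a connection that is otherwise fine. Handling INVALID explicitly, before any REJECT, means such packets are logged and silently dropped instead.

```shell
#!/bin/sh
# Added example, not from the original thread. Shows the posted ordering
# (REJECT reachable by INVALID packets) beside an ordering that drops
# INVALID first. Chain name DMZ comes from the thread; log prefix, the
# nf_conntrack fallback and the check function are assumptions.

# Ordering as posted: INVALID segments skip the ESTABLISHED rule, reach
# the REJECT and trigger a RST that tears down the live connection.
weak_rules() {
    cat <<'EOF'
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -j DMZ
iptables -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
EOF
}

# Corrected ordering: log and DROP INVALID before anything can REJECT it.
# (-m state/--state is the legacy syntax used in the thread; on current
# kernels -m conntrack --ctstate is equivalent.)
fixed_rules() {
    cat <<'EOF'
iptables -A FORWARD -m state --state INVALID -j LOG --log-prefix "INVALID fwd: "
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -j DMZ
iptables -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
EOF
}

# Reads a rule list on stdin; returns 0 when an INVALID->DROP rule comes
# before the tcp-reset REJECT, 1 otherwise. Handy as a check in a script
# that assembles a larger rule set.
reject_is_guarded() {
    awk '
        /--state INVALID/ && /-j DROP/ { drop = NR }
        /--reject-with tcp-reset/      { rej = NR }
        END { exit !(drop && rej && drop < rej) }
    '
}

# Turn on conntrack's own logging of INVALID packets. The 2.6-era
# ip_conntrack path from the thread is tried first; the nf_conntrack
# path takes a protocol number (6 = TCP, 255 = all) instead of 1.
enable_invalid_logging() {
    if [ -w /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid ]; then
        echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
    elif [ -w /proc/sys/net/netfilter/nf_conntrack_log_invalid ]; then
        echo 6 > /proc/sys/net/netfilter/nf_conntrack_log_invalid
    fi
}

# Usage on a firewall host (as root):  fixed_rules | sh ; enable_invalid_logging
# Dry-run check without touching iptables:  fixed_rules | reject_is_guarded
```

Applying the same INVALID log/drop pair at the top of INPUT and of the DMZ chain covers the other two REJECT lines from the post; the logged entries show which packets conntrack is rejecting and why the RSTs were being generated.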