I'm looking for some advice tuning iptables rules. The problem is, quite a few
packets are being dropped which I don't think should be.

Here are the basic rules:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -p tcp --syn --dport 80 -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

With the above rules why does the following get blocked?

-----
Aug 2 13:04:47 HOST kernel: IN= OUT=eth0 SRC=XXX.XXX.XXX.XXX DST=XXX.XXX.XXX.XXX LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=11945 DF PROTO=TCP SPT=80 DPT=48473 WINDOW=1805 RES=0x00 ACK URGP=0 UID=501
-----

This appears to be the return ACK of the initial SYN. Shouldn't that be
permitted under the above rules? Could it have something to do with the DF flag
on the packet?

--
John Lange
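The script below is an added example, not part of John's post or any reply to it. It does two things a defender triaging drops like the one quoted would want: a small parser for the netfilter kernel log format (the `KEY=VALUE` pairs and bare flag words such as `ACK` and `DF`) that classifies a logged packet by direction, ports and handshake stage, and a printer for the posted ruleset rewritten so that both chains accept `ESTABLISHED,RELATED` traffic and log before hitting the `DROP` policy. As posted, the `INPUT` chain only accepts `--syn` packets on port 80 and has no state rule, so inbound non-SYN segments of an HTTP connection fall through to the `DROP` policy. The `DF` word in the log is the IP don't-fragment bit, not a TCP flag, and the state match does not consult it. The sample log line uses constructed documentation addresses; the function names are mine. The rule printer only prints commands, so the script runs without root.

```shell
#!/usr/bin/env bash
# Added example for triaging netfilter LOG lines and for a stateful ruleset.
# Not from the original post. Function names and sample data are constructed.

# Constructed sample modelled on the quoted line (addresses are RFC 5737 documentation ranges).
SAMPLE_LOG='Aug 2 13:04:47 HOST kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=11945 DF PROTO=TCP SPT=80 DPT=48473 WINDOW=1805 RES=0x00 ACK URGP=0 UID=501'

# parse_ipt_log LINE KEY -> value of KEY=... in LINE (empty string if absent or empty)
parse_ipt_log() {
    local line=$1 key=$2 tok
    for tok in $line; do
        case $tok in
            "$key="*) printf '%s\n' "${tok#*=}"; return 0 ;;
        esac
    done
    printf '\n'
}

# packet_flags LINE -> the bare flag words present, in log order.
# DF is the IP don't-fragment bit; SYN/ACK/FIN/RST/PSH/URG are TCP flags.
packet_flags() {
    local tok out=""
    for tok in $1; do
        case $tok in
            SYN|ACK|FIN|RST|PSH|URG|DF) out="$out $tok" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# classify_packet LINE -> one-line verdict: which chain saw it, ports, flags, stage.
classify_packet() {
    local line=$1 ifin ifout dir flags spt dpt kind
    ifin=$(parse_ipt_log "$line" IN)
    ifout=$(parse_ipt_log "$line" OUT)
    if [ -z "$ifin" ] && [ -n "$ifout" ]; then
        dir="outbound via $ifout"        # locally generated: evaluated by the OUTPUT chain
    elif [ -n "$ifin" ] && [ -z "$ifout" ]; then
        dir="inbound via $ifin"          # addressed to this host: evaluated by INPUT
    else
        dir="forwarded $ifin->$ifout"    # transit traffic: evaluated by FORWARD
    fi
    flags=$(packet_flags "$line")
    spt=$(parse_ipt_log "$line" SPT)
    dpt=$(parse_ipt_log "$line" DPT)
    case " $flags " in
        *" SYN "*" ACK "*|*" ACK "*" SYN "*) kind="SYN/ACK handshake reply" ;;
        *" SYN "*) kind="new connection attempt (SYN only)" ;;
        *" ACK "*) kind="segment of an existing connection (ACK without SYN)" ;;
        *)         kind="no SYN/ACK flags logged" ;;
    esac
    printf '%s %s %s->%s [%s]: %s\n' \
        "$dir" "$(parse_ipt_log "$line" PROTO)" "$spt" "$dpt" "$flags" "$kind"
}

# print_stateful_rules -> the posted ruleset with state rules in both chains and
# rate-limited logging before the DROP policy. Pipe into a root shell to apply.
print_stateful_rules() {
    cat <<'EOF'
iptables -P INPUT DROP
iptables -P OUTPUT DROP
# packets conntrack already knows about, in BOTH directions
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# new inbound HTTP connections
iptables -A INPUT -p tcp --syn --dport 80 -m state --state NEW -j ACCEPT
# record what is about to hit the DROP policy, with a prefix that is easy to grep
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-IN-DROP: "
iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-OUT-DROP: "
EOF
}

# Stand-alone usage: triage the sample line, then show the corrected rules.
classify_packet "$SAMPLE_LOG"
print_stateful_rules
```

For the quoted line the classifier reports an outbound, ACK-only segment from port 80, i.e. a packet the `OUTPUT` state rule is expected to match, which is the right starting point for checking whether conntrack actually holds an entry for that connection (for example with `conntrack -L` or `/proc/net/nf_conntrack`) rather than re-reading the flag bits.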