Hi.

On Tue, 2005-08-02 at 13:59 -0500, John Lange wrote:
> The problem is, quite a few packets are being dropped which I don't
> think should be.
>
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
>
> iptables -A INPUT -p tcp --syn --dport 80 -j ACCEPT
>
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> With the above rules why does the following get blocked?
>
> -----
> Aug 2 13:04:47 HOST kernel: IN= OUT=eth0 SRC=XXX.XXX.XXX.XXX
> DST=XXX.XXX.XXX.XXX LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=11945 DF
> PROTO=TCP SPT=80 DPT=48473 WINDOW=1805 RES=0x00 ACK URGP=0 UID=501
> -----
>
> This appears to be the return ACK of the initial SYN. Shouldn't that be
> permitted under the above rules?

No. IIUC your connection is in state NEW while it has not seen packets in
both directions (man iptables). After the SYN packet has reached your host,
a SYN,ACK packet should be sent to the client. At this moment your
connection is in state NEW, and your rules forbid OUTPUT packets in state
NEW. Thus the packet is dropped.

Peter.
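As an added example (not part of the thread above, and not code from either poster), the following POSIX shell helpers parse a kernel iptables LOG line of the kind quoted in the question into its fields, name the chain it was logged from, and list the TCP flag tokens. That is the first triage step when asking "why was this dropped": the line tells you it was the OUTPUT chain, source port 80, flags ACK only, so the only rule that could have accepted it is the ESTABLISHED,RELATED one. The sample line is constructed after the quoted one with documentation addresses substituted for the masked ones.

```shell
#!/bin/sh
# Added example: triage helpers for iptables LOG lines.
# SAMPLE_LOG is constructed after the line quoted in the thread; the
# addresses are RFC 5737 placeholders, not real hosts.
SAMPLE_LOG='Aug 2 13:04:47 HOST kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.20 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=11945 DF PROTO=TCP SPT=80 DPT=48473 WINDOW=1805 RES=0x00 ACK URGP=0 UID=501'

# log_field LINE NAME: print the value of the NAME=value token in LINE.
# Prints an empty string for tokens like "IN=" (interface unset) and
# returns 1 if the field is absent altogether.
log_field() {
    _line=$1; _name=$2
    for _tok in $_line; do
        case $_tok in
            "$_name"=*) printf '%s\n' "${_tok#*=}"; return 0 ;;
        esac
    done
    return 1
}

# log_tcpflags LINE: print the bare TCP flag tokens the LOG target emits
# (SYN, ACK, FIN, RST, PSH, URG), space separated. "DF" is the IP
# don't-fragment bit, not a TCP flag, so it is deliberately not listed.
log_tcpflags() {
    _out=
    for _tok in $1; do
        case $_tok in
            SYN|ACK|FIN|RST|PSH|URG) _out="$_out${_out:+ }$_tok" ;;
        esac
    done
    printf '%s\n' "$_out"
}

# log_chain LINE: infer the chain from which interfaces are set.
# IN only -> INPUT, OUT only -> OUTPUT, both -> FORWARD.
log_chain() {
    _in=$(log_field "$1" IN); _out=$(log_field "$1" OUT)
    if [ -n "$_in" ] && [ -n "$_out" ]; then echo FORWARD
    elif [ -n "$_in" ]; then echo INPUT
    elif [ -n "$_out" ]; then echo OUTPUT
    else echo UNKNOWN
    fi
}

# describe_log LINE: one-line summary for a drop investigation.
describe_log() {
    _l=$1
    printf '%s %s %s:%s -> %s:%s flags=%s\n' \
        "$(log_chain "$_l")" "$(log_field "$_l" PROTO)" \
        "$(log_field "$_l" SRC)" "$(log_field "$_l" SPT)" \
        "$(log_field "$_l" DST)" "$(log_field "$_l" DPT)" \
        "$(log_tcpflags "$_l")"
}

# Running the sample through the summary shows an OUTPUT-chain packet from
# the web server port with only ACK set: a packet that the quoted ruleset
# can only accept through the ESTABLISHED,RELATED rule, which is exactly
# why its conntrack state is the question.
describe_log "$SAMPLE_LOG"
```

The summary for the constructed sample reads `OUTPUT TCP 192.0.2.10:80 -> 198.51.100.20:48473 flags=ACK`. Because the helpers only use `case` and parameter expansion, they run under dash or bash on a firewall host without awk or sed.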