Thanks Peter. Perhaps you can help clarify this for me?

According to http://www.knowplace.org/netfilter/ip_overview.html , the handshake procedure is as follows:

1. (B) --> [SYN] --> (A)
2. (B) <-- [SYN/ACK] <-- (A)
3. (B) --> [ACK] --> (A)

I read it as meaning that up until the end of step 2 the connection would be NEW. At the end of step 2 and beyond the connection would be ESTABLISHED. A packet with just the "ACK" flag set can only be part of an established connection.

quote "The important thing to note here is that after the three-way handshake is completed, and the connection is complete, every packet that is part of this TCP connection will always have the ACK bit set."

So, my understanding is that the only way a packet could be generated with the ACK flag set and the SRC as my server's IP is as part of an established connection. If that is the case then it should not be blocked, because I have an OUTPUT rule which allows it.

Where am I going wrong here?

If I do:

iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

then all outbound packets are allowed, so I definitely don't want that.

-- 
John Lange

On Tue, 2005-08-02 at 23:47 +0400, Peter Volkov Alexandrovich wrote:
> Hi.
> 
> On Tue, 2005-08-02 at 13:59 -0500, John Lange wrote:
> > The problem is, quite a few packets are being dropped which I don't
> > think should be.
> > 
> > iptables -P INPUT DROP
> > iptables -P OUTPUT DROP
> > 
> > iptables -A INPUT -p tcp --syn --dport 80 -j ACCEPT
> > 
> > iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > 
> > With the above rules why does the following get blocked?
> > 
> > -----
> > Aug 2 13:04:47 HOST kernel: IN= OUT=eth0 SRC=XXX.XXX.XXX.XXX
> > DST=XXX.XXX.XXX.XXX LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=11945 DF
> > PROTO=TCP SPT=80 DPT=48473 WINDOW=1805 RES=0x00 ACK URGP=0 UID=501
> > -----
> > 
> > This appears to be the return ACK of the initial SYN. Shouldn't that be
> > permitted under the above rules?
> 
> No. IIUC your connection is in state NEW while it has not seen packets
> in both directions (man iptables). After the syn packet has reached your
> host, a syn,ack packet should be sent to the client. At this moment your
> connection is in state NEW. And your rules forbid OUTPUT packets in
> state NEW. Thus the packet is dropped.
> 
> Peter.
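As an added aid for reading kernel log lines like the one quoted in the thread (this is not code from either poster): a small parser for iptables LOG output that separates the KEY=VALUE fields from the bare TCP flag tokens, so a dropped packet can be classified as a handshake SYN, a SYN/ACK, or an ACK segment sent after the handshake. The sample line is constructed from the quoted one, with the masked addresses replaced by RFC 5737 documentation addresses.

```python
# Sample LOG line constructed from the one in the thread (addresses are
# placeholders from the documentation ranges, not real hosts).
SAMPLE = ("Aug  2 13:04:47 HOST kernel: IN= OUT=eth0 SRC=192.0.2.10 "
          "DST=198.51.100.20 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=11945 DF "
          "PROTO=TCP SPT=80 DPT=48473 WINDOW=1805 RES=0x00 ACK URGP=0 UID=501")

# Bare tokens the LOG target emits for set TCP flags.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}
# Fields whose values are decimal integers in LOG output.
INT_FIELDS = {"LEN", "TTL", "ID", "SPT", "DPT", "WINDOW", "URGP", "UID"}


def parse_log_line(line):
    """Return (fields, flags) for one iptables LOG line.

    fields: dict of KEY=VALUE tokens after 'kernel:' (ints where numeric);
            bare non-flag tokens such as DF are stored with the value True.
    flags:  set of TCP flag tokens that were set on the packet.
    """
    _, _, body = line.partition("kernel:")
    fields, flags = {}, set()
    for tok in body.split():
        key, eq, val = tok.partition("=")
        if eq:  # KEY=VALUE (an empty value, e.g. IN=, is kept as "")
            fields[key] = int(val) if key in INT_FIELDS and val else val
        elif tok in TCP_FLAGS:
            flags.add(tok)
        else:  # IP-level markers such as DF / MF / CE
            fields[tok] = True
    return fields, flags


def classify(fields, flags):
    """Name the segment type; only SYN-bearing segments belong to the handshake."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    if "SYN" in flags:
        # A server's handshake reply logs with both ACK and SYN tokens.
        return "SYN/ACK (handshake step 2)" if "ACK" in flags else "SYN (handshake step 1)"
    if "RST" in flags:
        return "RST"
    if "ACK" in flags:
        # No SYN: this is an ACK segment after the handshake (LEN=1500 means
        # it carries data, not just an acknowledgement).
        return "post-handshake ACK segment"
    return "other"
```

Run it over the lines your LOG rules produce to see which segment type the OUTPUT policy is actually dropping before changing the rule set.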