>I get quite a number of packets dropped as follows; This is packet from >my web server to a given host: > >Aug 8 01:20:12 venus kernel: IN= OUT=eth0 SRC=<myServerIP> >DST=<someHost> LEN=471 TOS=0x00 PREC=0x00 TTL=64 ID=13332 DF PROTO=TCP >SPT=80 DPT=10067 WINDOW=1716 RES=0x00 ACK PSH FIN URGP=0 >iptables -P OUTPUT DROP >iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT >iptables -A OUTPUT -m state --state NEW -p tcp --sport 80 -j ACCEPT >iptables -A OUTPUT -p any -j LOG I wonder why ACK,PSH,FIN is not seen as ESTABLISHED... >So what is a packet with "ACK PSH FIN" set? It's the "I'm closing the connection now" packet. ACK seems to be set most of the times, so don't wonder. PSH is to force the packet out-the-door now, i.e. disable holding this packet for buffering. >I assume they are being >blocked because they are neither "SYN" nor part of an established >connection? But what are they and should they be allowed? I think they would match --state INVALID, but IMHO, they should not. Unless of course, someone's using RAW sockets and injecting in fact, invalid packets. (But that would bypass netfilter anyway, should not it?) Jan Engelhardt -- | Alphagate Systems, http://alphagate.hopto.org/