On 2006-12-14, jwlargent <jwlargent@xxxxxxxxxxx> wrote: > I was trying to debug some errors in my iptables setup so I added the > following rules to my OUTPUT, just to see what packets were going out. > > iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT > iptables -A OUTPUT -j ACCEPT > > When I do iptables -L OUTPUT -v it shows some packets are falling > through to the last rule. > Shouldn't the first rule catch all the packets? > No. There exists forth state called INVALID. E.g. TCP packet with ACK witch is not part of any tracked TCP connection is INVALID. Naturally, INVALID packets are ill packets and they shoudn't appear, but the reality is different. -- Petr
