Re: iptables question

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mar 11 2008 15:20, bossk wrote:
>
>1. iptables -A allowed -p TCP --syn -j ACCEPT
>2. iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
>3. iptables -A allowed -p TCP -j DROP
>
>Regarding rule 2.  the connections is ESTABLISHED and no packets should be 
>dropped.
>
>But in the drop log it looks quite different
>IN= OUT=eth0 SRC=10.3.4.14 DST=10.3.4.2 LEN=52 TOS=0x00 PREC=0x00 TTL=64 
>ID=20094 DF PROTO=TCP SPT=42884 DPT=3128 WINDOW=4 RES=0x00 ACK URGP=0

Well then this packet did not belong to a known connection,
was forged, or anything like that.

That is why I would also combine -p tcp --syn with additionally
-m conntrack --ctstate NEW.
Needless to say that RELATED will never be considered because
you already allow all connections with --syn.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux