On Mar 11 2008 15:20, bossk wrote:
>
> 1. iptables -A allowed -p TCP --syn -j ACCEPT
> 2. iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
> 3. iptables -A allowed -p TCP -j DROP
>
> Regarding rule 2, the connection is ESTABLISHED and no packets should be
> dropped.
>
> But in the drop log it looks quite different:
> IN= OUT=eth0 SRC=10.3.4.14 DST=10.3.4.2 LEN=52 TOS=0x00 PREC=0x00 TTL=64
> ID=20094 DF PROTO=TCP SPT=42884 DPT=3128 WINDOW=4 RES=0x00 ACK URGP=0

Well then this packet did not belong to a known connection, was forged, or anything like that. That is why I would also combine -p tcp --syn with additionally -m conntrack --ctstate NEW.

Needless to say that RELATED will never be considered because you already allow all connections with --syn.
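To make the chain logic in the thread concrete, here is an added example (not from the list post) that parses a netfilter LOG line of the shape quoted above and walks the three-rule `allowed` chain for a packet, both as posted and with the `--ctstate NEW` condition the reply recommends. The conntrack state is passed in as an assumption, because the LOG line itself does not record it; the sample line is constructed from the one in the thread.

```python
# Constructed sample in the shape of the drop-log line quoted in the thread.
LOG_LINE = ("IN= OUT=eth0 SRC=10.3.4.14 DST=10.3.4.2 LEN=52 TOS=0x00 PREC=0x00 TTL=64 "
            "ID=20094 DF PROTO=TCP SPT=42884 DPT=3128 WINDOW=4 RES=0x00 ACK URGP=0")

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_log(line):
    """Split a netfilter LOG line into KEY=VALUE fields plus the set of TCP flags."""
    fields, bare = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # "IN=" yields an empty interface name
            fields[key] = value
        else:
            bare.add(tok)                    # DF, ACK, SYN, ... are logged as bare words
    fields["FLAGS"] = bare & TCP_FLAGS
    return fields

def is_syn(flags):
    """iptables --syn: SYN set while ACK, RST and FIN are clear."""
    return "SYN" in flags and not (flags & {"ACK", "RST", "FIN"})

def allowed_chain(flags, ctstate, require_new=False):
    """Return the verdict of the 'allowed' chain from the thread for one packet.

    ctstate is the conntrack state the kernel assigned (NEW, ESTABLISHED,
    RELATED or INVALID); it is an assumed input here since LOG does not show it.
    require_new=True models adding '-m conntrack --ctstate NEW' to rule 1.
    """
    if is_syn(flags) and (not require_new or ctstate == "NEW"):
        return "ACCEPT (rule 1: --syn)"
    if ctstate in ("ESTABLISHED", "RELATED"):
        return "ACCEPT (rule 2: ESTABLISHED,RELATED)"
    return "DROP (rule 3)"

if __name__ == "__main__":
    pkt = parse_log(LOG_LINE)
    print(sorted(pkt["FLAGS"]), pkt["SPT"], "->", pkt["DPT"])
    # The logged packet carries ACK without SYN, so rule 1 could never match;
    # that it reached the DROP rule means conntrack did not know the flow.
    print(allowed_chain(pkt["FLAGS"], "INVALID"))
    # A bare SYN that conntrack did not classify as NEW passes the chain as
    # posted but is dropped once rule 1 also requires --ctstate NEW.
    print(allowed_chain({"SYN"}, "INVALID"), "/", allowed_chain({"SYN"}, "INVALID", True))
```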