So it looks like a SACK issue - you can verify it by disabling SACK support (/proc/sys/net/ipv4/tcp_sack, preferably at both sides) and running your original rule sets. Does the ssh connection still hang?
Good call. No hangs if SACK is disabled.

Carl