Re: Best way to kill a live TCP connection?

Do you know the conntrack tool?

conntrack -D...


On 2011-01-18 18:50, Alessandro Vesely wrote:
> Having tried it, it's rather tricky.  The behavior depends on when the
> connection is deleted.  For example, with
>
>     # input rule meant to drop incoming packets
>     iptables -A INPUT -m conntrack --ctstate NEW -p tcp ! --syn \
>        -j DROP
> and
>     # output rule to reset connections to the local server
>     iptables -A OUTPUT -m conntrack --ctstate NEW -p tcp ! --syn \
>        -j REJECT --reject-with tcp-reset

I do not think that the outgoing packets will be sent without a SYN... But you may check it.

> the connection is most likely deleted after the local server has sent
> a reply but before the remote client sends further commands.  In
> this case the server will time out waiting for those dropped input packets.
>
> I tried removing that input rule.  That way the relevant packets are
> accepted, but the server's reply packets in the OUTPUT table are marked
> ESTABLISHED again.
>
> I tried using connmark, as in
>
>     iptables -A INPUT -m conntrack --ctstate NEW -p tcp ! --syn \
>        -j CONNMARK --or-mark 8
> and
>     iptables -A OUTPUT -m connmark --mark 8/8 -p tcp ! --syn \
>        -j REJECT --reject-with tcp-reset
>
> However, the latter rule never matched.  Is it the wrong table?

Do you have more connmark rules? Maybe something is interfering with these rules...

Swifty
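The "conntrack -D..." step above, written out as an added example that is not part of the thread: a small POSIX sh script that lists the tracked entries for a server port, deletes one connection by its original-direction tuple with conntrack(8), and installs reset rules adapted from the ones quoted in the thread so that neither end hangs on dropped packets. The function names, the addresses and the port are constructed for illustration. It assumes the kernel default nf_conntrack_tcp_loose=1, under which the next mid-stream (non-SYN) packet of a deleted connection creates a NEW conntrack entry rather than being classified INVALID; with DRY_RUN=1 the commands are printed instead of executed, otherwise they need root.

```shell
#!/bin/sh
# Added example, not from the thread. Tear down a live TCP connection by
# removing its conntrack entry, then make sure the leftover mid-stream
# packets are answered with a TCP RST instead of silently dropped.
#
# Assumption: nf_conntrack_tcp_loose=1 (default), so the first non-SYN
# packet seen after the entry is deleted shows up as ctstate NEW.
# Set DRY_RUN=1 to print the commands rather than run them.

# Execute a command, or echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Show the tracked TCP entries for one server port (hypothetical helper),
# so the operator can pick the tuple to delete.
list_tcp_connections() {
    port="$1"
    run conntrack -L -p tcp --dport "$port"
}

# Delete one tracked connection identified by the original direction:
# client address, server address and server port (hypothetical helper).
kill_tcp_connection() {
    client="$1"; server="$2"; port="$3"
    run conntrack -D -p tcp --orig-src "$client" --orig-dst "$server" --dport "$port"
}

# After the entry is gone, the next non-SYN packet from either side is NEW.
# Reset both directions: the OUTPUT rule tells the local server the
# connection is dead, the INPUT rule tells the remote client, so the server
# does not sit waiting for input that a plain DROP would swallow.
install_reset_rules() {
    run iptables -A INPUT  -m conntrack --ctstate NEW -p tcp ! --syn \
        -j REJECT --reject-with tcp-reset
    run iptables -A OUTPUT -m conntrack --ctstate NEW -p tcp ! --syn \
        -j REJECT --reject-with tcp-reset
}

# Usage (as root, constructed sample addresses):
#   install_reset_rules
#   list_tcp_connections 25
#   kill_tcp_connection 192.0.2.10 198.51.100.5 25
```

The reset rules are installed before the entry is deleted on purpose: once the conntrack entry is gone, whichever side sends the next segment gets a RST immediately, and the server's socket returns an error to the application instead of waiting for a timeout.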