Re: ssh session are hanging when firewall is restarted

Hi,

An update to the below, to help.

With only the one rule below, all TCP connections are hanging.

"iptables -A INPUT -p TCP ! --syn -m state --state NEW -j DROP"

How to reproduce
-------------------------
1. Open more than one ssh session to the machine
2. iptables -P INPUT ACCEPT && iptables -F && iptables -X
3. service ip6tables stop
4. iptables -A INPUT -p TCP ! --syn -m state --state NEW -j DROP
5. service iptables restart

The ssh sessions will be terminated.



I am using the operating system below.
root@ATCA-N6> uname -a
Linux ATCA-N6 2.6.32-131.4.1.el6.x86_64 #1 SMP Fri Jun 10 10:54:26 EDT
2011 x86_64 x86_64 x86_64 GNU/Linux
root@ATCA-N6>


Thanks and regards,
Adishesh


libnetfilter_conntrack-0.0.100-2.el6.x86_64







On Wed, Aug 24, 2011 at 7:12 PM, Adishesh  M <adisheshsm@xxxxxxxxx> wrote:
> Hi,
> When we insert the below rules into the iptables, ssh sessions are
> hanging (in fact all TCP connections are terminated).
>
> "iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m
> state --state NEW -j DROP".
>
> What is the problem with the above rule? We used this rule to drop
> bad TCP packets. When the firewall is restarted using "service iptables
> restart", ssh sessions are hanging.
>
>
> Rule used for testing.
>
> ssh session hangs
> <set 1>
> --------------------------
> iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m
> state --state NEW -j DROP
> iptables -A INPUT -d 10.255.13.157 -m state --state
> RELATED,ESTABLISHED  -j ACCEPT
> iptables -A INPUT -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
> iptables -A INPUT -d 10.255.13.157 -j DROP
>
>
> ssh session hangs
> <set 2>
> ----------------------------
> iptables -N TEST_LAN_1
> iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m
> state --state NEW -j DROP
> iptables -A INPUT -d 10.255.13.157 -j TEST_LAN_1
> iptables -A TEST_LAN_1 -d 10.255.13.157 -m state --state
> RELATED,ESTABLISHED  -j ACCEPT
> iptables -A TEST_LAN_1 -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
> iptables -A TEST_LAN_1 -d 10.255.13.157 -j DROP
>
>
>
> ssh session does not hang
> <set 3>
> ---------------------------------------
> iptables -N TEST_LAN_1
> iptables -A INPUT -d 10.255.13.157 -j TEST_LAN_1
> iptables -A TEST_LAN_1 -d 10.255.13.157 -m state --state
> RELATED,ESTABLISHED  -j ACCEPT
> iptables -A TEST_LAN_1 -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
> iptables -A TEST_LAN_1 -d 10.255.13.157 -j DROP
>
>
> ssh session does not hang
> <set 4>
> ---------------------------------------
> iptables -A INPUT -d 10.255.13.157 -m state --state
> RELATED,ESTABLISHED  -j ACCEPT
> iptables -A INPUT -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
> iptables -A INPUT -d 10.255.13.157 -j DROP
>
>
> Steps to reproduce this issue
> -----------------------------------------------
>    iptables -F
>    iptables -X
>    <Insert any one set of rules from set 1 or set 2 >
>    service ip6tables stop
>    service iptables save
>    iptables -L -n
>    service iptables restart
>    iptables -L -n
>
> Thanks and regards,
> Adishesh
>
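As an added illustration (not code from the original post): a small Python model of the INPUT chain from set 1 and set 4 above, fed the packets of an ssh session that was opened before the restart. It assumes that "service iptables restart" empties the connection-tracking table, so the next packet of an already-open session is classified NEW by "-m state" even though it carries no SYN; the client address and the simplified state machine are constructed for the example.

```python
from dataclasses import dataclass

HOST = "10.255.13.157"  # destination address used in the post's rule sets

@dataclass(frozen=True)
class Packet:
    dst: str
    proto: str
    dport: int
    syn: bool        # True only for a pure SYN (what "--syn" matches)
    flow: tuple      # (src_ip, src_port): the conntrack key of the session

class Conntrack:
    def __init__(self):
        self.table = set()   # flows seen in an accepted packet
    def state(self, pkt):
        return "ESTABLISHED" if pkt.flow in self.table else "NEW"
    def track(self, pkt, verdict):
        if verdict == "ACCEPT":
            self.table.add(pkt.flow)
    def flush(self):
        self.table.clear()   # assumption: the restart empties the state table

def set1(ct):
    """INPUT chain of 'set 1' from the post, as (match, target) pairs in order."""
    return [
        (lambda p: p.proto == "tcp" and not p.syn and ct.state(p) == "NEW", "DROP"),
        (lambda p: p.dst == HOST and ct.state(p) == "ESTABLISHED", "ACCEPT"),
        (lambda p: p.dst == HOST and p.proto == "tcp" and p.dport == 22, "ACCEPT"),
        (lambda p: p.dst == HOST, "DROP"),
    ]

def set4(ct):
    """'set 4' is 'set 1' without the leading '! --syn ... NEW -j DROP' rule."""
    return set1(ct)[1:]

def run_chain(rules, pkt, policy="ACCEPT"):
    for match, target in rules:
        if match(pkt):
            return target
    return policy

def session_survives_restart(make_rules, restart=True):
    """Open an ssh session, optionally restart (flush conntrack), send its next ACK."""
    ct = Conntrack()
    rules = make_rules(ct)
    flow = ("10.255.13.1", 40000)               # constructed client address
    syn = Packet(HOST, "tcp", 22, True, flow)
    ct.track(syn, run_chain(rules, syn))         # the handshake gets tracked
    if restart:
        ct.flush()                               # "service iptables restart"
    ack = Packet(HOST, "tcp", 22, False, flow)   # mid-session packet, no SYN
    return run_chain(rules, ack) == "ACCEPT"
```

With the state table intact, set 1 passes the session's ACK via the ESTABLISHED rule; once the table is empty the same ACK is NEW without SYN and hits the first DROP, while set 4 still accepts it on the dport 22 rule.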