On Fri, 6 Jan 2017 16:28:31 +0000 Matt Killock <matt.killock@xxxxxxxxxxxx> wrote:

> > Depends on your rule set. Check and fix it. The target usually works.
>
> As a test, I made the very first FORWARD rule this:
>
> iptables -A FORWARD -i eth1 -p tcp -s 192.168.20.0/24 -d 212.58.244.71 --dport 80 -j REJECT --reject-with tcp-reset

Dumb question: can you reset a TCP conn that isn't ESTABLISHED? I don't think a TCP reset applies to the first SYN packet.

Here are the rules I use when a conn passes outside its allowed time frame:

    -A timedaction -p tcp -m state --state ESTABLISHED -j REJECT --reject-with tcp-reset
    -A timedaction -j REJECT --reject-with icmp-admin-prohibited

When a packet is received for an established TCP conn, a reset is returned to the sender. Each direction is handled separately. Once a particular direction has been reset, it is no longer ESTABLISHED, and further packets in that direction are rejected with ICMP 'admin prohibited' packets.

In short, each direction of established TCP conns is reset individually. All other conns, including each reset direction of TCP conns, are rejected via ICMP.

N
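The following is an added example, not code from the post or from netfilter: a small Python model of how the two-rule timedaction chain is evaluated, using the per-direction ESTABLISHED bookkeeping the post describes. The Packet and ConnTable types, the sample addresses and the packet sequence are all constructed here; nothing touches a real conntrack table or iptables.

```python
# Added example (not from the post): a model of the two-rule 'timedaction'
# chain, with the per-direction ESTABLISHED bookkeeping the post describes.
# Packets and the connection table are constructed here; no real netfilter
# stack is involved.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

    def direction(self):
        """5-tuple identifying this packet's direction within its flow."""
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse(self):
        """Same flow, opposite direction."""
        return Packet(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class ConnTable:
    """Stand-in for conntrack: the set of directions currently ESTABLISHED."""
    established: set = field(default_factory=set)

    def add_flow(self, pkt):
        """Record a flow that has seen traffic both ways (both directions ESTABLISHED)."""
        self.established.add(pkt.direction())
        self.established.add(pkt.reverse().direction())


def timedaction(pkt, table):
    """Apply the chain's two rules in order and return the verdict.

    Rule 1: -p tcp -m state --state ESTABLISHED -j REJECT --reject-with tcp-reset
    Rule 2: -j REJECT --reject-with icmp-admin-prohibited
    """
    if pkt.proto == "tcp" and pkt.direction() in table.established:
        # A RST goes back to the sender; as the post describes, this direction
        # then stops being ESTABLISHED, so the next packet in the same
        # direction falls through to rule 2.
        table.established.discard(pkt.direction())
        return "REJECT tcp-reset"
    return "REJECT icmp-admin-prohibited"


def run(packets, flows):
    """Evaluate a packet sequence against a table seeded with established flows."""
    table = ConnTable()
    for flow in flows:
        table.add_flow(flow)
    return [timedaction(p, table) for p in packets]


# Constructed sample: one established TCP session, one UDP flow, one new SYN.
CLIENT_TO_SERVER = Packet("tcp", "192.168.20.10", 40000, "212.58.244.71", 80)
SERVER_TO_CLIENT = CLIENT_TO_SERVER.reverse()
UDP_QUERY = Packet("udp", "192.168.20.10", 50000, "192.168.1.1", 53)
NEW_SYN = Packet("tcp", "192.168.20.11", 40001, "212.58.244.71", 80)

SAMPLE = [CLIENT_TO_SERVER, CLIENT_TO_SERVER,
          SERVER_TO_CLIENT, SERVER_TO_CLIENT,
          UDP_QUERY, NEW_SYN]


def demo():
    """Verdicts for SAMPLE when only CLIENT_TO_SERVER's flow is established."""
    return run(SAMPLE, flows=[CLIENT_TO_SERVER])


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, demo()):
        print(f"{pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}: {verdict}")
```

Running it shows the behaviour the post spells out: the first packet in each direction of the established session gets a TCP reset, the repeat packet in the same direction gets ICMP admin-prohibited, and the UDP flow and the fresh SYN (not ESTABLISHED) go straight to the ICMP rule.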