Hello André,

Thanks for your answer!

> If you see under you can see that you have 2 hits on the rule for using the ICMP contra RST, because some client software will RETRY with 1 second delay.

Indeed, I tcpdump'ed on my side as well and I had 2 ICMP messages separated by ~1 second, like you had. I tried to set a rule on a remote machine to reject with icmp port unreachable connections made on some port (but on the INPUT chain this time), and in this case connect() gave up at the first ICMP reply, so maybe he's missing the first one sent by iptables, not sure...

> SIDENOTE: Typically when using TCP, it makes more sense to use "-j REJECT --reject-with tcp-reset" but doing otherwise is also OK,
> I am not saying this is the solution to your issue but it will work as an almost 100% workaround for all TCP sessions.

That is definitively a solution, at least for me, thanks a lot!

Best regards,
Renaud