Hello,

Latest CentOS 7.6.1810 running on VMware with a single vmxnet3 NIC. No NAT and no fw between both servers.

% uname -a
Linux WEB01 3.10.0-957.12.1.el7.x86_64 #1 SMP Mon Apr 29 14:59:59 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

% iptables -V
iptables v1.4.21

Below is my ruleset allowing WEB01 to access the proxy:

###
iptables=`which iptables`
iface="ens192"

$iptables -A FORWARD -j DROP

$iptables -A INPUT -i lo -j ACCEPT
$iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
$iptables -A INPUT -m addrtype --dst-type MULTICAST -j DROP
$iptables -A INPUT -m addrtype --dst-type BROADCAST -j DROP
$iptables -A INPUT -j LOG --log-level info --log-prefix "IPTABLES-INPUT-DROP> "
$iptables -A INPUT -j DROP

$iptables -A OUTPUT -p tcp --syn --dport 3128 -m state --state NEW -d 10.9.49.31 -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
$iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
$iptables -A OUTPUT -j LOG --log-level info --log-prefix "IPTABLES-OUTPUT-DROP> "
$iptables -A OUTPUT -j DROP
###

I see occasional drops in the logs as per below:

May 16 01:53:45 WEB01 kernel: IPTABLES-OUTPUT-DROP> IN= OUT=ens192 SRC=10.9.49.52 DST=10.9.49.31 LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=62432 DF PROTO=TCP SPT=49350 DPT=3128 WINDOW=432 RES=0x00 ACK PSH URGP=0
May 16 01:53:46 WEB01 kernel: IPTABLES-OUTPUT-DROP> IN= OUT=ens192 SRC=10.9.49.52 DST=10.9.49.31 LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=11155 DF PROTO=TCP SPT=49336 DPT=3128 WINDOW=364 RES=0x00 ACK PSH URGP=0
May 16 05:16:22 WEB01 kernel: IPTABLES-OUTPUT-DROP> IN= OUT=ens192 SRC=10.9.49.52 DST=10.9.49.31 LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=33163 DF PROTO=TCP SPT=49254 DPT=3128 WINDOW=364 RES=0x00 ACK PSH URGP=0

It doesn't seem that it has an impact (I can access the proxy from WEB01), but I was wondering why ACK PSH doesn't fall into ESTABLISHED?

My case looks similar to https://lists.netfilter.org/pipermail/netfilter/2005-August/062059.html although I don't see FIN.

Any hints would be greatly appreciated.

Thank you.
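
For triaging drops like the ones quoted above, this added example (not part of the original post) parses netfilter LOG lines and groups them per flow by TCP flags, separating bare SYNs from mid-stream packets such as ACK PSH. The function names and the third sample line are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: two lines copied from the post plus one made-up SYN drop.
SAMPLE = """\
May 16 01:53:45 WEB01 kernel: IPTABLES-OUTPUT-DROP> IN= OUT=ens192 SRC=10.9.49.52 DST=10.9.49.31 LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=62432 DF PROTO=TCP SPT=49350 DPT=3128 WINDOW=432 RES=0x00 ACK PSH URGP=0
May 16 05:16:22 WEB01 kernel: IPTABLES-OUTPUT-DROP> IN= OUT=ens192 SRC=10.9.49.52 DST=10.9.49.31 LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=33163 DF PROTO=TCP SPT=49254 DPT=3128 WINDOW=364 RES=0x00 ACK PSH URGP=0
May 16 06:00:00 WEB01 kernel: IPTABLES-OUTPUT-DROP> IN= OUT=ens192 SRC=10.9.49.52 DST=10.9.49.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ kernel: (?P<prefix>[^>]*>) (?P<body>.*)$")

def parse_line(line):
    """Parse one netfilter LOG line into a dict; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "prefix": m["prefix"], "flags": set()}
    for tok in m["body"].split():
        if "=" in tok:                      # KEY=value fields (SRC, DPT, ...)
            key, _, val = tok.partition("=")
            rec[key] = val
        elif tok in TCP_FLAGS:              # bare tokens; DF and others are ignored
            rec["flags"].add(tok)
    return rec

def classify(rec):
    """Label a logged packet by its position in a TCP connection."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    flags = rec["flags"]
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection"             # bare SYN: start of a connection
    if "RST" in flags or "FIN" in flags:
        return "teardown"                   # connection being closed or reset
    return "mid-stream"                     # ACK/data without SYN, e.g. ACK PSH

def summarize(text, prefix="IPTABLES-OUTPUT-DROP>"):  # group drops by (flow, class)
    out = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["prefix"] == prefix:
            flow = (rec["SRC"], rec["SPT"], rec["DST"], rec["DPT"])
            out[(flow, classify(rec))].append(rec["ts"])
    return dict(out)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Timestamps collected per flow can be compared against the application's idle periods and the connection-tracking timeouts on the host.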