Hello to ALL! I'm slightly confused about the values of the --ctdir option. If I understand correctly, the ORIGINAL direction is from the initiator to the replier, and the REPLY is the other way around. If so, suppose the following rules:

    -A INPUT -p tcp -s 1.1.1.1 -d 2.2.2.2 -m conntrack --ctstate NEW --ctdir ORIGINAL -j LOGMARK
    -A INPUT -p tcp -s 1.1.1.1 -d 2.2.2.2 -m conntrack --ctstate NEW --ctdir ORIGINAL -j DROP

Then I send a SYN packet from 1.1.1.1 to 2.2.2.2. I assume this is the ORIGINAL direction. So I expect my request to be logged by the LOGMARK target and then dropped. But nothing happens.

Then I change --ctdir ORIGINAL to --ctdir REPLY and repeat my test. Now I see exactly what I expected: dropped connection and LOGMARK output. But with the REPLY value of the --ctdir option.

By the way, in the LOGMARK output I see:

    hook = INPUT ... ctdir = ORIGINAL ... ctstate = NEW

And I agree with that. This is really the ORIGINAL direction, not REPLY. So where am I going wrong?