John Lange john.lange at
Tue Aug 2 20:59:23 CEST 2005

I'm looking for some advice tuning iptables rules.

The problem is, quite a few packets are being dropped which I don't
think should be.

Here are the basic rules:

iptables -P INPUT DROP
iptables -P OUTPUT DROP

iptables -A INPUT -p tcp --syn --dport 80 -j ACCEPT

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

With the above rules why does the following get blocked?

Aug  2 13:04:47 HOST kernel: IN= OUT=eth0 SRC=XXX.XXX.XXX.XXX
DST=XXX.XXX.XXX.XXX LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=11945 DF
PROTO=TCP SPT=80 DPT=48473 WINDOW=1805 RES=0x00 ACK URGP=0 UID=501

This appears to be the return ACK of the inital SYN. Shouldn't that be
permitted under the above rules?

Could it have something to do with the DF flag on the packet?

John Lange

More information about the netfilter mailing list