Problems with OUTPUT rules ESTABLISHED,RELATED
Peter Volkov Alexandrovich
pvolkov at mics.msu.su
Tue Aug 2 21:47:26 CEST 2005
On Втр, 2005-08-02 at 13:59 -0500, John Lange wrote:
> The problem is, quite a few packets are being dropped which I don't
> think should be.
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -A INPUT -p tcp --syn --dport 80 -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> With the above rules why does the following get blocked?
> Aug 2 13:04:47 HOST kernel: IN= OUT=eth0 SRC=XXX.XXX.XXX.XXX
> DST=XXX.XXX.XXX.XXX LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=11945 DF
> PROTO=TCP SPT=80 DPT=48473 WINDOW=1805 RES=0x00 ACK URGP=0 UID=501
> This appears to be the return ACK of the inital SYN. Shouldn't that be
> permitted under the above rules?
No. IIUC your connection is in state NEW while it have not seen packets
in both directions (man iptables). After syn packet have reached your
host syn,ack packet should be sent to client. At this moment your
connection is in state NEW. And your rules forbid OUTPUT packets in
state NEW. Thus packet is dropped.
More information about the netfilter