Peter Volkov Alexandrovich pvolkov at
Tue Aug 2 21:47:26 CEST 2005


On Втр, 2005-08-02 at 13:59 -0500, John Lange wrote:
> The problem is, quite a few packets are being dropped which I don't
> think should be.
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -A INPUT -p tcp --syn --dport 80 -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> With the above rules why does the following get blocked?
> -----
> Aug  2 13:04:47 HOST kernel: IN= OUT=eth0 SRC=XXX.XXX.XXX.XXX
> DST=XXX.XXX.XXX.XXX LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=11945 DF
> PROTO=TCP SPT=80 DPT=48473 WINDOW=1805 RES=0x00 ACK URGP=0 UID=501
> -----
> This appears to be the return ACK of the inital SYN. Shouldn't that be
> permitted under the above rules?

No. IIUC your connection is in state NEW while it have not seen packets
in both directions (man iptables). After syn packet have reached your
host syn,ack packet should be sent to client. At this moment your
connection is in state NEW. And your rules forbid OUTPUT packets in
state NEW. Thus packet is dropped.


More information about the netfilter mailing list