Problems with OUTPUT rules ESTABLISHED,RELATED
john.lange at open-it.ca
Tue Aug 2 22:58:46 CEST 2005
Perhaps you can help clarify this for me?
According to http://www.knowplace.org/netfilter/ip_overview.html , the
handshake procedure is as follows:
1. (B) --> [SYN] --> (A)
2. (B) <-- [SYN/ACK] <--(A)
3. (B) --> [ACK] --> (A)
I read it as meaning that up until the end of step 2 the connection
would be NEW. At the end of Step 2 and beyond the connection would be
A packet with just the "ACK" flag set can only be part of an established
connection. quote "The important thing to note here is that after the
three-way handshake is completed, and the connection is complete, every
packet that is part of this TCP connection will always have the ACK bit
So, my understanding is the only way a packet could be generated with
the ACK flag set and the SRC as my server's IP is as part of an
If that is the case then it should not be blocked because I have an
OUTPUT rule which allows it.
Where am I going wrong here?
If I do:
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Then all outbound packets are allowed so I definitely don't want that.
On Tue, 2005-08-02 at 23:47 +0400, Peter Volkov Alexandrovich wrote:
> On Втр, 2005-08-02 at 13:59 -0500, John Lange wrote:
> > The problem is, quite a few packets are being dropped which I don't
> > think should be.
> > iptables -P INPUT DROP
> > iptables -P OUTPUT DROP
> > iptables -A INPUT -p tcp --syn --dport 80 -j ACCEPT
> > iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > With the above rules why does the following get blocked?
> > -----
> > Aug 2 13:04:47 HOST kernel: IN= OUT=eth0 SRC=XXX.XXX.XXX.XXX
> > DST=XXX.XXX.XXX.XXX LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=11945 DF
> > PROTO=TCP SPT=80 DPT=48473 WINDOW=1805 RES=0x00 ACK URGP=0 UID=501
> > -----
> > This appears to be the return ACK of the inital SYN. Shouldn't that be
> > permitted under the above rules?
> No. IIUC your connection is in state NEW while it have not seen packets
> in both directions (man iptables). After syn packet have reached your
> host syn,ack packet should be sent to client. At this moment your
> connection is in state NEW. And your rules forbid OUTPUT packets in
> state NEW. Thus packet is dropped.
More information about the netfilter