ACK PSH blocked

Stephen J. Smoogen smooge at
Mon Nov 7 19:27:40 CET 2005

On 11/4/05, Carlos Pastorino <carlos.pastorino at> wrote:
> Hi everyone,
> My question is targeted to understanding Netfilter, because I know
> that the dropped packets are not impacting on the connection.
> My firewall is configured like this (showing only the important information):
> IPTABLES -A FORWARD -p TCP -i $INET -o $LAN --syn --dport http -j ACCEPT
> and I've been noticing that packets with the ACK PSH flags set are
> dropped during the connection.
> I know that it's not because of the connection tracking, since the
> drops are occurring during the connection, not a long time after the
> connection, so they are definitely ESTABLISHED packets. And since
> ESTABLISHED packets should get through, I wonder why those are being
> blocked.

Are they really established? Or are they duplicates of existing
packets that are being dropped because they can't be 'established'?

I think you would need to give more information about the stream to
figure out what the cause is.

Stephen J Smoogen.
CSIRT/Linux System Administrator
