ACK PSH blocked

Stephen J. Smoogen smooge at gmail.com
Mon Nov 7 19:27:40 CET 2005


On 11/4/05, Carlos Pastorino <carlos.pastorino at gmail.com> wrote:
> Hi everyone,
>
> My question is targeted to understanding Netfilter, because I know
> that the dropped packets are not impacting on the connection.
>
> My firewall is configured like this (showing only the important information):
>
> IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> IPTABLES -A FORWARD -p TCP -i $INET -o $LAN --syn --dport http -j ACCEPT
>
> and I've been noticing that packets with the ACK PSH flags set are
> dropped during the connection.
>
> I know that it's not because of the connection tracking, since the
> drops are occurring during the connection, not a long time after the
> connection, so they are definitely ESTABLISHED packets. And since
> ESTABLISHED packets should get through, I wonder why those are being
> blocked.

Are they really established? Or are they duplicates of existing
packets that are being dropped because they can't be 'established'
packets?

I think you would need to give more information about the stream to
figure out what the cause is.

--
Stephen J Smoogen.
CSIRT/Linux System Administrator


