--state NEW -j DROP (would be great)

Henrik Nordstrom hno at marasystems.com
Wed Oct 26 07:47:36 CEST 2005


On Wed, 26 Oct 2005, Sylvan Andrew wrote:

> Hello,
>
> Could somebody please explain the 'iptables -A INPUT -eth0 -m state --state 
> NEW -j DROP' a bit more for me? I understand that it won't allow any 
> outside initiated inbound connections into a network.

Correct.

> However occasionally if 
> I'm doing a tcpdump we see things like:
>
> 21:04:48.935367 IP 82.29.180.221.15378 > 213.17.40.204.4154: R 0:0(0) ack 1 
> win 0

These are INVALID, not part of any connection.

So if you use

-i eth0 -m state --state NEW,INVALID -j DROP

you should see the expected result.

Regards
Henrik
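To show why the bare RST slips past a rule that drops only NEW, here is an added example (not from the thread or from netfilter itself) that models the connection tracker with a deliberately simplified state machine: a known flow is ESTABLISHED, a SYN without ACK to an unknown flow is NEW, and any other packet to an unknown flow is INVALID. The capture lines, the host address treated as local, and the classification rules are assumptions made for the example; the kernel's conntrack is considerably more elaborate.

```python
import re
from collections import namedtuple

LOCAL = "213.17.40.204"  # host whose INPUT chain is modelled (taken from the capture)

# Constructed capture in the tcpdump format quoted above; line 1 is the RST from
# the question, the other three are made up here to show NEW and ESTABLISHED.
SAMPLE = """\
21:04:48.935367 IP 82.29.180.221.15378 > 213.17.40.204.4154: R 0:0(0) ack 1 win 0
21:04:49.000100 IP 82.29.180.221.40000 > 213.17.40.204.22: S 10:10(0) win 5840
21:04:49.200300 IP 213.17.40.204.33000 > 82.29.180.221.80: S 30:30(0) win 5840
21:04:49.300400 IP 82.29.180.221.80 > 213.17.40.204.33000: S 40:40(0) ack 31 win 5792
"""
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): ([SRFP.]+) ")
Packet = namedtuple("Packet", "src sport dst dport flags has_ack")

def parse(line: str) -> Packet:
    m = LINE_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    return Packet(m[1], int(m[2]), m[3], int(m[4]), m[5], " ack " in line)

def classify(pkt: Packet, table: set) -> tuple:
    """Simplified conntrack model (an assumption, not the kernel's code): a flow
    already in the table is ESTABLISHED; a SYN without ACK to an unknown flow is
    NEW; anything else to an unknown flow, such as a bare RST, is INVALID."""
    key = frozenset([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    if key in table:
        return "ESTABLISHED", key
    if "S" in pkt.flags and not pkt.has_ack:
        return "NEW", key
    return "INVALID", key

def run(drop_states: set, capture: str = SAMPLE) -> list:
    """Apply '-i eth0 -m state --state <drop_states> -j DROP' on INPUT. Outbound
    packets bypass the rule; a NEW entry is only kept if its packet is accepted."""
    table, results = set(), []
    for line in capture.splitlines():
        pkt = parse(line)
        state, key = classify(pkt, table)
        inbound = pkt.dst == LOCAL
        verdict = "DROP" if inbound and state in drop_states else "ACCEPT"
        if verdict == "ACCEPT" and state == "NEW":
            table.add(key)
        results.append((pkt.flags, state, verdict))
    return results
```

With `run({"NEW"})` the RST is classified INVALID and accepted, which is the traffic the question saw in tcpdump; with `run({"NEW", "INVALID"})` it is dropped while the locally initiated connection still completes.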

