[Bug 693] SNAT is failing to masquerade some TCP RST packets

bugzilla-daemon at bugzilla.netfilter.org
Mon Dec 5 21:08:45 CET 2011


http://bugzilla.netfilter.org/show_bug.cgi?id=693





--- Comment #8 from Doug Smythies <dsmythies at telus.net>  2011-12-05 21:08:44 ---
(In reply to comment #5)
www at applejelly.org: If I understand your example correctly, you are trying to
make new TCP sessions in violation of the protocol. That scenario is, in my
opinion, well documented (or at least better documented). Following is the
related segment of my iptables script:

# A NEW TCP connection requires SYN bit set and FIN,RST,ACK reset.
# Un-NAT'ed packets go out to internet without this rule.
# Sending RFC1918 packets to internet is considered poor form, by me anyhow.
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW \
    -j LOG --log-prefix "NEW TCP no SYN:" --log-level info
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP


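The rule above hinges on what iptables' `--syn` match actually tests and on which packets conntrack labels NEW. The following script is an added example, not code from the bug report or from Doug Smythies' script: it emulates the `--syn` test (which the iptables man page defines as `--tcp-flags SYN,RST,ACK,FIN SYN`), takes the conntrack state as a plain parameter rather than simulating the state table, and parses constructed kernel log lines laid out like the LOG target's output with the "NEW TCP no SYN:" prefix from the posted rule. The addresses and log lines are made up for the example.

```python
"""Emulate the iptables ``--syn`` match used in the rule above and tally what
its LOG line would record.  Added example, not from the bug report; the log
lines below are constructed to follow the kernel LOG target's field layout."""
from collections import Counter

# Flag tokens in the order the kernel LOG target prints them after "RES=0x.."
FLAG_NAMES = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")

# Prefix taken from the posted rule's --log-prefix argument.
PREFIX = "NEW TCP no SYN:"


def matches_syn(flags):
    """``--syn`` is shorthand for ``--tcp-flags SYN,RST,ACK,FIN SYN``: among
    the four examined bits only SYN may be set.  PSH, URG, ECE and CWR are
    not examined, so an ECN-setup SYN (SYN+ECE+CWR) still matches."""
    examined = set(flags) & {"SYN", "RST", "ACK", "FIN"}
    return examined == {"SYN"}


def would_be_logged(flags, conntrack_state):
    """The posted rule is ``-p tcp ! --syn -m state --state NEW``: it fires
    only for a packet that conntrack calls NEW and that is not a bare SYN.
    conntrack_state is supplied by the caller (assumption: no state table
    is simulated here)."""
    return conntrack_state == "NEW" and not matches_syn(flags)


def parse_log_line(line):
    """Return src/dst/ports/flags for one line carrying the rule's prefix,
    or None for any other kernel log line."""
    idx = line.find(PREFIX)
    if idx < 0:
        return None
    tokens = line[idx + len(PREFIX):].split()
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    # Flag names are bare tokens (like DF/MF), so a membership test on
    # FLAG_NAMES picks them out without positional parsing.
    flags = tuple(t for t in tokens if t in FLAG_NAMES)
    return {
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "spt": int(fields["SPT"]),
        "dpt": int(fields["DPT"]),
        "flags": flags,
    }


def summarize(lines):
    """Count logged packets per flag combination, e.g. {"RST": 2, "ACK": 1}.
    Lines without the rule's prefix (other LOG rules) are ignored."""
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is not None:
            counts[" ".join(rec["flags"]) or "none"] += 1
    return dict(counts)


# Constructed sample using RFC 5737 documentation addresses; not a real capture.
SAMPLE_LOG = [
    "Dec  5 21:08:44 gw kernel: NEW TCP no SYN:IN=ppp0 OUT= MAC= SRC=203.0.113.10 DST=198.51.100.7 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=80 DPT=49152 WINDOW=0 RES=0x00 RST URGP=0",
    "Dec  5 21:08:45 gw kernel: NEW TCP no SYN:IN=ppp0 OUT= MAC= SRC=203.0.113.10 DST=198.51.100.7 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=80 DPT=49153 WINDOW=0 RES=0x00 RST URGP=0",
    "Dec  5 21:09:01 gw kernel: NEW TCP no SYN:IN=ppp0 OUT= MAC= SRC=203.0.113.22 DST=198.51.100.7 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=57 ID=31337 DF PROTO=TCP SPT=443 DPT=50211 WINDOW=501 RES=0x00 ACK URGP=0",
    "Dec  5 21:09:02 gw kernel: NEW TCP no SYN:IN=ppp0 OUT= MAC= SRC=203.0.113.22 DST=198.51.100.7 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=50212 WINDOW=65535 RES=0x00 ACK SYN URGP=0",
    # A line from some other LOG rule: carries no "NEW TCP no SYN:" prefix and is skipped.
    "Dec  5 21:09:03 gw kernel: DROP input:IN=ppp0 OUT= MAC= SRC=192.0.2.9 DST=198.51.100.7 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=0 PROTO=TCP SPT=6000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for combo, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{combo:10s} {n}")
```

Fed the real kern.log instead of the constructed sample, `summarize` shows whether the rule is catching bare RSTs, as in this bug's title, or something else, such as ACK-only segments from connections that predate a flush of the conntrack table; the two cases call for different fixes, and the LOG rule alone does not distinguish them.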