[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: REJECT rules with tcp-reset.

I don't know if the status has changed but last summer this was a hot spot
on one of the ipfillter lists.  It seams that no one(the expert
developers) want(s) tcp-reset, howerver BSD's netfilter can do this.  I at
the time was doing some reserch on this subject and found that there is no
database of how programs handel reject msgs.

A closed port dose cause a tcp-reset to be returned, so you could use
dnat.  I don't know if --reject-with BLAH will look EXACTLY like the
kernel generated equivelent, but since closed ports do rst filtered ports
will allways look filtered by nmap.

--- Egor Tur <worldeb@inet.ua> wrote:
> Hi folk.
> How can I correctly create rules with REJECT and tcp-reset.
> If I do
> iptables -A INPUT -i eth0 -p tcp --sport 1024: -d MY.IP --dport 113 -j
> --reject-with tcp-reset
> iptables -A OUTPUT -o eth0 -p tcp ! --syn --dport 1024: -s MY.IP --sport
> 113
> -j
> I wait long time when I try connect with ftp & mail services.
> If I try REJECT --reject-with icmp-port-unreachable
> this work quickly but slowly then I permit authentication.
> What can I do in order to use tcp-reset?
> May be using state rules?
> I use unstable iptables 1.2.9, kernel 2.4.24
> Thanx.
> --
> Çàðåãèñòðèðóéòå áåñïëàòíûé ïî÷òîâûé ÿùèê @inet.ua

Do you Yahoo!?
Yahoo! Mail SpamGuard - Read only the mail you want.

Reply to: