Hi, just the reject rule works for me. I don't need a rule on OUTPUT (even though my OUTPUT policy, as probably yours, is DROP). I don't bother with the --sport arg though, but I wouldn't expect that to cause you a problem.

Try your connection and check the rule counters (iptables -Lv) to make sure this rule is actually getting hit. Maybe you've made a mistake.

John.

On Fri, 2004-02-20 at 02:52, Egor Tur wrote:
> Hi folk.
> How can I correctly create rules with REJECT and tcp-reset?
> If I do
> iptables -A INPUT -i eth0 -p tcp --sport 1024: -d MY.IP --dport 113 -j REJECT --reject-with tcp-reset
> iptables -A OUTPUT -o eth0 -p tcp ! --syn --dport 1024: -s MY.IP --sport 113 -j ACCEPT
> I wait a long time when I try to connect to ftp & mail services.
> If I try REJECT --reject-with icmp-port-unreachable
> this works quickly but slowly then I permit authentication.
>
> What can I do in order to use tcp-reset?
> Maybe using state rules?
>
> I use unstable iptables 1.2.9, kernel 2.4.24

--
GPG: B89C D450 5B2C 74D8 58FB A360 9B06 B5C2 26F0 3047
WEB: http://www.johnleach.co.uk
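An added example, not part of either mail in the thread: it prints the single INPUT rule John describes (answering ident probes on 113/tcp with a TCP RST) rather than running it, and shows the counter check he suggests by summing the packet count of that rule from `iptables -L INPUT -v -n` output. The interface eth0 and the placeholder MY.IP are taken from Egor's mail; the counter listing is a constructed sample, not a real capture.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes interface eth0 and the
# placeholder address MY.IP, as in Egor's mail; substitute the real values.

MY_IP="${MY_IP:-MY.IP}"   # placeholder, replace with the host's address
IFACE="${IFACE:-eth0}"

# Print (do not run) the one rule John says is sufficient: answer ident
# (113/tcp) probes with a TCP RST instead of dropping them silently, so the
# remote ftp/mail server's ident lookup fails at once instead of waiting
# for a timeout before it lets the login proceed.
reset_rule() {
    printf 'iptables -A INPUT -i %s -p tcp -d %s --dport 113 -j REJECT --reject-with tcp-reset\n' \
        "$IFACE" "$MY_IP"
}

# Read `iptables -L INPUT -v -n` output on stdin and print the total packet
# counter of REJECT rules for dpt:113 that use tcp-reset. If this stays at
# zero while you retry the connection, the rule is not being matched and
# the slow logins are caused by something else.
reset_rule_hits() {
    awk '$3 == "REJECT" && /dpt:113/ && /reject-with tcp-reset/ { hits += $1 }
         END { print hits + 0 }'
}

# Constructed sample of `iptables -L INPUT -v -n` output (not a real capture).
SAMPLE_COUNTERS='Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
    7   420 REJECT     tcp  --  eth0   *       0.0.0.0/0            192.0.2.10           tcp dpt:113 reject-with tcp-reset
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            192.0.2.10           tcp dpt:22'

# Usage: sh this_script.sh demo   -> prints the rule, then the hit count (7)
# On a live box: iptables -L INPUT -v -n | sh -c '. ./this_script.sh; reset_rule_hits'
if [ "${1:-}" = "demo" ]; then
    reset_rule
    printf '%s\n' "$SAMPLE_COUNTERS" | reset_rule_hits
fi
```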