Re: iptables blocking eth0 .. why ?
On Fri, Jan 07, 2005 at 01:18:46PM +1300, Blair Strang wrote:
> | iptables -A BLOCKED_PACKETS -m state --state INVALID -j DROP
> | iptables -A BLOCKED_PACKETS -p tcp -m tcp --tcp-flags SYN,ACK \
> | SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
> | iptables -A BLOCKED_PACKETS -p tcp ! --syn -m state --state NEW \
> | -j DROP
> 3) INPUT/OUTPUT: All the rules which would allow established connections to
> proceed are commented out. No packets in state NEW will be accepted because
> there are no rules to allow them. So no-one should be able to connect to you,
> and you should not be able to establish any outbound connections. Except for
> those ICMP messages again.
The NEW SYN,ACK rule is most likely used to make sure netfilter will not
(re)establish sessions from intermediate packets belonging to an established
session. I think the "! --syn" rule has more or less the same function (besides
RST).
Greetings
Bernd
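As an added illustration, not part of the thread, here is a small Python model of the three quoted BLOCKED_PACKETS rules. It implements the `--tcp-flags MASK COMP` and `--syn` matching semantics and walks the chain in rule order over a handful of constructed sample packets, so the difference between the SYN,ACK rule and the `! --syn` rule can be seen directly. It is not netfilter code: the conntrack state (NEW, ESTABLISHED, INVALID) of each sample is supplied by hand rather than derived from a packet stream, and all packet names and values are constructed for this example.

```python
from dataclasses import dataclass

# TCP flag bits as they appear in the header's flags field
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flags(*names):
    """Combine TCP flag names into a single bitmask."""
    return sum(FLAGS[n] for n in names)


def tcp_flags_match(pkt_flags, mask, comp):
    """iptables --tcp-flags MASK COMP: among the bits in MASK, exactly the bits in COMP are set."""
    return (pkt_flags & mask) == comp


# --syn is documented shorthand for --tcp-flags SYN,RST,ACK,FIN SYN
SYN_INSPECT_MASK = flags("SYN", "RST", "ACK", "FIN")


def is_syn(pkt_flags):
    """True for a 'pure' connection-opening SYN (SYN set, RST/ACK/FIN clear)."""
    return tcp_flags_match(pkt_flags, SYN_INSPECT_MASK, flags("SYN"))


@dataclass
class Packet:
    proto: str   # "tcp", "udp", "icmp"
    flags: int   # TCP flags bitmask (0 for non-TCP)
    state: str   # conntrack state, supplied by hand here: NEW, ESTABLISHED, RELATED or INVALID


def blocked_packets(pkt):
    """Walk the quoted BLOCKED_PACKETS chain in order; return the verdict, or None on fall-through."""
    # iptables -A BLOCKED_PACKETS -m state --state INVALID -j DROP
    if pkt.state == "INVALID":
        return "DROP"
    # iptables -A BLOCKED_PACKETS -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK \
    #     -m state --state NEW -j REJECT --reject-with tcp-reset
    if (pkt.proto == "tcp"
            and tcp_flags_match(pkt.flags, flags("SYN", "ACK"), flags("SYN", "ACK"))
            and pkt.state == "NEW"):
        return "REJECT tcp-reset"
    # iptables -A BLOCKED_PACKETS -p tcp ! --syn -m state --state NEW -j DROP
    if pkt.proto == "tcp" and not is_syn(pkt.flags) and pkt.state == "NEW":
        return "DROP"
    return None  # no rule matched; processing continues after the chain


def classify_samples():
    """Constructed sample packets and the verdict each receives from the chain."""
    samples = {
        "fresh SYN, NEW":                       Packet("tcp", flags("SYN"), "NEW"),
        "SYN,ACK with no tracked SYN, NEW":     Packet("tcp", flags("SYN", "ACK"), "NEW"),
        "mid-stream ACK seen as NEW":           Packet("tcp", flags("ACK"), "NEW"),
        "ACK inside tracked session":           Packet("tcp", flags("ACK"), "ESTABLISHED"),
        "SYN,ACK reply inside tracked session": Packet("tcp", flags("SYN", "ACK"), "ESTABLISHED"),
        "SYN,FIN combination marked INVALID":   Packet("tcp", flags("SYN", "FIN"), "INVALID"),
        "UDP datagram, NEW":                    Packet("udp", 0, "NEW"),
    }
    return {name: blocked_packets(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:40s} -> {verdict or 'no match (falls through)'}")
```

Only the genuine opening SYN and the packets that conntrack already associates with a session pass the chain untouched; a SYN,ACK or bare ACK that conntrack classifies as NEW (for example because the original SYN was never seen) is rejected or dropped, which is the behaviour Bernd describes.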