Re: iptables blocking eth0 .. why ?
Bernd Eckenfels wrote:
| On Fri, Jan 07, 2005 at 01:18:46PM +1300, Blair Strang wrote:
|>| iptables -A BLOCKED_PACKETS -m state --state INVALID -j DROP
|>| iptables -A BLOCKED_PACKETS -p tcp -m tcp --tcp-flags SYN,ACK \
|>| SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
|>| iptables -A BLOCKED_PACKETS -p tcp ! --syn -m state --state NEW \
|>| -j DROP
| the NEW Syn,Ack is most likely used to make sure netfilter will not
| (re)establish sessions from intermediate packets belonging to an established
| session. I think the "! --syn" has more or less the same function (besides
I see what you mean! I found an explanation for these rules here:
It seems like the third rule does make sense. I incorrectly believed
that a NEW match for TCP always implied SYN. Learn something every day :)
A note on the second rule though: in order for this rule to work as intended,
it should come BEFORE the rule which drops INVALID packets.
A glance at ip_conntrack_proto_tcp.c (from 2.6.9) leads me to believe that any "new"
TCP SYN+ACK will be state INVALID. The RST (which the OP theoretically wants) will
never be sent because of the preceding rule.
But it means that if you reboot your firewall, all the TCP connections through
it must be re-established... whereas without it some of them might survive...
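A toy model, added here and not part of the thread, of the state that `-m state` sees for a TCP packet with no conntrack entry yet, walked through the three quoted BLOCKED_PACKETS rules in the order given, so the shadowing of the REJECT rule and the post-reboot pickup can be traced packet by packet. It assumes the thread's reading of ip_conntrack_proto_tcp.c (an unsolicited SYN+ACK is INVALID) and the ip_conntrack_tcp_loose behaviour (a non-SYN packet with no entry is NEW when loose pickup is on, INVALID when it is off); the rule names and packet samples are constructed.

```python
# Added example, not from the thread or the kernel source: a model of the
# TCP state "-m state" sees for a packet with no conntrack entry, plus the
# three quoted BLOCKED_PACKETS rules in their original order.
# Assumptions (from the thread, not verified against the kernel here):
#  - SYN+ACK with no entry is INVALID (2.6.9 ip_conntrack_proto_tcp.c)
#  - non-SYN packet with no entry is NEW when ip_conntrack_tcp_loose is on
#    (mid-stream pickup, e.g. after a firewall reboot), else INVALID

def conntrack_state(flags, has_entry, tcp_loose=True):
    """Return the state the '-m state' match sees (flags: set of flag names)."""
    if has_entry:
        return "ESTABLISHED"
    if flags == {"SYN"}:
        return "NEW"                      # normal handshake start
    if flags == {"SYN", "ACK"} or "RST" in flags:
        return "INVALID"                  # cannot open a tracked connection
    return "NEW" if tcp_loose else "INVALID"

# The three quoted rules, in the order the thread shows them. Each returns a
# verdict string when it matches, else None (packet falls to the next rule).
BLOCKED_PACKETS = [
    ("INVALID -> DROP",
     lambda flags, state: "DROP" if state == "INVALID" else None),
    ("SYN,ACK + NEW -> REJECT",
     lambda flags, state: "REJECT tcp-reset"
     if flags >= {"SYN", "ACK"} and state == "NEW" else None),
    ("! --syn + NEW -> DROP",
     lambda flags, state: "DROP"
     if "SYN" not in flags and state == "NEW" else None),
]

def walk_chain(flags, has_entry, tcp_loose=True, chain=BLOCKED_PACKETS):
    """First matching rule wins: (rule name, verdict) or (None, 'RETURN')."""
    flags = frozenset(flags)
    state = conntrack_state(flags, has_entry, tcp_loose)
    for name, rule in chain:
        verdict = rule(flags, state)
        if verdict is not None:
            return name, verdict
    return None, "RETURN"

if __name__ == "__main__":
    # Constructed packets: a fresh SYN, an unsolicited SYN+ACK, and a
    # mid-stream ACK whose entry is gone (conntrack table emptied by a reboot).
    samples = [("SYN", {"SYN"}), ("SYN+ACK", {"SYN", "ACK"}), ("ACK", {"ACK"})]
    for label, flags in samples:
        for loose in (True, False):
            print(f"{label:8} loose={loose!s:5}", walk_chain(flags, False, loose))
```

The SYN+ACK sample is caught by the INVALID rule, so the REJECT rule never produces its RST, and with loose pickup on the bare ACK is NEW and hits the `! --syn` rule, which is why in-flight connections do not survive a firewall reboot under this chain.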