Re: iptables blocking eth0 .. why ?
Bernd Eckenfels wrote:
| On Fri, Jan 07, 2005 at 01:18:46PM +1300, Blair Strang wrote:
|
|>| iptables -A BLOCKED_PACKETS -m state --state INVALID -j DROP
|>| iptables -A BLOCKED_PACKETS -p tcp -m tcp --tcp-flags SYN,ACK \
|>| SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
|>| iptables -A BLOCKED_PACKETS -p tcp ! --syn -m state --state NEW \
|>| -j DROP
|
| the NEW Syn,Ack is most likely used to make sure netfilter will not
| (re)establish sessions from intermediate packets belonging to an established
| session. I think the "! --syn" has more or less the same function (besides
| RST)
|
|
| Greetings
| Bernd
|
|
I see what you mean! I found an explanation for these rules here:
http://www.faqs.org/docs/iptables/newnotsyn.html
http://www.faqs.org/docs/iptables/synackandnew.html
It seems like the third rule does make sense[1]. I incorrectly believed
that a NEW match for TCP always implied SYN. Learn something every day :)
A note on the second rule though: in order for this rule to work as intended,
it should come BEFORE the rule which drops INVALID packets.
A glance at ip_conntrack_proto_tcp.c (from 2.6.9) leads me to believe that any "new"
TCP SYN+ACK will be state INVALID. The RST (which the OP theoretically wants) will
never be sent because of the preceding rule.
Thanks,
~ Blair.
[1] But it means that if you reboot your firewall, all the TCP connections through
it must be re-established.... whereas without it some of them might survive...
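The thread turns on two things: first-match traversal of the BLOCKED_PACKETS chain, and what conntrack reports for a SYN+ACK that has no connection entry (NEW on the older conntrack described by the faqs.org pages, INVALID in Blair's reading of 2.6.9). The following simulation is an added example and is not code from the thread; it models only chain traversal and the match options used in the quoted rules (`-m state --state`, `--tcp-flags`, `--syn`). The conntrack verdict is an input, not computed. The sample packets and the INVALID-keyed reject rule are constructed for comparison, and whether the REJECT target would actually emit a reset for such a packet is outside the model.

```python
"""First-match simulation of the quoted BLOCKED_PACKETS chain (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

F = frozenset


@dataclass(frozen=True)
class Packet:
    proto: str
    flags: FrozenSet[str]   # TCP flag names that are set
    ct_state: str           # conntrack verdict: NEW, ESTABLISHED, RELATED or INVALID


@dataclass(frozen=True)
class Rule:
    target: str
    proto: Optional[str] = None                   # -p tcp
    state: Optional[str] = None                   # -m state --state X
    flags_mask: Optional[FrozenSet[str]] = None   # --tcp-flags MASK COMP
    flags_comp: Optional[FrozenSet[str]] = None
    syn: Optional[bool] = None                    # True: --syn, False: ! --syn

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.state is not None and pkt.ct_state != self.state:
            return False
        if self.flags_mask is not None:
            # --tcp-flags MASK COMP: of the flags in MASK, exactly COMP must be set
            if (pkt.flags & self.flags_mask) != self.flags_comp:
                return False
        if self.syn is not None:
            # --syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN
            is_syn = (pkt.flags & F({"SYN", "RST", "ACK", "FIN"})) == F({"SYN"})
            if is_syn != self.syn:
                return False
        return True


def traverse(chain: List[Rule], pkt: Packet, fallthrough: str = "RETURN") -> str:
    """First matching rule wins; no match returns to the calling chain."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return fallthrough


# The three quoted rules.
DROP_INVALID = Rule("DROP", state="INVALID")
REJECT_NEW_SYNACK = Rule("REJECT tcp-reset", proto="tcp", state="NEW",
                         flags_mask=F({"SYN", "ACK"}), flags_comp=F({"SYN", "ACK"}))
DROP_NEW_NOT_SYN = Rule("DROP", proto="tcp", state="NEW", syn=False)
# Hypothetical variant for comparison: the same reject rule keyed on INVALID.
REJECT_INVALID_SYNACK = Rule("REJECT tcp-reset", proto="tcp", state="INVALID",
                             flags_mask=F({"SYN", "ACK"}), flags_comp=F({"SYN", "ACK"}))

ORIGINAL = [DROP_INVALID, REJECT_NEW_SYNACK, DROP_NEW_NOT_SYN]      # order as quoted
REORDERED = [REJECT_NEW_SYNACK, DROP_INVALID, DROP_NEW_NOT_SYN]     # reject before INVALID drop
INVALID_KEYED = [REJECT_INVALID_SYNACK, DROP_INVALID, DROP_NEW_NOT_SYN]

# Constructed sample packets, each carrying the conntrack verdict the thread discusses.
SAMPLES = {
    "synack_as_NEW": Packet("tcp", F({"SYN", "ACK"}), "NEW"),          # older conntrack
    "synack_as_INVALID": Packet("tcp", F({"SYN", "ACK"}), "INVALID"),  # 2.6.9 per Blair
    "midstream_ack_NEW": Packet("tcp", F({"ACK"}), "NEW"),             # flow surviving a reboot
    "plain_syn_NEW": Packet("tcp", F({"SYN"}), "NEW"),                 # ordinary new connection
}


def verdicts(chain: List[Rule]) -> dict:
    """Verdict of the chain for every sample packet."""
    return {name: traverse(chain, pkt) for name, pkt in SAMPLES.items()}


def differing(chain_a: List[Rule], chain_b: List[Rule]) -> List[str]:
    """Sample names whose verdict changes between two rule orderings."""
    va, vb = verdicts(chain_a), verdicts(chain_b)
    return [name for name in SAMPLES if va[name] != vb[name]]


if __name__ == "__main__":
    for label, chain in (("original", ORIGINAL), ("reordered", REORDERED),
                         ("invalid-keyed", INVALID_KEYED)):
        print(label, verdicts(chain))
    print("reordering changes:", differing(ORIGINAL, REORDERED))
```

Run as a script, the output shows that swapping the first two rules changes no verdict: a SYN+ACK that conntrack reports as INVALID hits `--state INVALID -j DROP` in both orderings because the reject rule's own `--state NEW` match never fires for it, while a SYN+ACK reported as NEW reaches the reset in both. On a real box the same check is a matter of watching the per-rule counters (`iptables -L BLOCKED_PACKETS -v -n`) while a stray SYN+ACK arrives.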