On Thu, Aug 02, 2007 at 10:49:51PM +0200, Ansgar -59cobalt- Wiechers wrote:
> On 2007-08-02 Franck Joncourt wrote:
> > -m state --state NEW --syn rather than --syn
>
> "--syn" is kinda redundant when using "--state NEW". ;)

You are wrong. Try to send a packet with the ACK flag set and the others cleared; therefore you will be able to match those packets with this rule:

iptables -A INPUT -p tcp -m state --state NEW \
    --tcp-flags SYN,FIN,RST,ACK ACK -j RETURN

http://iptables-tutorial.frozentux.net/iptables-tutorial.html#SYNACKANDNEW

I would like to give you a piece of code from iptables source code, but I have not found out the right place yet. But I am working on it. There are a lot of things to learn there :p!

-- 
Franck Joncourt
http://www.debian.org - http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
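The point Franck makes above is that "--state NEW" is decided by connection tracking (is this 4-tuple already tracked?), not by the SYN bit, so an ACK-only packet with no tracked connection is NEW yet does not match "--syn". The following is an added illustration, not code from the thread or from the iptables project: a small Python model of the "--tcp-flags MASK COMP" match, the "--syn" shorthand, and a toy connection tracker that mirrors the default loose pickup behaviour of Linux conntrack (the real kernel knob is net.netfilter.nf_conntrack_tcp_loose; the tracker, the packet flag values and the 4-tuples here are constructed for the example).

```python
# Added example (not part of the mailing-list thread): model how iptables
# evaluates "--tcp-flags MASK COMP" and how conntrack labels a packet NEW, to
# show why "--state NEW" alone also admits ACK-only packets.
from dataclasses import dataclass, field

# TCP flag bits as laid out in the flags byte of the TCP header.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flag_bits(names: str) -> int:
    """Turn a comma-separated flag list such as 'SYN,FIN,RST,ACK' into a bitmask."""
    if names == "ALL":
        return sum(FLAGS.values())
    if names == "NONE":
        return 0
    return sum(FLAGS[n] for n in names.split(","))


def tcp_flags_match(pkt_flags: int, mask: str, comp: str) -> bool:
    """Semantics of '--tcp-flags MASK COMP': among the bits named in MASK,
    exactly the bits named in COMP must be set in the packet."""
    return pkt_flags & flag_bits(mask) == flag_bits(comp)


def syn_match(pkt_flags: int) -> bool:
    """'--syn' is shorthand for '--tcp-flags SYN,RST,ACK,FIN SYN'."""
    return tcp_flags_match(pkt_flags, "SYN,RST,ACK,FIN", "SYN")


@dataclass
class Conntrack:
    """Toy connection tracker (constructed for this example): a packet whose
    4-tuple is not yet tracked is NEW regardless of its TCP flags, which is the
    behaviour the mail points at. A tracked tuple is reported ESTABLISHED."""
    table: set = field(default_factory=set)

    def state(self, tup) -> str:
        if tup in self.table:
            return "ESTABLISHED"
        self.table.add(tup)
        return "NEW"


def evaluate(pkt_flags: int, tup, ct: Conntrack):
    """Return (conntrack state, matches --syn, matches the rule from the mail)
    for one packet. The rule from the mail is:
    -p tcp -m state --state NEW --tcp-flags SYN,FIN,RST,ACK ACK"""
    st = ct.state(tup)
    ack_only_rule = st == "NEW" and tcp_flags_match(pkt_flags, "SYN,FIN,RST,ACK", "ACK")
    return st, syn_match(pkt_flags), ack_only_rule


def demo():
    """Three constructed packets: a normal SYN, a second packet on that same
    (now tracked) connection, and a stray ACK on a tuple never seen before."""
    ct = Conntrack()
    client = ("10.0.0.5", 40000, "10.0.0.1", 22)  # constructed 4-tuple
    other = ("10.0.0.9", 40001, "10.0.0.1", 22)   # constructed 4-tuple
    results = {}
    results["syn_only"] = evaluate(FLAGS["SYN"], client, ct)
    # Same tuple again: already tracked, so conntrack says ESTABLISHED.
    results["ack_established"] = evaluate(FLAGS["ACK"], client, ct)
    # ACK with no SYN ever seen on this tuple: conntrack still calls it NEW,
    # "--syn" does not match it, but the ACK-only rule from the mail does.
    results["ack_only_fresh"] = evaluate(FLAGS["ACK"], other, ct)
    return results


if __name__ == "__main__":
    for name, (state, is_syn, hits_rule) in demo().items():
        print(f"{name:16s} state={state:11s} --syn={is_syn!s:5s} ack-only-rule={hits_rule}")
```

The ack_only_fresh case is the one the thread is about: it is NEW to conntrack, so a rule written as "-m state --state NEW -j ACCEPT" without "--syn" would let it through, while "--syn" (or the explicit "--tcp-flags SYN,FIN,RST,ACK ACK" rule above, used to single such packets out) distinguishes it from a genuine connection start.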