[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: iptables reject with TCP RST

Hello,

On Mon, May 15, 2023 at 09:40:10AM +0800, Tom Reed wrote:
> Yes after each telnet from client host, the count was increased.
> 
>     0     0 REJECT     tcp  --  any    any     anywhere            
> anywhere             tcp dpt:imaps reject-with tcp-reset
>     0     0 REJECT     tcp  --  any    any     anywhere            
> anywhere             tcp dpt:imap2 reject-with tcp-reset
>    99  4620 REJECT     tcp  --  any    any     anywhere            
> anywhere             tcp dpt:submission reject-with tcp-reset

In that case, we must conclude that the TCP RST being sent back never
gets to your source host.

You can try a tcpdump at both ends that shows only RST packets:

# tcpdump -n -v "tcp[tcpflags] & (tcp-rst) != 0"

then when you do the telnet, do you see a packet with "Flags [R…]"
at both server side and client side?

You could also try --reject-with icmp-port-unreachable to see if
that behaves differently.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
Reply to: