Petr Pisar wrote: So I put in a log rule for --state INVALID and sure enough thats what it was.On 2006-12-14, jwlargent <jwlargent@vlsmaps.com> wrote:I was trying to debug some errors in my iptables setup so I added the following rules to my OUTPUT, just to see what packets were going out.iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT iptables -A OUTPUT -j ACCEPTWhen I do iptables -L OUTPUT -v it shows some packets are falling through to the last rule.Shouldn't the first rule catch all the packets?No. There exists forth state called INVALID. E.g. TCP packet with ACK witch is not part of any tracked TCP connection is INVALID. Naturally, INVALID packets are ill packets and they shoudn't appear, but the reality is different. -- Petr The packets are part of my ssh connection, tcp with ACK.IN= OUT=eth0 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=276 TOS=0x10 PREC=0x00 TTL=64 ID=1146 DF PROTO=TCP SPT=22 DPT=38858 WINDOW=3228 RES=0x00 ACK PSH URGP=0 |
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| ||
| Previous by Date: | Re: Allowing hosts to bypass transparent proxy (squid+netfilter) to port 80 for a specific netmask, Andrew Beverley |
|---|---|
| Next by Date: | Re: Allowing hosts to bypass transparent proxy (squid+netfilter) to port 80 for a specific netmask, Bernardo Vieira |
| Previous by Thread: | Re: Shouldn't this rule catch all packets, Petr Pisar |
| Next by Thread: | Allowing hosts to bypass transparent proxy (squid+netfilter) to port 80 for a specific netmask, Bernardo Vieira |
| Indexes: | [Date] [Thread] [Top] [All Lists] |