From: Peter Volkov Alexandrovich <pvolkov@mics.msu.su>
To: John Lange <john.lange@open-it.ca>
Cc: netfilter <netfilter@lists.netfilter.org>
Subject: Re: Problems with OUTPUT rules ESTABLISHED,RELATED
Date: Tue, 02 Aug 2005 23:47:26 +0400
Message-ID: <1123012047.26053.8.camel@localhost>
In-Reply-To: <1123009163.12889.164.camel@ws50.darkcore.net>
Hi.
On Tue, 2005-08-02 at 13:59 -0500, John Lange wrote:
> The problem is, quite a few packets are being dropped which I don't
> think should be.
>
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
>
> iptables -A INPUT -p tcp --syn --dport 80 -j ACCEPT
>
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> With the above rules why does the following get blocked?
>
> -----
> Aug 2 13:04:47 HOST kernel: IN= OUT=eth0 SRC=XXX.XXX.XXX.XXX
> DST=XXX.XXX.XXX.XXX LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=11945 DF
> PROTO=TCP SPT=80 DPT=48473 WINDOW=1805 RES=0x00 ACK URGP=0 UID=501
> -----
>
> This appears to be the return ACK of the initial SYN. Shouldn't that be
> permitted under the above rules?
No. IIUC your connection is in state NEW while it has not seen packets
in both directions (man iptables). After the SYN packet has reached your
host, a SYN,ACK packet should be sent to the client. At this moment your
connection is in state NEW, and your rules forbid OUTPUT packets in
state NEW. Thus the packet is dropped.
Peter.
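The logged line John quoted is in the standard netfilter LOG format: `KEY=VALUE` tokens plus bare tokens for IP/TCP flags (`DF`, `SYN`, `ACK`, ...), with an empty `IN=` meaning the packet was generated locally (OUTPUT path) and an empty `OUT=` meaning it was addressed to the host (INPUT path). Below is an added example, not part of this thread, that parses such a line with POSIX shell tools so that a dropped packet can be mapped back to the chain and rule that dropped it. The two sample lines are constructed; the addresses are documentation ranges standing in for the `XXX.XXX.XXX.XXX` in the original, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: extract fields from netfilter LOG lines (not code from the thread).

# Constructed sample: the dropped outbound packet from the quoted report,
# with documentation addresses in place of XXX.XXX.XXX.XXX.
SAMPLE_LOG='Aug 2 13:04:47 HOST kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=11945 DF PROTO=TCP SPT=80 DPT=48473 WINDOW=1805 RES=0x00 ACK URGP=0 UID=501'

# Constructed sample: the client's inbound SYN that the "--syn --dport 80" rule accepts.
SAMPLE_SYN='Aug 2 13:04:47 HOST kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=48473 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0'

# nf_field LINE KEY -> value of the first KEY= token (empty if KEY= has no value).
nf_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# nf_tcp_flags LINE -> TCP flag tokens present in the line, in log order.
nf_tcp_flags() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | grep -E '^(SYN|ACK|FIN|RST|PSH|URG|ECE|CWR)$' \
        | tr '\n' ' ' | sed 's/ $//'
}

# nf_has_flag LINE FLAG -> exit 0 if FLAG is set on the packet.
nf_has_flag() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx "$2"
}

# nf_direction LINE -> the filter chain family the packet traversed, inferred
# from IN=/OUT=: no IN means locally generated (OUTPUT), no OUT means local
# delivery (INPUT), both set means routed through the host (FORWARD).
nf_direction() {
    nf_in=$(nf_field "$1" IN)
    nf_out=$(nf_field "$1" OUT)
    if [ -z "$nf_in" ] && [ -n "$nf_out" ]; then
        echo OUTPUT
    elif [ -n "$nf_in" ] && [ -z "$nf_out" ]; then
        echo INPUT
    elif [ -n "$nf_in" ] && [ -n "$nf_out" ]; then
        echo FORWARD
    else
        echo UNKNOWN
    fi
}

# nf_summary LINE -> "DIRECTION PROTO SRC:SPT->DST:DPT [FLAGS]"
nf_summary() {
    printf '%s %s %s:%s->%s:%s [%s]\n' \
        "$(nf_direction "$1")" "$(nf_field "$1" PROTO)" \
        "$(nf_field "$1" SRC)" "$(nf_field "$1" SPT)" \
        "$(nf_field "$1" DST)" "$(nf_field "$1" DPT)" \
        "$(nf_tcp_flags "$1")"
}

# Stand-alone run: summarise both constructed samples.
nf_summary "$SAMPLE_SYN"
nf_summary "$SAMPLE_LOG"
```

Reading the summary for the dropped line (`OUTPUT TCP ...:80->...:48473 [ACK]`) tells you which chain's rules to inspect (OUTPUT, since `IN=` is empty) and which TCP flags the packet carried, which is exactly what is needed to check a dropped packet against a `-m state` ruleset like the one quoted above.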
Thread overview: 6+ messages
2005-08-02 18:59 Problems with OUTPUT rules ESTABLISHED,RELATED John Lange
2005-08-02 19:47 ` Peter Volkov Alexandrovich [this message]
2005-08-02 20:58 ` John Lange
2005-08-03 5:08 ` Peter Volkov Alexandrovich
2005-08-03 9:15 ` Jörg Harmuth
2005-08-03 16:34 ` John Lange