From: Andrew Beverley <andy@andybev.com>
To: Sam Gandhi <samgandhi9@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: SYN, ACK, ACK PSH packets getting dropped (?)
Date: Sun, 10 Jul 2011 22:22:42 +0100
Message-ID: <1310332962.2603.12.camel@andybev>
In-Reply-To: <CAOdLEarz-mG6wKMnirJi07xJfW=5A3AZUAV+cwKdbs99K=+p-w@mail.gmail.com>

On Fri, 2011-07-08 at 14:42 -0700, Sam Gandhi wrote:
> Hello,
>
> I am trying to configure a small industrial device that has one ethernet
> interface ("internal") and another WLAN interface.
>
> I have attached below the shell function I am using to configure the iptables
> rule below. I have included a rule $IPT -A OUTPUT -j LOG
> --log-prefix "OU " at the bottom to log any packets that fall through
> the OUTPUT chain and log them. And I see the following output, should I be
> worried about this?

I suspect that they are packets related to NFS, in which case the answer
is yes, once you start dropping them.

> How do I go about fixing this? If anyone wants, please do provide any
> suggestions on improving this iptable rule
> further. Basically what I want to do is accept DNS, NTP, COPS traffic
> over wlan0 interface and also allow NFS booting device over eth0.

NFS is a complicated protocol, and I personally have never been able to
get it properly filtered by iptables. So, unless you are paranoid about
your users on the internal network, I would just accept all INPUT
packets on eth0, and concentrate your filtering on the WLAN interface
(presumably the public-facing side?)

You might also want to check this out to help with NFS:

http://www.cyberciti.biz/faq/centos-fedora-rhel-iptables-open-nfs-server-ports/

Andy
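
The layout suggested in this reply, as an added example that is not part of the message or of the original poster's script: a shell function that emits an iptables-restore ruleset trusting eth0 and filtering statefully on wlan0. It assumes the device is a client of DNS, NTP and COPS, that COPS runs on its registered TCP port 3288, and the "IN " log prefix is chosen here.

```shell
#!/bin/sh
# Added example. Assumptions: eth0 is the trusted internal/NFS side,
# wlan0 is the exposed side, and the device only *initiates* DNS, NTP
# and COPS (TCP 3288) sessions over wlan0.

INT_IF="eth0"
EXT_IF="wlan0"

# Emit one rule permitting NEW outbound connections on the WLAN side.
allow_out() {  # $1 = protocol, $2 = destination port
    printf '%s\n' "-A OUTPUT -o $EXT_IF -p $1 --dport $2 -m conntrack --ctstate NEW -j ACCEPT"
}

# Print the whole ruleset in iptables-restore format (nothing is applied).
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i $INT_IF -j ACCEPT
-A OUTPUT -o $INT_IF -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # eth0 is accepted wholesale above, so NFS needs no per-port rules.
    # Replies (SYN/ACK, ACK, PSH) to the sessions opened below match the
    # ESTABLISHED rule; no NEW inbound traffic is accepted on wlan0.
    allow_out udp 53     # DNS
    allow_out tcp 53     # DNS over TCP (large answers)
    allow_out udp 123    # NTP
    allow_out tcp 3288   # COPS
    cat <<EOF
-A INPUT -j LOG --log-prefix "IN "
-A OUTPUT -j LOG --log-prefix "OU "
COMMIT
EOF
}
```

To check the syntax without loading anything, pipe the output through `iptables-restore --test` as root: `gen_ruleset | iptables-restore --test`.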