It seems to me the PSH flag makes iptables drop the packet. But should
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
not take care of all response packets?
Amazingly, all connections seem to work well. But I'd like to have a completely proper packet filter. So, could anyone here wave the clue stick in my general direction?
The PSH bit definitely doesn't cause netfilter to drop packets unless you tell it to. In fact, were that the case, you couldn't use it to firewall Winblows machines, since the MS stack sets the PSH bit on (just about) all TCP segments by default, apparently. It could very well be that Linux exhibits the same behaviour.

If that's your rule 12 up there (or rather, a mimic of rule 12 with an ACCEPT instead of a LOG target), then it could be that the session has been dropped from the connection table, i.e. conntrack has seen the FIN/ACK handshake, or perhaps enough of it to purge the corresponding table entry, and that the remote host has then sent another packet. You'd need a (more or less) full session dump to verify that.

Cya
Tobias
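Tobias's suggestion is to check whether the packets hitting the LOG rule belong to sessions that conntrack has already forgotten. The script below is an added example, not code from the original thread: it parses iptables LOG lines of the kind the original poster's rule 12 would produce and sorts each logged TCP packet by the flags it carries, so that ACK/PSH/FIN segments with no SYN (a late segment of a closed or expired session, which can never match --state ESTABLISHED because conntrack has no entry for it) stand out from genuine new-connection attempts. The sample log lines are constructed for this example using RFC 5737 documentation addresses; the field layout (PROTO=, SPT=, DPT=, bare flag words such as ACK PSH) is the standard iptables LOG format, and the verdict labels are the example's own.

```python
"""Triage iptables LOG lines: which dropped TCP packets are late segments
of sessions conntrack no longer tracks, and which are new connection attempts?
Added example for the thread above; not code from the original poster or Tobias."""

# Bare flag words that the iptables LOG target prints for TCP packets.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

# Constructed sample log lines (RFC 5737 addresses), not a real capture.
SAMPLE_LOG = """\
Mar 12 10:01:03 gw kernel: DROPPED: IN=eth0 OUT= MAC=... SRC=203.0.113.7 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=41021 DF PROTO=TCP SPT=443 DPT=51234 WINDOW=501 RES=0x00 ACK PSH URGP=0
Mar 12 10:01:05 gw kernel: DROPPED: IN=eth0 OUT= MAC=... SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=8 DF PROTO=TCP SPT=40122 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 12 10:01:07 gw kernel: DROPPED: IN=eth0 OUT= MAC=... SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=41022 DF PROTO=TCP SPT=443 DPT=51234 WINDOW=501 RES=0x00 ACK FIN URGP=0
Mar 12 10:01:09 gw kernel: DROPPED: IN=eth0 OUT= MAC=... SRC=192.0.2.77 DST=192.0.2.10 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=68 DPT=67 LEN=308
"""


def parse_log_line(line):
    """Turn one iptables LOG line into {FIELD: value, ..., 'flags': set}.

    KEY=VALUE tokens become fields (a repeated key such as the second LEN= of a
    UDP line overwrites the first); bare TCP flag words go into 'flags'.
    Returns None when the line carries no PROTO= field, i.e. is not a LOG line.
    """
    rec = {"flags": set()}
    for tok in line.split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            rec[key] = value
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
    return rec if "PROTO" in rec else None


def classify(rec):
    """Verdict labels used by this example (not netfilter terminology):
    non-tcp, new-syn, syn-ack, reset, late-segment."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    flags = rec["flags"]
    if "SYN" in flags and "ACK" not in flags:
        # A fresh connection attempt: never ESTABLISHED, must be matched by
        # an explicit accept rule or it falls through to LOG/DROP as intended.
        return "new-syn"
    if "SYN" in flags:
        # SYN/ACK for a SYN conntrack never saw (asymmetric routing, table flushed).
        return "syn-ack"
    if "RST" in flags:
        return "reset"
    # ACK, PSH or FIN without SYN: data or close for a session conntrack has
    # no entry for any more. This is the case Tobias describes; PSH itself
    # is irrelevant, it only marks the segment as carrying pushed data.
    return "late-segment"


def triage(log_text):
    """Return a list of (summary, verdict) pairs, one per LOG line."""
    results = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        summary = "{} {}:{} -> {}:{} {}".format(
            rec["PROTO"], rec["SRC"], rec.get("SPT", "-"),
            rec["DST"], rec.get("DPT", "-"),
            " ".join(sorted(rec["flags"])),
        ).rstrip()
        results.append((summary, classify(rec)))
    return results


if __name__ == "__main__":
    for summary, verdict in triage(SAMPLE_LOG):
        print("{:13s} {}".format(verdict, summary))
```

Feed it the kernel log instead of SAMPLE_LOG (for instance `dmesg | grep DROPPED:`) and the late-segment entries are the candidates for Tobias's explanation; to confirm one, compare its timestamp with the session dump he asks for, or check with `conntrack -L` (conntrack-tools) whether an entry for that 4-tuple still exists at the time the packet arrives.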
Participants (1): Reckhard, Tobias