On Saturday 06 October 2001 21:27, Philipp Snizek wrote:
Hi all,
This is part of my iptables -L -n -v. Please note that tcp packets are not rejected but dropped by the reject rule. But counters say they're rejected. This is the rule I use:

    iptables -A INPUT -p 6 -s 0/0 --sport 1024: -d xxx.xxx.xx.xx --dport 25 -i $waneth -j REJECT --reject-with tcp-reset
     pkts bytes target  prot opt in   out  source  destination
        3   144 LOG     all  --  eth1 *    0/0     0/0           LOG flags 0 level 4 prefix `INPUT: '
        3   144 REJECT  tcp  --  eth1 *    0/0     xxx.xxx.xx.xx tcp spts:1024:65535 dpt:25 reject-with tcp-reset
        0     0 DROP    all  --  eth1 *    0/0     0/0
As you can see the drop rule doesn't count any packets. But packets are dropped. Please see iptraf below:

    212.254.101.100:23822  =  3  144  S---  eth1
    xxx.xxx.xx.xx:25       =  0    0  ----  eth1

If working with tcp-reset I'd rather expect something like this:

    212.254.101.100:23824  =  1   48  S---   eth1
    xxx.xxx.xx.xx:25       =  1   40  RESET  eth1
Do you have any OUTPUT rules that prevent the reset packets from leaving your box? Maybe you have to allow them by an explicit rule like this:

    iptables -t filter -A OUTPUT -o eth1 -s x.x.x.x --sport 25 -p tcp --tcp-flags SYN,FIN,RST RST -j ACCEPT

Andreas Baetz
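The following is an added example, not code from either poster: a small first-match packet-filter evaluator with iptables semantics, used to replay the two points of the thread. It shows why the INPUT counters look the way Philipp lists them (LOG is non-terminating and falls through, REJECT terminates traversal, so the DROP rule after it never counts), and why the reset can still fail to appear in iptraf: the RST that REJECT --reject-with tcp-reset produces is a new packet built by the kernel, and that packet goes out through the OUTPUT chain, where a DROP policy without an explicit rule swallows it. It also carries the caveat that the kernel answers a SYN with RST+ACK, so Andreas's rule works because the SYN,FIN,RST mask ignores ACK, while a stricter `--tcp-flags ALL RST` would not match. All rules, packets and addresses are constructed for the example; 192.0.2.10 stands in for the masked xxx.xxx.xx.xx address, and the function and class names are the example's own.

```python
"""Added example (not from the thread): tiny iptables-style first-match
evaluator that replays the INPUT counters and the OUTPUT fate of the
kernel-generated RST. Everything here is constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flag_bits(names: str) -> int:
    """'SYN,FIN,RST' -> bitmask; ALL and NONE as --tcp-flags accepts them."""
    if names == "ALL":
        return sum(FLAGS.values())
    if names == "NONE":
        return 0
    return sum(FLAGS[n] for n in names.split(","))


@dataclass
class Packet:
    proto: str
    iface: str   # -i when evaluated in INPUT, -o when evaluated in OUTPUT
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = 0


@dataclass
class Rule:
    target: str
    proto: Optional[str] = None
    iface: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    sports: Optional[Tuple[int, int]] = None     # inclusive range; --sport 1024: is (1024, 65535)
    dports: Optional[Tuple[int, int]] = None
    tcp_flags: Optional[Tuple[int, int]] = None  # (MASK, COMP) as in --tcp-flags MASK COMP
    pkts: int = 0                                # the counter iptables -L -v prints

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.iface is not None and self.iface != p.iface:
            return False
        if self.src is not None and self.src != p.src:
            return False
        if self.dst is not None and self.dst != p.dst:
            return False
        if self.sports is not None and not self.sports[0] <= p.sport <= self.sports[1]:
            return False
        if self.dports is not None and not self.dports[0] <= p.dport <= self.dports[1]:
            return False
        if self.tcp_flags is not None:
            mask, comp = self.tcp_flags
            # Of the bits named in MASK exactly those in COMP must be set; bits
            # outside MASK (ACK here) are ignored. ALL RST would reject RST+ACK.
            if (p.flags & mask) != comp:
                return False
        return True


NON_TERMINATING = {"LOG"}  # LOG counts the packet and falls through to the next rule


@dataclass
class Chain:
    policy: str
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                r.pkts += 1
                if r.target in NON_TERMINATING:
                    continue
                return r.target          # first terminating match wins
        return self.policy

    def counters(self) -> List[Tuple[str, int]]:
        return [(r.target, r.pkts) for r in self.rules]


def kernel_reset_for(segment: Packet, out_iface: str) -> Packet:
    """RST the kernel emits for --reject-with tcp-reset: a fresh packet with
    addresses/ports swapped that leaves via OUTPUT. A SYN (no ACK) is
    answered with RST+ACK, a segment carrying ACK with a bare RST (RFC 793)."""
    flags = FLAGS["RST"] if segment.flags & FLAGS["ACK"] else FLAGS["RST"] | FLAGS["ACK"]
    return Packet("tcp", out_iface, segment.dst, segment.dport, segment.src, segment.sport, flags)


def thread_input_chain(my_ip: str) -> Chain:
    """Philipp's INPUT chain as listed (constructed; my_ip replaces the masked address)."""
    return Chain("ACCEPT", [
        Rule("LOG", iface="eth1"),
        Rule("REJECT", proto="tcp", iface="eth1", dst=my_ip, sports=(1024, 65535), dports=(25, 25)),
        Rule("DROP", iface="eth1"),
    ])


def rst_accept_rule(my_ip: str) -> Rule:
    """Andreas's OUTPUT rule: -o eth1 -s my_ip --sport 25 -p tcp --tcp-flags SYN,FIN,RST RST -j ACCEPT"""
    return Rule("ACCEPT", proto="tcp", iface="eth1", src=my_ip, sports=(25, 25),
                tcp_flags=(flag_bits("SYN,FIN,RST"), flag_bits("RST")))


def simulate(syn: Packet, output_chain: Chain, n: int = 1) -> Tuple[str, List[Tuple[str, int]], bool]:
    """Send the same SYN n times through a fresh INPUT chain; for each REJECT run the
    kernel's RST through output_chain. Returns (last INPUT verdict, INPUT counters,
    whether every RST actually left the box)."""
    inp = thread_input_chain(syn.dst)
    verdict, rst_out = inp.policy, True
    for _ in range(n):
        verdict = inp.verdict(syn)
        if verdict != "REJECT":
            rst_out = False
            continue
        rst_out = rst_out and output_chain.verdict(kernel_reset_for(syn, syn.iface)) == "ACCEPT"
    return verdict, inp.counters(), rst_out


# Constructed client SYN matching the iptraf line in the thread.
CLIENT_SYN = Packet("tcp", "eth1", "212.254.101.100", 23822, "192.0.2.10", 25, FLAGS["SYN"])
OUTPUT_WEAK = Chain("DROP")                                    # policy DROP, nothing lets the RST out
OUTPUT_FIXED = Chain("DROP", [rst_accept_rule("192.0.2.10")])  # the explicit rule from the reply
OUTPUT_TOO_STRICT = Chain("DROP", [Rule("ACCEPT", proto="tcp", iface="eth1", sports=(25, 25),
                                        tcp_flags=(flag_bits("ALL"), flag_bits("RST")))])

if __name__ == "__main__":
    for name, chain in [("weak", OUTPUT_WEAK), ("fixed", OUTPUT_FIXED), ("ALL RST", OUTPUT_TOO_STRICT)]:
        print(name, simulate(CLIENT_SYN, chain, 3))
```

Running it with three SYNs reproduces the listing's 3/3/0 counters in every case; only the "fixed" chain reports the reset as leaving the box. On a real host the equivalent check is to watch the wire (`tcpdump -ni eth1 'tcp port 25 and tcp[tcpflags] & tcp-rst != 0'`) and to confirm the OUTPUT rule's own counter increments.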