On Mon, May 06, 2002 at 09:42:27AM +1000, Peter Kiem wrote:
> I recently converted a couple of systems from IPChains to IPTables.
> Everything seems to be working very well except I am noticing packets like
> this being rejected:
>
> May 4 14:03:44 ljh-server kernel: EXT-FW IN=ppp0 OUT= MAC= SRC=64.4.49.78
> DST=144.137.139.238 LEN=82 TOS=0x00 PREC=0x00 TTL=242 ID=38012 DF PROTO=TCP
> SPT=25 DPT=4106 WINDOW=33182 RES=0x00 ACK PSH FIN URGP=0
>
> They look like reply packets coming back in but being rejected. I also
> notice the same thing with SPT=80 connections too.
>
> My EXT-FW chain looks like this:
> iptables -F EXT-FW
> iptables -A EXT-FW -i ! ppp+ -j EXTFWDROP
> iptables -A EXT-FW -p tcp --destination-port ssh -j ACCEPT
> iptables -A EXT-FW -p udp --destination-port ssh -j ACCEPT
> iptables -A EXT-FW -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A EXT-FW -j ICMP
> iptables -A EXT-FW -j EXTFWDROP
>
> So why isn't the --state ESTABLISHED,RELATED -j ACCEPT rule allowing these
> packets in?
My guess is a timeout situation. There has to be some such limit to be considered a legit packet (i.e. you don't want something 2 days later to be considered legit and waste resources waiting for stuff that might never come). IIRC, the default timeout is 60 seconds, and you can increase this in one of the netfilter/kernel headers.

I get this from my ISP's mail and news servers, and had to set explicit rules to allow all specific host:port traffic, or else get annoyed with the bogus log entries. iptables is just much more particular about what traffic it lets through.

PS -- This is just one likely possibility. You should try to verify it, before opening up host:ports willy nilly.

--
Hal Burgiss

_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
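As an added example (not from either poster), here is the LOG-target line format quoted above parsed and triaged in Python: it separates closing segments arriving from a service port (the ACK PSH FIN pattern Peter saw) from genuinely unsolicited SYNs, so the noisy entries can be counted before any host:port rule is opened, as Hal advises. The first sample line is the one from the thread; the other two are constructed for contrast.

```python
from collections import Counter
from typing import Dict, List, Set

# Three netfilter LOG-target lines: the first is the one quoted in the thread,
# the other two are constructed here for contrast (a fresh SYN and a bare ACK).
SAMPLE_LOG = """\
May 4 14:03:44 ljh-server kernel: EXT-FW IN=ppp0 OUT= MAC= SRC=64.4.49.78 DST=144.137.139.238 LEN=82 TOS=0x00 PREC=0x00 TTL=242 ID=38012 DF PROTO=TCP SPT=25 DPT=4106 WINDOW=33182 RES=0x00 ACK PSH FIN URGP=0
May 4 14:05:10 ljh-server kernel: EXT-FW IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=144.137.139.238 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=44021 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 4 14:06:01 ljh-server kernel: EXT-FW IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=144.137.139.238 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=777 DF PROTO=TCP SPT=80 DPT=3301 WINDOW=17520 RES=0x00 ACK URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_line(line: str) -> Dict[str, object]:
    # Tokens after 'kernel:' are either KEY=VALUE fields or bare flag words;
    # URGP=0 is a field, so it cannot be confused with the URG flag.
    _, _, body = line.partition("kernel: ")
    tokens = body.split()
    fields: Dict[str, str] = {}
    flags: Set[str] = set()
    for tok in tokens[1:]:  # tokens[0] is the rule's log prefix (EXT-FW)
        if "=" in tok:
            key, _, val = tok.partition("=")
            fields[key] = val
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return {"prefix": tokens[0], "fields": fields, "flags": flags}

def parse_log(text: str) -> List[Dict[str, object]]:
    return [parse_line(ln) for ln in text.splitlines() if "kernel:" in ln]

def classify(entry: Dict[str, object]) -> str:
    """Rough triage of why a dropped TCP packet missed the ESTABLISHED rule."""
    fields, flags = entry["fields"], entry["flags"]
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    sport, dport = int(fields["SPT"]), int(fields["DPT"])
    if "SYN" in flags and "ACK" not in flags:
        return "inbound-connection-attempt"  # nobody on this host asked for it
    from_service = sport < 1024 and dport >= 1024  # server port -> our ephemeral port
    if "ACK" in flags and from_service and flags & {"FIN", "RST"}:
        return "untracked-reply-tail"  # closing segment conntrack holds no state for
    if "ACK" in flags and from_service:
        return "untracked-reply"  # mid-stream segment after the state entry expired
    return "other"

def summarize(text: str) -> Dict[str, int]:
    return dict(Counter(classify(e) for e in parse_log(text)))
```

Run `summarize` over a day's worth of EXT-FW lines: a large "untracked-reply-tail" count with a tiny "inbound-connection-attempt" count supports the timeout explanation rather than anything that needs a new ACCEPT rule.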