I don't know if the status has changed, but last summer this was a hot topic on one of the ipfilter lists. It seems that no one (among the expert developers) wants tcp-reset; however, BSD's netfilter can do this. At the time I was doing some research on this subject and found that there is no database of how programs handle reject messages.

A closed port does cause a tcp-reset to be returned, so you could use DNAT. I don't know if --reject-with BLAH will look EXACTLY like the kernel-generated equivalent, but since closed ports do RST, filtered ports will always look filtered to nmap.

--- Egor Tur <[EMAIL PROTECTED]> wrote:
> Hi folk.
> How can I correctly create rules with REJECT and tcp-reset?
> If I do
> iptables -A INPUT -i eth0 -p tcp --sport 1024: -d MY.IP --dport 113 -j REJECT --reject-with tcp-reset
> iptables -A OUTPUT -o eth0 -p tcp ! --syn --dport 1024: -s MY.IP --sport 113 -j ACCEPT
> I wait a long time when I try to connect to ftp & mail services.
> If I try REJECT --reject-with icmp-port-unreachable
> this works quickly, but slower than when I permit authentication.
>
> What can I do in order to use tcp-reset?
> Maybe using state rules?
>
> I use unstable iptables 1.2.9, kernel 2.4.24
>
> Thanx.
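The reply above wonders whether a REJECT-generated tcp-reset looks exactly like the RST the kernel sends for a closed port. The following script is an added example, not code from the original thread or from the netfilter project: it models the RST a TCP stack is required to produce by RFC 793 section 3.4 ("Reset Generation") for a segment arriving at a closed port (a SYN to port 113, as in the question), so you have a reference to compare against a tcpdump capture of what `-j REJECT --reject-with tcp-reset` actually emits. The addresses and ports are constructed sample data; the functions `tcp_checksum`, `parse_tcp`, `build_tcp` and `reset_for` are this example's own names.

```python
"""Model the TCP RST a stack sends when a segment hits a closed port.

Added example, not from the original thread. Per RFC 793 section 3.4:
 - if the offending segment carries ACK, the RST has SEQ = SEG.ACK and
   no ACK flag;
 - otherwise the RST has SEQ = 0, ACK = SEG.SEQ + SEG.LEN and the ACK
   flag set (SYN and FIN each count as one byte of sequence space);
 - an incoming RST is never answered with a RST.
The real kernel RST may differ in fields the RFC leaves open (e.g. the
window); compare the fields checked here against a tcpdump capture of
what `iptables -j REJECT --reject-with tcp-reset` sends.
"""
import socket
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def tcp_checksum(src_ip, dst_ip, segment):
    """RFC 793 checksum over the IPv4 pseudo-header plus the TCP segment.
    Returns 0 when run over a segment whose checksum field is already filled in."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(segment)))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_tcp(segment):
    """Split a raw TCP segment (header + payload, no IP header) into fields."""
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    hlen = (off_flags >> 12) * 4
    return dict(sport=sport, dport=dport, seq=seq, ack=ack,
                flags=off_flags & 0x1FF, win=win, csum=csum,
                payload=segment[hlen:])


def build_tcp(sport, dport, seq, ack, flags, src_ip, dst_ip, win=0):
    """Build a 20-byte TCP header (no options, no payload) with a valid checksum."""
    off_flags = (5 << 12) | flags
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, win, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def reset_for(src_ip, dst_ip, segment):
    """Return the RST segment (dst -> src) that answers `segment` (src -> dst)
    arriving at a closed port, or None if the segment is itself a RST."""
    seg = parse_tcp(segment)
    if seg["flags"] & RST:
        return None
    seg_len = (len(seg["payload"])
               + bool(seg["flags"] & SYN) + bool(seg["flags"] & FIN))
    if seg["flags"] & ACK:
        rst_seq, rst_ack, rst_flags = seg["ack"], 0, RST
    else:
        rst_seq = 0
        rst_ack = (seg["seq"] + seg_len) & 0xFFFFFFFF
        rst_flags = RST | ACK
    # The reply travels the other way, so source/destination swap.
    return build_tcp(seg["dport"], seg["sport"], rst_seq, rst_ack, rst_flags,
                     dst_ip, src_ip)


if __name__ == "__main__":
    # Constructed sample: a client SYN to the ident port (113), seq 1000.
    client, server = "10.0.0.2", "192.0.2.10"
    syn = build_tcp(40000, 113, 1000, 0, SYN, client, server, win=65535)
    rst = parse_tcp(reset_for(client, server, syn))
    print("RST: %d -> %d seq=%d ack=%d flags=0x%02x"
          % (rst["sport"], rst["dport"], rst["seq"], rst["ack"], rst["flags"]))
```

Capture the real thing with `tcpdump -nn -i eth0 'tcp port 113 and tcp[tcpflags] & tcp-rst != 0'` while a remote mail or ftp server probes ident; the expected reply to a SYN is a RST/ACK with seq 0 and ack equal to the SYN's sequence number plus one, which is what the script prints for its sample input.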

