I have been told that this is the intended behaviour of netfilter, but I still need to fix it, and I am wondering whether someone has a patch or can point me in the general direction of how to change the behaviour explained in this mail.
-----------------------------------------------------------------------------------
# Normal
#
[tommi@localhost tommi]$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 localhost ESMTP Sendmail 8.11.6/8.11.6; Fri, 12 Apr 2002 13:44:02 GMT
-----------------------------------------------------------------------------------
# More normal behaviour
#
[root@localhost root]# iptables -F
[root@localhost root]# iptables -A INPUT -p tcp --syn --dport 25 -j REJECT
[root@localhost root]# telnet localhost 25
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
-----------------------------------------------------------------------------------
# Now I'm gonna allow one mail per day to get delivered.
#
[root@localhost root]# iptables -I INPUT -p tcp --syn -m limit --limit '1/day' --limit-burst 1 --dport 25 -j ACCEPT
[root@localhost root]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 localhost ESMTP Sendmail 8.11.6/8.11.6; Fri, 12 Apr 2002 13:50:03 GMT
quit
221 2.0.0 localhost closing connection
Connection closed by foreign host.
[root@localhost root]# telnet localhost 25
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
-----------------------------------------------------------------------------------
# NOW FOR THE PUNCHLINE
# Please note that I'm adding a rule to allow TCP connections to port 53,
# BUT I'm doing a telnet connection to port 25. Now why does this rule
# open up another connection to port 25? (mysterious).
#
[root@localhost root]# iptables -I INPUT -p tcp --dport 53 -j ACCEPT
[root@localhost root]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 localhost ESMTP Sendmail 8.11.6/8.11.6; Fri, 12 Apr 2002 13:51:53 GMT
-----------------------------------------------------------------------------------
# Weird, here's the state of my tables:
[root@localhost root]# iptables -L -v -n
Chain INPUT (policy ACCEPT 927 packets, 97820 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
2 120 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 flags:0x16/0x02 limit: avg 1/day burst 1
15 900 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 flags:0x16/0x02 reject-with icmp-port-unreachable

- Tomas Edwardsson - Unix Support