Maciej Soltysiak wrote:
> Hi,
>
>>> A Solution:
>>> -----------
>>> As a temporary hack the following rule can be added as the second rule:
>>>
>>> iptables -A FORWARD -p tcp --tcp-flags ACK ACK -j DROP
>
> Well, I think everybody who gets to that point uses:
> iptables -A FORWARD -p tcp -m state --state NEW --syn -j ACCEPT
>
> type of rules. new + syn.
>
>>> However, this is not a solid solution and the code should be modified,
>>> as we see it, not to recognize ACK packets as being in the state NEW.
>
> I believe that state NEW says: a packet never seen before. A tuple that
> does not exist in the current tracked connections table.
So, what are the INVALID packets?

According to my poor knowledge of TCP, I was classifying the NEW packets as
the packets which were part of the first three-way handshake:

    SERVER (LISTENING)                 CLIENT (CONNECTING)
                        SYN       <-------------------
                        SYN + ACK ------------------->
                        ACK       <-------------------
                        3-Way TCP handshake

After this, I was assuming that we were in the ESTABLISHED state.

Regards
--
Emmanuel

Premature optimization is the root of all evil. -- Donald Knuth
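The point the two posters are circling (NEW means "tuple not in the tracking table", whatever the flags, so a lone ACK is NEW and only `--syn` keeps it out), as an added toy model. This is illustration code written for this page, not netfilter's conntrack code and not from either poster; the state names and the `conn_key`/`forward` helpers are my own simplification, and real conntrack has more states and timers.

```python
# Added example, not code from the thread or from netfilter: a toy model of
# the classification discussed above.  A packet whose tuple is not in the
# tracking table is NEW whatever its flags (so a lone ACK is NEW too); the
# "-m state --state NEW --syn" rule then admits only NEW packets that are a
# bare SYN, and the 3-way handshake moves the entry to ESTABLISHED.
SYN, ACK, FIN, RST = "SYN", "ACK", "FIN", "RST"


def conn_key(src, dst):
    """Direction-independent key for a (src, dst) endpoint pair (assumed model)."""
    return tuple(sorted((src, dst)))


def is_bare_syn(flags):
    """What iptables --syn matches: SYN set, ACK/FIN/RST clear."""
    return SYN in flags and not flags & {ACK, FIN, RST}


def classify(table, src, dst):
    """State as described in the thread: NEW = tuple never seen before."""
    return "NEW" if conn_key(src, dst) not in table else "ESTABLISHED"


def track(table, src, dst, flags):
    """Simplified handshake tracking (real conntrack has more states)."""
    k = conn_key(src, dst)
    state = table.get(k)
    if state is None and is_bare_syn(flags):
        table[k] = "SYN_SENT"
    elif state == "SYN_SENT" and flags == {SYN, ACK}:
        table[k] = "SYN_RECV"
    elif state == "SYN_RECV" and flags == {ACK}:
        table[k] = "ESTABLISHED"


def forward(table, src, dst, flags):
    """Verdict of a FORWARD chain built from the rules quoted in the thread:
    1) -m state --state NEW --syn -j ACCEPT
    2) -m state --state ESTABLISHED -j ACCEPT
    default policy: DROP
    """
    if classify(table, src, dst) == "NEW" and not is_bare_syn(flags):
        return "DROP"          # e.g. a stray ACK: NEW, but not --syn
    track(table, src, dst, flags)
    return "ACCEPT"


def run_handshake(table, client, server):
    """Replay the 3-way handshake from the diagram; return the three verdicts."""
    return [forward(table, client, server, {SYN}),
            forward(table, server, client, {SYN, ACK}),
            forward(table, client, server, {ACK})]
```

Endpoints are any comparable pairs such as `("10.0.0.1", 4321)`; after `run_handshake` the table entry reads ESTABLISHED, while a lone ACK sent before any SYN is classified NEW and dropped without creating an entry.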