I am not sure if this matter has been discussed previously... If that's true, please, point me to the place where the answer is...
I am using netfilter on a screening router, and I detected that FIN+ACK packets coming from web sites are blocked by the firewall.

For the moment, I am using a configuration to allow "flat" access from my internal network, allowing responses from external sites, with these iptables rules:

    iptables -A FORWARD -v -i $IFINT -s $IPINT -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -v -i $IFEXT -s $IPANY -m state --state ESTABLISHED -j ACCEPT

(I think variables are "self explained"...)

According to the "IPTables connection tracking" document, the closure proceeds in this way:

    Client                    Server
    .........
    FIN+ACK --->
                    <--- ACK
                    <--- FIN+ACK
    ACK     --->

It seems status "ESTABLISHED" is finished with the first "FIN+ACK" packet sent by the client, and then the last "FIN+ACK" packet, coming from the Server, is rejected by the firewall rules.

Am I correct? If the answer is "yes", is there any way (or fix) to solve that? And if I am wrong, please, tell me...

Thank you very much. Best regards.

Antonio.
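Added illustration (not code from the post or from netfilter): a small Python model of how the conntrack TCP state machine walks the close sequence above, and which of the two FORWARD rules each packet would hit. The FIN/ACK transitions are a simplified subset of the kernel's tcp_conntracks table as I read it; interface names, direction labels and the omission of the -s address matches are my assumptions.

```python
"""Walk the four-way close through conntrack's TCP states and the poster's
two FORWARD rules. Added example; the transition subset below covers only the
FIN/ACK rows of the kernel's tcp_conntracks table (simplified), and the
source-address (-s) matches of the rules are ignored."""

# Conntrack TCP states reached during an orderly close (kernel names).
ES, FW, CW, LA, TW = "ESTABLISHED", "FIN_WAIT", "CLOSE_WAIT", "LAST_ACK", "TIME_WAIT"

# (current state, direction, flag) -> next state. "orig" = the direction that
# opened the connection (client -> server), "reply" = the way back.
TRANSITIONS = {
    (ES, "orig", "FIN"): FW,    # client sends FIN+ACK
    (FW, "reply", "ACK"): CW,   # server acknowledges it
    (CW, "reply", "FIN"): LA,   # server sends its own FIN+ACK
    (LA, "orig", "ACK"): TW,    # client acknowledges, entry lingers in TIME_WAIT
}

def ctstate(seen_reply):
    """The --state match looks at the conntrack entry, not the TCP state:
    once a reply has been seen, the entry is ESTABLISHED in both directions."""
    return "ESTABLISHED" if seen_reply else "NEW"

def forward_verdict(iface, state):
    """The poster's two FORWARD rules, in order; None means nothing matched."""
    if iface == "IFINT" and state in ("NEW", "ESTABLISHED"):
        return "ACCEPT (rule 1)"
    if iface == "IFEXT" and state == "ESTABLISHED":
        return "ACCEPT (rule 2)"
    return None

def trace_close(packets, tcp_state=ES, seen_reply=True):
    """Return [(flag, direction, ctstate, verdict, tcp state after the packet)]
    for each packet of the close, starting from a fully established flow."""
    out = []
    for direction, flag in packets:
        iface = "IFINT" if direction == "orig" else "IFEXT"   # assumed names
        state = ctstate(seen_reply)
        verdict = forward_verdict(iface, state)
        tcp_state = TRANSITIONS[(tcp_state, direction, flag)]
        out.append((flag, direction, state, verdict, tcp_state))
    return out

# Constructed input: the exact sequence from the post. FIN+ACK is modelled as
# FIN, since every segment after the handshake carries ACK anyway.
CLOSE = [("orig", "FIN"), ("reply", "ACK"), ("reply", "FIN"), ("orig", "ACK")]

if __name__ == "__main__":
    for row in trace_close(CLOSE):
        print("%-3s %-5s ctstate=%-11s %-15s -> conntrack %s" % row)
```

Running it shows every packet of the close, including the server's FIN+ACK, still carrying ctstate ESTABLISHED and matching the second rule; only the tracked TCP state (FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT) changes.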