I am not sure if this matter has been discussed previously... If that's
true, please point me to the place where the answer is...

I am using netfilter on a screening router, and I detected that FIN+ACK
packets coming from web sites are blocked by the firewall.
For the moment, I am using a configuration to allow "flat" access from my
internal network, allowing responses from external sites, with these
iptables rules:

iptables -A FORWARD -v -i $IFINT -s $IPINT -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -v -i $IFEXT -s $IPANY -m state --state ESTABLISHED -j ACCEPT

(I think the variables are "self-explanatory"...)

According to the "IPTables connection tracking" document, the closure proceeds
in this way:

       Client                    Server
                        .........
   FIN+ACK   --->
                        <---        ACK
                        <---     FIN+ACK
         ACK      --->

It seems status "ESTABLISHED" is finished with the first "FIN+ACK" packet
sent by the client, and then the last "FIN+ACK" packet, coming from the Server,
is rejected by the firewall rules. Am I correct? If the answer is "yes", is
there any way (or fix) to solve that?
And if I am wrong, please tell me... Thank you very much.

Best regards. Antonio.
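Added here as an illustration (not part of the original post or of netfilter itself): a small Python model of how netfilter's TCP connection tracking would classify the closure sequence quoted above for the -m state match, run through the two FORWARD rules from the post. The state table is a simplified reconstruction of nf_conntrack_proto_tcp.c from memory, and the default DROP policy is assumed.

```python
# Added example: simplified model of netfilter TCP conntrack, reconstructed from memory
# of nf_conntrack_proto_tcp.c (an approximation, not the kernel's code).
ORIG, REPLY = "original", "reply"
STATES = ["NONE", "SYN_SENT", "SYN_RECV", "ESTABLISHED", "FIN_WAIT",
          "CLOSE_WAIT", "LAST_ACK", "TIME_WAIT", "CLOSE"]
# Next TCP conntrack state per (direction, segment kind), in STATES order; "IG" keeps
# the state, "IV" marks the segment INVALID. Conntrack treats FIN+ACK as a FIN.
TRANSITIONS = {
    (ORIG, "SYN"):     ["SYN_SENT", "SYN_SENT", "IG", "IG", "IG", "IG", "IG", "SYN_SENT", "SYN_SENT"],
    (ORIG, "FIN"):     ["IV", "IV", "FIN_WAIT", "FIN_WAIT", "LAST_ACK", "LAST_ACK", "LAST_ACK", "TIME_WAIT", "CLOSE"],
    (ORIG, "ACK"):     ["ESTABLISHED", "IV", "ESTABLISHED", "ESTABLISHED", "CLOSE_WAIT", "CLOSE_WAIT", "TIME_WAIT", "TIME_WAIT", "CLOSE"],
    (REPLY, "SYNACK"): ["IV", "SYN_RECV", "IG", "IG", "IG", "IG", "IG", "IG", "IG"],
    (REPLY, "FIN"):    ["IV", "IV", "FIN_WAIT", "FIN_WAIT", "LAST_ACK", "LAST_ACK", "LAST_ACK", "TIME_WAIT", "CLOSE"],
    (REPLY, "ACK"):    ["IV", "IG", "SYN_RECV", "ESTABLISHED", "CLOSE_WAIT", "CLOSE_WAIT", "TIME_WAIT", "TIME_WAIT", "CLOSE"],
}

class Conntrack:
    def __init__(self):
        self.state, self.seen_reply = None, False   # None: no entry exists yet

    def classify(self, direction, kind):
        """Return the -m state keyword for one segment and advance the TCP state."""
        nxt = TRANSITIONS[(direction, kind)][STATES.index(self.state or "NONE")]
        if nxt == "IV":
            return "INVALID"                 # invalid segments leave the state untouched
        if direction == REPLY:               # a reply-direction segment is ESTABLISHED and
            self.seen_reply = True           # makes later original-direction ones so too
        if nxt != "IG":
            self.state = nxt
        return "ESTABLISHED" if self.seen_reply else "NEW"

def filter_verdict(direction, match):
    """The post's two FORWARD rules, with an assumed default DROP policy."""
    if direction == ORIG and match in ("NEW", "ESTABLISHED"):
        return "ACCEPT"                      # -i $IFINT ... --state NEW,ESTABLISHED
    if direction == REPLY and match == "ESTABLISHED":
        return "ACCEPT"                      # -i $IFEXT ... --state ESTABLISHED
    return "DROP"

def trace(segments):
    """Run (direction, kind) segments through conntrack and the rules, one row each."""
    ct, rows = Conntrack(), []
    for direction, kind in segments:
        match = ct.classify(direction, kind)
        rows.append((direction, kind, match, ct.state, filter_verdict(direction, match)))
    return rows

# Constructed sample: the handshake, then the closure sequence quoted in the post.
HTTP_SESSION = [(ORIG, "SYN"), (REPLY, "SYNACK"), (ORIG, "ACK"),
                (ORIG, "FIN"), (REPLY, "ACK"), (REPLY, "FIN"), (ORIG, "ACK")]
```

Calling trace(HTTP_SESSION) gives one row per segment with the state-match keyword, the conntrack TCP state afterwards and the verdict; in this model the server's FIN+ACK arrives while the entry is in CLOSE_WAIT and is still classified ESTABLISHED by the state match.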
