I've been using this same 'new not syn' rule for a long time and have had
absolutely no problems with it. I've also found SEVERAL connections being
blocked by it. Anyway, it's completely safe to drop connections that do not
have the SYN and are recognized as NEW, as they really don't make sense.
I got replies from lots of people saying these packets are generated by
problematic TCP/IP implementations ( MS?? ), and I shouldn't care about
dropping them.
The only change I made was disabling this rule's logging. They are just
silently dropped.
As you sent only 1 single rule about 'new not syn', I'm supposing you
just have this rule related to this problem. In this case, you should notice
you're not dropping them, just logging. iptables is somehow different from
ipchains. You must log them in one line and drop them in the other. So, your
rules should look like:
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix \
"IPTABLES NEW not SYN: "
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
If you already have this second rule, forget my comment about it .....
Anyway, you should have sent it to the list too :)
Anyway, just for reference, some extra information about 'new not syn'
can be found at:
http://www.boingworld.com/workshops/linux/iptables-tutorial/iptables-tutorial/iptables-tutorial.html#AEN2800
Sincerely,
Leonardo Rodrigues
----- Original Message -----
From: "Martin Pavlas" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, March 25, 2002 12:54 PM
Subject: NEW not SYN
> Hi,
>
> I use kernel version 2.4.17 and 2.4.18 (Debian 2.2) and I have this rule
> in my IPtables settings:
>
> iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG \
> --log-prefix "IPTABLES NEW not SYN: "
>
> I think that every NEW tcp connection must have the syn flag set, so I put
> these rules there. I was surprised how often I see in the log file
> something like this:
>
> Mar 20 16:25:38 odin kernel: IPTABLES NEW not SYN: IN=eth0 OUT=
> MAC=00:01:02:a5:17:2c:00:60:3e:81:66:c9:08:00
> SRC=SOMEIP DST=MYIP LEN=80 TOS=0x10 PREC=0x00 TTL=60 ID=12256 DF
> PROTO=TCP SPT=1412 DPT=21
> WINDOW=32120 RES=0x00 ACK PSH URGP=0
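Added example (not from either mail): a small parser for the kernel LOG lines the 'NEW not SYN' rule produces, in the field layout quoted above, so repeated hits from the same source and port can be counted instead of read one by one. The log lines, addresses and the `summarize` helper are constructed for illustration.

```python
"""Parse iptables LOG output from a 'NEW not SYN' rule and count hits.

Added example, not code from the original thread. The sample log lines below
are constructed; their field layout follows the kernel LOG target output
quoted in the mail (KEY=VALUE tokens, bare option tokens such as DF, and bare
TCP flag names such as ACK PSH).
"""
from collections import Counter

# Flag names the LOG target prints as bare tokens when the bit is set.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}
PREFIX = "IPTABLES NEW not SYN: "

# Constructed sample: two hits from one host on port 21, plus an unrelated line.
SAMPLE_LOG = [
    "Mar 20 16:25:38 odin kernel: IPTABLES NEW not SYN: IN=eth0 OUT= "
    "MAC=00:01:02:a5:17:2c:00:60:3e:81:66:c9:08:00 SRC=192.0.2.10 "
    "DST=198.51.100.5 LEN=80 TOS=0x10 PREC=0x00 TTL=60 ID=12256 DF PROTO=TCP "
    "SPT=1412 DPT=21 WINDOW=32120 RES=0x00 ACK PSH URGP=0",
    "Mar 20 16:25:40 odin kernel: IPTABLES NEW not SYN: IN=eth0 OUT= "
    "MAC=00:01:02:a5:17:2c:00:60:3e:81:66:c9:08:00 SRC=192.0.2.10 "
    "DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=12257 DF PROTO=TCP "
    "SPT=1412 DPT=21 WINDOW=32120 RES=0x00 ACK URGP=0",
    "Mar 20 16:26:01 odin sshd[123]: Accepted publickey for alice",
]


def parse_log_line(line):
    """Return a dict of KEY=VALUE fields plus a 'FLAGS' set, or None if the
    line does not carry the rule's log prefix."""
    if PREFIX not in line:
        return None
    fields, flags = {}, set()
    for tok in line.split(PREFIX, 1)[1].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value          # OUT= yields an empty string
        elif tok in TCP_FLAGS:
            flags.add(tok)
        else:
            fields[tok] = True           # bare options such as DF
    fields["FLAGS"] = flags
    return fields


def summarize(lines):
    """Count logged segments per (SRC, DPT). Segments without SYN that still
    hit state NEW are what the rule catches, typically stragglers of a
    connection conntrack has already forgotten, so counting them per source
    shows whether it is one chatty host or something spread out."""
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec and rec.get("PROTO") == "TCP" and "SYN" not in rec["FLAGS"]:
            counts[(rec["SRC"], rec["DPT"])] += 1
    return counts
```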