> Does anyone have a good solution to catch the third (ACK) packet
> in a tcp connection setup?

# iptables -A INPUT -p tcp --tcp-flags ACK ACK -m recent --rcheck --seconds 60 -j LOG --log-prefix "3rd is ack: "
# iptables -A INPUT -p tcp -m state --state NEW --syn -m recent --set -j LOG --log-prefix "1st is syn: "

Wouldn't it work? First SYN packet triggers the recent module in the second rule. Second (your) syn/ack goes on your OUTPUT. Third ACK triggers the first rule.

I am not using recent, and I just made that up from the description. But it seems reasonable. Or does it?

Regards,
Maciej
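
Added example, not part of the original post: a simplified Python model of the two rules above, run over a constructed inbound packet trace. It goes beyond the three-packet handshake to show which later packets the ACK rule also logs; the one-timestamp-per-source "recent" table and the `new` flag standing in for conntrack state NEW are assumptions of the model.

```python
# Simplified model of the two INPUT rules; not iptables itself.
# Assumptions: "recent" keeps one last-seen timestamp per source address,
# --rcheck does not refresh it, and LOG is non-terminating so both rules run.
from collections import namedtuple

Packet = namedtuple("Packet", "t src flags new")  # new = conntrack state NEW

WINDOW = 60  # --seconds 60


def run_rules(packets):
    recent = {}  # source address -> time of last --set
    log = []
    for p in packets:
        # Rule 1: --tcp-flags ACK ACK -m recent --rcheck --seconds 60
        if "ACK" in p.flags and p.src in recent and p.t - recent[p.src] <= WINDOW:
            log.append((p.t, "3rd is ack: "))
        # Rule 2: -m state --state NEW --syn -m recent --set
        # --syn means SYN set with ACK, RST and FIN clear.
        if p.new and "SYN" in p.flags and not (p.flags & {"ACK", "RST", "FIN"}):
            recent[p.src] = p.t
            log.append((p.t, "1st is syn: "))
    return log


# Constructed inbound trace (the SYN/ACK reply leaves via OUTPUT, so it is absent).
TRACE = [
    Packet(0.00, "192.0.2.10", frozenset({"SYN"}), True),          # handshake 1
    Packet(0.02, "192.0.2.10", frozenset({"ACK"}), False),         # handshake 3
    Packet(0.50, "192.0.2.10", frozenset({"ACK", "PSH"}), False),  # data segment
    Packet(5.00, "198.51.100.7", frozenset({"ACK"}), False),       # source never sent SYN
    Packet(61.0, "192.0.2.10", frozenset({"ACK"}), False),         # outside the window
]

if __name__ == "__main__":
    for t, prefix in run_rules(TRACE):
        print(f"{t:6.2f}s  {prefix}")
```

In this model the data segment at 0.50s gets the same "3rd is ack: " prefix as the handshake ACK, because the first rule matches any ACK from a listed source for 60 seconds after its SYN.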
