On Tue, 5 Apr 2005, Howard Lowndes wrote:
> I've just upgraded a box (hardware & software) from RH 7.1 with an early
> 2.4.x kernel to FC3 with the latest 2.6.x kernel, but most of the config
> files I have brought over from the old box including the iptables rules
> sets, and it's these that are giving me grief.
>
> The box acts as a gateway filter/router/NAT box.
>
> Specifically the problem relates to a workstation behind the firewall
> trying to establish a tcp connection out onto the I'net.
>
> The relevant iptable is one that ACCEPTs all TCP packets that are state
> ESTABLISHED,RELATED. Something like:
> iptables -A chain_name -p TCP -m state --state ESTABLISHED,RELATED \
> -j ACCEPT
Shouldn't this be
iptables -A chain_name -m state --state ESTABLISHED,RELATED \
-j ACCEPT
I.e. no mention of '-p TCP' (which should be '-p tcp' anyway, i.e. lower
case). I guess ESTABLISHED pretty much only applies to TCP but I could be
wrong (GRE?)
>
> The SYN packet goes out fine, the SYN ACK packet comes back fine and the
> bare ACK packet goes out fine, so the connection gets established.
>
> When I look in /proc/.../ip_conntrack I can see the connection defined
> as ESTABLISHED.
>
> The client next sends out a PSH ACK packet with a data payload and the
> I'net sends back a bare ACK packet, which gets matched by the iptables rule.
>
> The I'net then sends a PSH ACK packet with data payload, but this does
> not get accepted by the iptables rule and consequently drops through until
> it gets REJECTed further down.
>
> Needless to say this push and shove goes on for a few minutes until
> everything times out.
>
> Why would an iptables rule that is defined to ACCEPT TCP packets state
> ESTABLISHED,RELATED do so when there is no data payload, but fail when
> there is a data payload?
>
> Is there something in sysctl in the 2.6.x kernel that needs to be set
> and was not in the 2.4.x kernel?
>
>
--
---<GRiP>---
** ROOM FOR RENT $120pw (neg) near Newington Shops 525/401 buses **
Electronic Hobbyist, Former Arcadia BBS nut, Occasional nudist,
Linux Guru, SLUG President, AUUG and Linux Australia member, Sydney
Flashmobber, Tenpin Bowler, BMX rider, Walker, Raver & rave music
lover, Big kid that refuses to grow up. I'd make a good family pet,
take me home today!
Some people actually read these things it seems.
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
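An added example (not code from either poster): a minimal stateful gateway rule set in iptables-restore format with the ESTABLISHED,RELATED rule written the way the reply suggests, without "-p TCP", plus a LOG rule for INVALID packets ahead of the final REJECT so the defender can see whether conntrack is classifying the "lost" data segments as INVALID. Interface names and the LAN range are assumptions; the check function runs offline without root.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a minimal stateful gateway rule
# set (iptables-restore format) with the ESTABLISHED,RELATED rule written the
# way the reply suggests: no "-p TCP", so it also covers conntrack-tracked
# UDP/ICMP replies and RELATED packets such as ICMP errors or FTP data.
# It also logs INVALID packets before the final REJECT, which shows whether a
# "lost" data segment was rejected because conntrack classified it INVALID.
# Interface names and the LAN range below are assumptions.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
-A FORWARD -m state --state INVALID -m limit --limit 5/min -j LOG --log-prefix "fw-invalid: "
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# Offline sanity check (no root needed): the stateful ACCEPT must precede the
# REJECT in FORWARD, and no state rule may be pinned to one protocol.
check_rules() {
    rules=$(gen_rules)
    acc=$(printf '%s\n' "$rules" | grep -n '^-A FORWARD -m state --state ESTABLISHED,RELATED' | cut -d: -f1)
    rej=$(printf '%s\n' "$rules" | grep -n '^-A FORWARD -j REJECT' | cut -d: -f1)
    [ -n "$acc" ] && [ -n "$rej" ] && [ "$acc" -lt "$rej" ] || return 1
    printf '%s\n' "$rules" | grep -q -- '-p [Tt][Cc][Pp] -m state' && return 1
    return 0
}

check_rules && echo "rule set OK; load with: gen_rules | iptables-restore"
```

If the "fw-invalid:" log line fires on the data segments the poster describes, conntrack is classifying them INVALID rather than ESTABLISHED; in 2.6 conntrack the sysctl net.ipv4.netfilter.ip_conntrack_tcp_be_liberal controls the strict TCP window tracking that produces that classification (that this is the cause in the poster's case is an assumption, not something the thread confirms).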