I am trying to filter out the Nimda virus with the following rule:

iptables -t filter -A INPUT -i $EXT_IFACE -p tcp -d $IP --dport http \
    -m string --string ".exe?/c+dir" -j REJECT --reject-with tcp-reset
My understanding is that when netfilter sees a packet matching ".exe?c+dir", it is supposed to send a packet back to the sender with the TCP RST bit set that will close the connection. When I try this in practice, the connection stays in an ESTABLISHED state for about 5 minutes before the connection is dropped. I was working with a friend of mine using tcpdump and it doesn't look like a RST packet is actually being sent out. Is this by design, or is my interpretation of the REJECT target wrong? Regards, Seann
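Added example, not part of Seann's post: it contrasts a per-packet substring check (the iptables string match inspects each packet on its own, without reassembling the TCP stream) with a check over the reassembled payload, using constructed request segments, to show that the signature above is missed when it straddles a segment boundary.

```python
# Added example (not from the original post). Compares a per-packet
# substring match, which is how the iptables string match behaves, with
# a match over the reassembled TCP payload. All sample data is constructed.

NIMDA_SIGNATURE = b".exe?/c+dir"  # the pattern from the iptables rule


def per_packet_match(segments, signature=NIMDA_SIGNATURE):
    """Indexes of segments that contain the whole signature by themselves.

    This mirrors a per-packet string match: a pattern split across two
    segments is not seen in either of them.
    """
    return [i for i, seg in enumerate(segments) if signature in seg]


def stream_match(segments, signature=NIMDA_SIGNATURE):
    """True if the signature appears in the reassembled byte stream."""
    return signature in b"".join(segments)


# Constructed sample 1: the request line arrives in a single segment.
WHOLE_REQUEST = [
    b"GET /some/path.exe?/c+dir HTTP/1.0\r\n",
    b"Host: example.invalid\r\n\r\n",
]

# Constructed sample 2: the same request, but the sender's TCP stack split
# it so that the signature crosses the segment boundary ("path.ex" | "e?/c+dir").
SPLIT_REQUEST = [
    b"GET /some/path.ex",
    b"e?/c+dir HTTP/1.0\r\nHost: example.invalid\r\n\r\n",
]


def summarize(segments):
    """Return (per_packet_hits, stream_hit) for a list of segments."""
    return per_packet_match(segments), stream_match(segments)


if __name__ == "__main__":
    for name, segs in (("whole", WHOLE_REQUEST), ("split", SPLIT_REQUEST)):
        hits, stream_hit = summarize(segs)
        print(f"{name}: per-packet hits={hits} stream hit={stream_hit}")
```

In practice this means a per-packet string rule catches the common single-segment request but offers no guarantee once the request is fragmented; host-based hardening and log review remain necessary.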
