Hi,

> I'm using this same 'new not syn' rule for a long time and had
> absolutely no problems with it. I've also found SEVERAL connections being
> blocked by it. Anyway, it's completely safe to drop connections that do not
> have the SYN and are recognized as NEW, as they really don't make sense.
>
> I got replies from lots of people saying these packets are generated by
> problematic TCP/IP implementations ( MS?? ), and I shouldn't care about
> dropping them.
I use iptables on 2 machines. One is quite used, especially as a web server.
I noticed this problem mainly with packets going to port 80. Most of the
connections are done from MS IE, so I suppose the problem is in a broken TCP/IP
implementation.

> The only change I did was disabling this rule's logging. They are just
> silently dropped.

Yes. At the beginning I used to just drop them, but then I noticed that these
are dropped quite often, so I started to log them to examine the problem. I
think I'll get rid of the logging rule now and just drop them.

> As you sent only 1 single rule about 'new not syn', I'm supposing you
> just have this rule related to this problem. In this case, you should notice
> you're not dropping them, just logging. iptables is somehow different from
> ipchains. You must log them in one line and drop them in the other. So, your
> rules should look:
>
> iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "IPTABLES NEW not SYN: "
> iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
>
> If you already have this second rule, forget my comment about it .....
> Anyway, you should have sent it to the list too :)

Yes, I have this rule there as well. Sorry, my fault. :-))

> Anyway, just for reference, some extra information about 'new not syn'
> can be found at:
> http://www.boingworld.com/workshops/linux/iptables-tutorial/iptables-tutorial/iptables-tutorial.html#AEN2800

Thanks, it's helpful.

--
Martin Pavlas
Pwrgeneration.net
ICC s.r.o.
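The two-rule LOG-then-DROP arrangement discussed in the quoted mail, as an added example that is not part of the original thread. It is a standalone script: the dedicated chain name NEWNOTSYN, the `-m limit` rate limit on the LOG rule, and the dry-run behaviour (commands are only printed unless APPLY=1 is set) are my assumptions, and the kernel log lines used by the summariser are constructed samples in the format the LOG target writes. Since LOG is a non-terminating target, the script keeps the DROP as a separate rule after it, exactly as the mail says.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumes iptables is on PATH and
# uses a dedicated chain named NEWNOTSYN (an assumption). Commands are only
# printed unless APPLY=1 is exported, so the script is safe to read and test.

IPT=${IPT:-iptables}
CHAIN=${CHAIN:-NEWNOTSYN}

run() {
  if [ "${APPLY:-0}" = "1" ]; then
    "$IPT" "$@"
  else
    # dry run: print the command; arguments with spaces are shown quoted so
    # the output can be pasted back into a shell
    printf '%s' "$IPT"
    for a in "$@"; do
      case $a in
        *' '*) printf " '%s'" "$a" ;;
        *)     printf ' %s' "$a" ;;
      esac
    done
    printf '\n'
  fi
}

# Rule pair from the mail: LOG does not terminate rule traversal in iptables,
# so the DROP has to be a second rule. The limit match keeps a burst of stale
# packets from filling the kernel log.
new_not_syn_rules() {
  run -N "$CHAIN"
  run -A "$CHAIN" -m limit --limit 3/minute --limit-burst 10 \
      -j LOG --log-prefix "IPTABLES NEW not SYN: "
  run -A "$CHAIN" -j DROP
  # every non-SYN TCP packet that conntrack classifies as NEW goes to the chain
  run -A INPUT -p tcp ! --syn -m state --state NEW -j "$CHAIN"
}

# Summarise kernel log lines written by the LOG rule: prints "SRC count",
# busiest source first, so a few broken stacks stand out from the noise.
# Reads the log on stdin.
summarize_new_not_syn() {
  grep 'IPTABLES NEW not SYN:' |
  sed -n 's/.*SRC=\([^ ]*\).*/\1/p' |
  sort | uniq -c | sort -rn |
  awk '{ print $2, $1 }'
}

# Constructed sample log lines (RFC 5737 documentation addresses), in the
# layout the LOG target produces; the last line is unrelated noise.
SAMPLE_LOG='Jan  1 10:00:01 host kernel: IPTABLES NEW not SYN: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=118 ID=1 DF PROTO=TCP SPT=3512 DPT=80 WINDOW=0 RES=0x00 ACK FIN URGP=0
Jan  1 10:00:02 host kernel: IPTABLES NEW not SYN: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=3513 DPT=80 ACK URGP=0
Jan  1 10:00:03 host kernel: IPTABLES NEW not SYN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=41000 DPT=80 ACK RST URGP=0
Jan  1 10:00:04 host kernel: something unrelated'

# Show the rules (dry run by default) and the summary of the sample log.
new_not_syn_rules
printf '%s\n' "$SAMPLE_LOG" | summarize_new_not_syn
```

Run it as-is to see the rule set and the per-source summary; `APPLY=1 ./script.sh` installs the chain. Once logging has answered the question of where the packets come from, dropping the LOG rule (as the poster intends) leaves the chain with the DROP alone.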
