From: Nick Khamis
To: gentoo-user@lists.gentoo.org
Date: Tue, 21 May 2013 12:09:21 -0400
Subject: Re: [gentoo-user] Re: [gentoo-user] IPTables - Going Stateless
In-Reply-To: <1369150221.166497859@f200.mail.ru>
References: <1369150221.166497859@f200.mail.ru>
List-Id: Gentoo Linux mail
Content-Type: text/plain; charset=ISO-8859-1

>> Looks like the packet never gets to the tcp chain. What is --syn?

It seems that way!!!! I am not sure what --syn is actually. But even if I comment it out it does not work.

Also, for testing I changed the SSH rule to allow bidirectional traffic until this is fixed:

-A TCP -p tcp -m tcp --dport 22 -j ACCEPT

As mentioned before, everything works as expected until I try to close up the ports not included in the TCP and UDP chains:

#echo -e " - Dropping input TCP and UDP traffic to closed ports"
-A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
-A INPUT -i $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable

#echo -e " - Dropping output TCP and UDP traffic to closed ports"
-A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
-A OUTPUT -o $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable

#echo -e " - Dropping input traffic to remaining protocols sent to closed ports"
-A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

#echo -e " - Dropping output traffic to remaining protocols sent to closed ports"
-A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

Thanks in Advance,
Nick.
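As an added example that is not part of the thread: a small Python simulator of iptables first-match chain traversal, with constructed rulesets and packets (the orderings are hypothetical, not Nick's full script). It shows two ways the catch-all REJECT rules above can swallow SSH traffic in a stateless setup (the jump to the TCP chain listed after them, and sshd's outgoing replies having no OUTPUT rule of their own) and what --syn does, which iptables defines as matching only TCP packets with SYN set and ACK, RST and FIN clear.

```python
from collections import namedtuple
from typing import Dict, List, Optional

# Packet: syn=True models what iptables --syn matches (SYN set, ACK/RST/FIN clear).
Pkt = namedtuple("Pkt", "proto sport dport syn", defaults=(False,))
# Rule: target is ACCEPT, REJECT or a user chain name; None = no match on that field.
Rule = namedtuple("Rule", "target proto dport sport syn", defaults=(None,) * 4)

def matches(r: Rule, p: Pkt) -> bool:
    return all(getattr(r, f) in (None, getattr(p, f)) for f in ("proto", "dport", "sport", "syn"))

def verdict(chains: Dict[str, List[Rule]], chain: str, p: Pkt,
            policy: Optional[str] = "DROP") -> Optional[str]:
    """First matching rule wins; a user chain that matches nothing RETURNs (None)."""
    for r in chains[chain]:
        if not matches(r, p):
            continue
        if r.target in chains:                       # -j <user chain>
            v = verdict(chains, r.target, p, policy=None)
            if v is not None:
                return v
            continue                                 # RETURN: keep walking this chain
        return r.target
    return policy

# Constructed rulesets (hypothetical orderings, not the poster's full script).
TCP_CHAIN = [Rule("ACCEPT", proto="tcp", dport=22)]          # the sshd rule from the mail
CATCH_ALL = [Rule("REJECT", proto="tcp"), Rule("REJECT", proto="udp"), Rule("REJECT")]

def jump_after_rejects() -> Dict[str, List[Rule]]:
    # Catch-all REJECTs ahead of the jump: nothing ever reaches the TCP chain.
    return {"TCP": TCP_CHAIN, "INPUT": CATCH_ALL + [Rule("TCP", proto="tcp")],
            "OUTPUT": list(CATCH_ALL)}

def jump_before_rejects() -> Dict[str, List[Rule]]:
    # Jump first; with no conntrack, OUTPUT also needs a rule for sshd's replies.
    return {"TCP": TCP_CHAIN, "INPUT": [Rule("TCP", proto="tcp")] + CATCH_ALL,
            "OUTPUT": [Rule("ACCEPT", proto="tcp", sport=22)] + CATCH_ALL}

def syn_only_sshd_rule() -> Dict[str, List[Rule]]:
    # --syn on the sshd rule: only the connection request matches; later packets
    # of the same session (SYN clear) fall through to the catch-all REJECTs.
    return dict(jump_before_rejects(), TCP=[Rule("ACCEPT", proto="tcp", dport=22, syn=True)])

SSH_SYN = Pkt("tcp", 40000, 22, syn=True)   # constructed: client's connection request
SSH_DATA = Pkt("tcp", 40000, 22)            # constructed: later packet of that session
SSH_REPLY = Pkt("tcp", 22, 40000)           # constructed: sshd's reply leaving the box
```

Run `verdict(rs, "INPUT", SSH_SYN)` and `verdict(rs, "OUTPUT", SSH_REPLY)` against each ruleset to compare the outcomes.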