> On 2007-08-02 Franck Joncourt wrote:
> > -m state --state NEW --syn rather than --syn
>
> "--syn" is kinda redundant when using "--state NEW". ;)
>
You are wrong. Try to send a packet with the ACK flag set and the
others cleared; you will then be able to match those packets with
this rule:
iptables -A INPUT -p tcp -m state --state NEW \
--tcp-flags SYN,FIN,RST,ACK ACK -j RETURN
http://iptables-tutorial.frozentux.net/iptables-tutorial.html#SYNACKANDNEW
I would like to give you a piece of code from the iptables source code, but I
have not found out the right place yet. But I am working on it.
There are a lot of things to learn there :p!
--
Franck Joncourt
http://www.debian.org - http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
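The point of the message above, modelled as an added example (this is not code from the thread, from Franck, or from the netfilter project): a small Python model of the `--tcp-flags mask comp` match, of `--syn` as its shorthand, and of how conntrack classifies a TCP packet that belongs to no tracked connection. The conntrack part is a deliberate simplification: it assumes the original direction only, and it assumes the kernel default `nf_conntrack_tcp_loose=1`, under which a bare ACK for an unknown flow is picked up mid-stream and counted as NEW (set it to 0 and the same packet becomes INVALID). The addresses, ports and chains are constructed for the demonstration.

```python
"""Model of why `-m state --state NEW` alone matches a bare ACK packet.

Simplified model, not a port of netfilter: one direction, no timeouts, no RELATED.
"""
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

# TCP flag bits, named as iptables accepts them in --tcp-flags
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flag_bits(names: str) -> int:
    """Turn an iptables flag list such as 'SYN,FIN,RST,ACK' into a bitmask."""
    if names == "NONE":
        return 0
    if names == "ALL":
        return sum(FLAGS.values())
    return sum(FLAGS[n] for n in names.split(","))


def tcp_flags_match(pkt_flags: int, mask: str, comp: str) -> bool:
    """`--tcp-flags mask comp`: of the bits named in mask, exactly those in comp are set."""
    return (pkt_flags & flag_bits(mask)) == flag_bits(comp)


def syn_match(pkt_flags: int) -> bool:
    """`--syn` is shorthand for `--tcp-flags SYN,RST,ACK,FIN SYN` (iptables(8))."""
    return tcp_flags_match(pkt_flags, "SYN,RST,ACK,FIN", "SYN")


@dataclass(frozen=True)
class Packet:
    saddr: str
    daddr: str
    sport: int
    dport: int
    flags: int


def conntrack_state(pkt: Packet, tracked: Set[tuple], tcp_loose: bool = True) -> str:
    """Simplified conntrack classification (original direction only, assumption).

    Tracked 4-tuple -> ESTABLISHED.  Unknown tuple: a plain SYN is NEW; a bare ACK
    (ACK set, SYN/FIN/RST clear) is NEW when nf_conntrack_tcp_loose=1 (the kernel
    default, mid-stream pickup) and INVALID when it is 0; anything else is INVALID.
    """
    if (pkt.saddr, pkt.daddr, pkt.sport, pkt.dport) in tracked:
        return "ESTABLISHED"
    if tcp_flags_match(pkt.flags, "SYN,FIN,RST,ACK", "SYN"):
        return "NEW"
    if tcp_flags_match(pkt.flags, "SYN,FIN,RST,ACK", "ACK"):
        return "NEW" if tcp_loose else "INVALID"
    return "INVALID"


# A rule is (iptables-style description, match predicate over (packet, state), target)
Rule = Tuple[str, Callable[[Packet, str], bool], str]


def verdict(chain: List[Rule], pkt: Packet, tracked: Set[tuple],
            policy: str = "DROP", tcp_loose: bool = True) -> str:
    """Walk the chain top down like INPUT; the first matching rule decides."""
    state = conntrack_state(pkt, tracked, tcp_loose)
    for _desc, match, target in chain:
        if match(pkt, state):
            return target
    return policy


def thread_rule_matches(pkt: Packet, tracked: Set[tuple], tcp_loose: bool = True) -> bool:
    """The rule from the thread: `--state NEW --tcp-flags SYN,FIN,RST,ACK ACK`."""
    state = conntrack_state(pkt, tracked, tcp_loose)
    return state == "NEW" and tcp_flags_match(pkt.flags, "SYN,FIN,RST,ACK", "ACK")


def established(p: Packet, s: str) -> bool:
    return s == "ESTABLISHED"


# Weak chain: accepts everything conntrack calls NEW on port 22, bare ACKs included
WEAK_CHAIN: List[Rule] = [
    ("-m state --state ESTABLISHED -j ACCEPT", established, "ACCEPT"),
    ("-p tcp --dport 22 -m state --state NEW -j ACCEPT",
     lambda p, s: p.dport == 22 and s == "NEW", "ACCEPT"),
]

# Hardened chain: NEW without SYN is dropped first, so only real SYNs reach ACCEPT
HARDENED_CHAIN: List[Rule] = [
    ("-m state --state ESTABLISHED -j ACCEPT", established, "ACCEPT"),
    ("-p tcp -m state --state NEW ! --syn -j DROP",
     lambda p, s: s == "NEW" and not syn_match(p.flags), "DROP"),
    ("-p tcp --dport 22 -m state --state NEW --syn -j ACCEPT",
     lambda p, s: p.dport == 22 and s == "NEW" and syn_match(p.flags), "ACCEPT"),
]

# Constructed sample traffic (documentation addresses, not real hosts)
BARE_ACK = Packet("203.0.113.7", "192.0.2.10", 40000, 22, FLAGS["ACK"])
SYN = Packet("203.0.113.7", "192.0.2.10", 40001, 22, FLAGS["SYN"])
TRACKED = {("198.51.100.4", "192.0.2.10", 50000, 22)}
DATA_ACK = Packet("198.51.100.4", "192.0.2.10", 50000, 22, FLAGS["ACK"] | FLAGS["PSH"])

if __name__ == "__main__":
    for name, pkt, tracked in [("bare ACK", BARE_ACK, set()), ("SYN", SYN, set()),
                               ("data on tracked flow", DATA_ACK, TRACKED)]:
        print(f"{name:22} state={conntrack_state(pkt, tracked):12}"
              f" weak={verdict(WEAK_CHAIN, pkt, tracked):7}"
              f" hardened={verdict(HARDENED_CHAIN, pkt, tracked)}")
```

Run it and the bare ACK comes out as NEW and is accepted by the weak chain but dropped by the hardened one, while the SYN and the tracked data packet are accepted by both; that is exactly why `--syn` (or an explicit `--tcp-flags` match) is not redundant next to `--state NEW`. The `tcp_loose` parameter is there so you can see the dependency on the sysctl: with it off, the same bare ACK is INVALID and falls through to the chain policy.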