Re: REJECT rules with tcp-reset.
I don't know if the status has changed but last summer this was a hot spot
on one of the ipfillter lists. It seams that no one(the expert
developers) want(s) tcp-reset, howerver BSD's netfilter can do this. I at
the time was doing some reserch on this subject and found that there is no
database of how programs handel reject msgs.
A closed port dose cause a tcp-reset to be returned, so you could use
dnat. I don't know if --reject-with BLAH will look EXACTLY like the
kernel generated equivelent, but since closed ports do rst filtered ports
will allways look filtered by nmap.
--- Egor Tur <worldeb@inet.ua> wrote:
> Hi folk.
> How can I correctly create rules with REJECT and tcp-reset.
> If I do
> iptables -A INPUT -i eth0 -p tcp --sport 1024: -d MY.IP --dport 113 -j
> REJECT
> --reject-with tcp-reset
> iptables -A OUTPUT -o eth0 -p tcp ! --syn --dport 1024: -s MY.IP --sport
> 113
> -j
> ACCEPT
> I wait long time when I try connect with ftp & mail services.
> If I try REJECT --reject-with icmp-port-unreachable
> this work quickly but slowly then I permit authentication.
>
> What can I do in order to use tcp-reset?
> May be using state rules?
>
> I use unstable iptables 1.2.9, kernel 2.4.24
>
> Thanx.
> --
> Çàðåãèñòðèðóéòå áåñïëàòíûé ïî÷òîâûé ÿùèê @inet.ua
>
__________________________________
Do you Yahoo!?
Yahoo! Mail SpamGuard - Read only the mail you want.
http://antispam.yahoo.com/tools
Reply to: