On Thu, Aug 02, 2007 at 10:49:51PM +0200, Ansgar -59cobalt- Wiechers wrote:
> On 2007-08-02 Franck Joncourt wrote:
> > -m state --state NEW --syn rather than --syn
>
> "--syn" is kinda redundant when using "--state NEW". ;)
You are wrong. Try to send a packet with the ACK flag set and the
others cleared; you will then be able to match those packets with
this rule:
iptables -A INPUT -p tcp -m state --state NEW \
    --tcp-flags SYN,FIN,RST,ACK ACK -j RETURN
http://iptables-tutorial.frozentux.net/iptables-tutorial.html#SYNACKANDNEW
I would like to give you a piece of code from the iptables source code, but I
have not found the right place yet. But I am working on it.
There are a lot of things to learn there :p!
--
Franck Joncourt
http://www.debian.org - http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
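Worked example added here (not from the mail above or from the iptables sources): a Python model of the three matches under discussion, showing that a bare-ACK packet with no conntrack entry is classified NEW by "--state NEW", fails "--syn", and is caught by the "--tcp-flags SYN,FIN,RST,ACK ACK" rule. The packet values and the conntrack table are constructed for the example.

```python
# Added example (not from the mail or the iptables sources): a model of the
# iptables matches under discussion, to show that "--state NEW" alone also
# matches a bare ACK packet when conntrack has no entry for its flow, so
# "--syn" (or the mail's --tcp-flags rule) is not redundant. The packets and
# the conntrack table are constructed for the example.
from collections import namedtuple

FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "ACK": 0x10}
Packet = namedtuple("Packet", "src dst dport tcp_flags")  # constructed flow

def flags(*names):
    """TCP flag bitmask from flag names, e.g. flags("SYN", "ACK")."""
    return sum(FLAGS[n] for n in names)

def conntrack_state(pkt, table):
    """state match: no conntrack entry for the flow -> NEW, whatever the
    flags (loose TCP tracking, the default); otherwise ESTABLISHED."""
    return "ESTABLISHED" if (pkt.src, pkt.dst, pkt.dport) in table else "NEW"

def tcp_flags_match(pkt, mask, comp):
    """--tcp-flags MASK COMP: among the bits in MASK, exactly COMP are set."""
    return pkt.tcp_flags & mask == comp

def match_syn(pkt):
    """--syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN."""
    return tcp_flags_match(pkt, flags("SYN", "RST", "ACK", "FIN"), flags("SYN"))

def rule_state_new(pkt, table=frozenset()):
    """-m state --state NEW"""
    return conntrack_state(pkt, table) == "NEW"

def rule_state_new_syn(pkt, table=frozenset()):
    """-m state --state NEW --syn"""
    return rule_state_new(pkt, table) and match_syn(pkt)

def rule_ack_only_new(pkt, table=frozenset()):
    """-m state --state NEW --tcp-flags SYN,FIN,RST,ACK ACK (the mail's rule)"""
    mask, comp = flags("SYN", "FIN", "RST", "ACK"), flags("ACK")
    return rule_state_new(pkt, table) and tcp_flags_match(pkt, mask, comp)

if __name__ == "__main__":
    for name, fl in (("SYN", flags("SYN")), ("bare ACK", flags("ACK"))):
        p = Packet("192.0.2.10", "192.0.2.1", 22, fl)
        print(name, rule_state_new(p), rule_state_new_syn(p), rule_ack_only_new(p))
```

Run as a script it prints one line per packet; the bare ACK is NEW under the first rule but only the third rule singles it out, which is what the RETURN rule above relies on.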