REJECT with tcp reset does not work

Discussion in 'Linux Networking' started by Akop Pogosian, Nov 15, 2003.

  1. We're using RedHat Linux 7.3 with all recent updates and the standard
    kernel. I have structured my iptables rules so that they look like
    this, for example:

    ....
    iptables -A INPUT -d 0/0 -p tcp --dport 0:1023 -j local
    iptables -A INPUT -d 0/0 -p udp --dport 0:1023 -j local
    ....
    # A bunch of IP addresses or subnets
    iptables -A local -s xxx.xxx.xxx.xxx/32 -j ACCEPT
    iptables -A local -s xxx.xxx.xxx.xxx/32 -j ACCEPT
    iptables -A local -m limit -j LOG --log-prefix "netfilter: "
    iptables -A local -p tcp -j REJECT --reject-with tcp-reset
    iptables -A local -p udp -j REJECT --reject-with icmp-port-unreachable

    This works. However, when tcp connections are rejected, the machine
    does not send a TCP reset packet back to senders even though I have
    explicitly specified this action. According to tcpdump output, nothing
    gets sent back when a packet is denied. So, essentially, -j REJECT
    seems to be acting like -j DROP. In fact, I don't have a rule that
    says -j DROP anywhere in this script. Does anyone know why this is
    happening?


    -akop
     
    Akop Pogosian, Nov 15, 2003
    #1
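A small diagnostic that reads the kind of tcpdump output the poster relies on and flags SYNs that never received a RST back, which is exactly the "REJECT acting like DROP" symptom described above. This is an added example, not code from the thread; the capture lines are constructed and the simplified `tcpdump -n` line format is an assumption.

```python
import re
from collections import OrderedDict

# Simplified "tcpdump -n" line: timestamp, endpoints, TCP flags (assumed format).
LINE_RE = re.compile(
    r"^(?P<ts>\d+:\d+:\d+\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d

def check_resets(lines, host):
    """For every pure SYN sent to `host`, report whether `host` answered with a RST.

    Returns an ordered dict keyed by (src, sport, dport) -> True when a RST from
    host:dport back to src:sport appears later in the capture, else False.
    """
    pkts = [p for p in (parse(l) for l in lines) if p]
    result = OrderedDict()
    for i, p in enumerate(pkts):
        if p["dst"] != host or p["flags"] != "S":
            continue  # "S." is a SYN-ACK reply, not a connection attempt
        key = (p["src"], p["sport"], p["dport"])
        result[key] = any(
            q["src"] == host and q["sport"] == p["dport"]
            and q["dst"] == p["src"] and q["dport"] == p["sport"]
            and "R" in q["flags"]
            for q in pkts[i + 1:]
        )
    return result

def silent_drops(lines, host):
    """SYNs that got no RST at all: the REJECT-looks-like-DROP case from the post."""
    return [k for k, ok in check_resets(lines, host).items() if not ok]

# Constructed sample capture (not from the thread): port 22 is reset as expected,
# the SYN to port 23 is retransmitted because nothing ever comes back.
SAMPLE = """\
12:00:00.000100 IP 10.0.0.5.40001 > 192.0.2.10.22: Flags [S], seq 1, win 512, length 0
12:00:00.000300 IP 192.0.2.10.22 > 10.0.0.5.40001: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:01.000100 IP 10.0.0.5.40002 > 192.0.2.10.23: Flags [S], seq 1, win 512, length 0
12:00:02.000100 IP 10.0.0.5.40002 > 192.0.2.10.23: Flags [S], seq 1, win 512, length 0
""".splitlines()

if __name__ == "__main__":
    for k, ok in check_resets(SAMPLE, "192.0.2.10").items():
        print(k, "RST seen" if ok else "no RST (behaves like DROP)")
```

Feed it a real capture with `tcpdump -n -i <iface> tcp | python3 script.py`-style piping by replacing SAMPLE with `sys.stdin`, keeping the host argument set to the firewall's own address.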
  2. Tapio Sokura (Guest)

    I have also observed the same behavior on an RH 7.3 firewall running the
    latest RH errata-kernel (2.4.20-20.7). Rejecting with icmp-port
    unreachable works, but not with tcp-reset (the RST-packet is never
    sent). I haven't come across a solution to this, just thought I'd let
    you know you are not alone.
     
    Tapio Sokura, Nov 15, 2003
    #2