connection-state=established not working

I’m having trouble with return packets to a firewall running 2.9.10.

There is no output filter, and the input filter is:

 0   chain=input tcp-flags=!syn connection-state=established action=accept
 1   chain=input connection-state=related action=accept
 ...
 9   chain=input action=log log-prefix=""
10   chain=input action=drop

I expected that first rule to handle return packets for connections initiated from the firewall, but my logs show that they are dropped (y.y.y.y being my firewall IP):

firewall,info input: in:ether0 out:(none), src-mac x:x:x:x:x:x, proto TCP (ACK), z.z.z.z:443->y.y.y.y:1027, len 52

I tried adding “in-interface=ether0” to the rule, but it had no effect.

I have a similar problem with matching on connection-state values in the forward chain, too.

Try removing the “tcp-flags=!syn” string…

chain=input connection-state=established action=accept will only accept connections already established by rules beneath it.

I just added that today, after seeing it in another thread. Someone had posted their rule set as an example.

In any case, it’s ACKs that are dropped, so that additional match specification should permit those.
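An added example to make the discussion above concrete; it is not code from any poster or from RouterOS. It parses a firewall log line in the format shown in the thread and walks a copy of the posted input chain (rules 2-8 omitted, as in the post) against it, applying the documented meaning of tcp-flags (listed flags must be set, "!flag" must be clear, other flags ignored) and connection-state. Because the log line does not carry the connection-tracking state, that state is an input to the simulation. Addresses and the MAC in the sample line are constructed documentation-range values standing in for the anonymised ones. It goes slightly beyond the post: it also evaluates the reply's suggestion (the same chain with tcp-flags removed) and a SYN packet, so the difference between what tcp-flags=!syn excludes and what connection-state excludes is visible.

```python
"""Simulate which rule of a RouterOS-style input chain a logged packet hits.

Constructed illustration, not RouterOS code. The conntrack state is passed
in explicitly because the log line does not record it.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the RouterOS firewall log format seen in the thread.
SAMPLE_LOG = ("firewall,info input: in:ether0 out:(none), src-mac 00:11:22:33:44:55, "
              "proto TCP (ACK), 203.0.113.10:443->192.0.2.1:1027, len 52")

LOG_RE = re.compile(
    r"(?P<topics>[\w,]+) (?P<chain>\w+): in:(?P<in_if>\S+) out:(?P<out_if>\S+), "
    r"(?:src-mac (?P<src_mac>[0-9A-Fa-f:]+), )?"
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)")


@dataclass
class Packet:
    chain: str
    in_if: str
    proto: str
    flags: frozenset          # lower-case TCP flag names; empty for non-TCP
    src: str
    sport: int
    dst: str
    dport: int


def parse_log_line(line: str) -> Packet:
    """Extract the fields the firewall rules can match on from one log line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError(f"not a RouterOS firewall log line: {line!r}")
    flags = m.group("flags") or ""
    return Packet(chain=m.group("chain"), in_if=m.group("in_if"),
                  proto=m.group("proto").upper(),
                  flags=frozenset(f.strip().lower() for f in flags.split(",") if f.strip()),
                  src=m.group("src"), sport=int(m.group("sport")),
                  dst=m.group("dst"), dport=int(m.group("dport")))


@dataclass
class Rule:
    num: int                                  # rule number as printed in the post
    action: str                               # accept / drop / log
    tcp_flags: Optional[str] = None           # e.g. "!syn" or "syn,!ack"
    connection_state: Optional[str] = None    # established / related / new / invalid
    in_interface: Optional[str] = None


def tcp_flags_match(spec: Optional[str], pkt: Packet) -> bool:
    """Listed flags must be set, '!flag' entries must be clear; others are ignored."""
    if spec is None:
        return True
    if pkt.proto != "TCP":          # tcp-flags can only ever match TCP packets
        return False
    for item in spec.split(","):
        item = item.strip().lower()
        want_clear = item.startswith("!")
        name = item.lstrip("!")
        if (name in pkt.flags) == want_clear:
            return False
    return True


def rule_matches(rule: Rule, pkt: Packet, conn_state: str) -> bool:
    return (tcp_flags_match(rule.tcp_flags, pkt)
            and (rule.connection_state is None or rule.connection_state == conn_state)
            and (rule.in_interface is None or rule.in_interface == pkt.in_if))


def walk_chain(rules, pkt: Packet, conn_state: str):
    """Return (number of terminating rule, its action, numbers of log rules hit).
    action=log does not terminate: the packet keeps going down the chain."""
    logged = []
    for rule in rules:
        if not rule_matches(rule, pkt, conn_state):
            continue
        if rule.action == "log":
            logged.append(rule.num)
            continue
        return rule.num, rule.action, logged
    return None, "accept", logged   # no rule matched: chain default is accept


# The posted input chain (rules 2-8 omitted, as in the post).
INPUT_CHAIN = [
    Rule(0, "accept", tcp_flags="!syn", connection_state="established"),
    Rule(1, "accept", connection_state="related"),
    Rule(9, "log"),
    Rule(10, "drop"),
]


def without_tcp_flags(rules):
    """The reply's suggestion: the same chain with tcp-flags removed."""
    return [Rule(r.num, r.action, None, r.connection_state, r.in_interface) for r in rules]


def verdict(rules, line: str, conn_state: str):
    return walk_chain(rules, parse_log_line(line), conn_state)


if __name__ == "__main__":
    for chain_name, chain in (("as posted", INPUT_CHAIN), ("no tcp-flags", without_tcp_flags(INPUT_CHAIN))):
        for state in ("established", "new"):
            print(chain_name, state, verdict(chain, SAMPLE_LOG, state))
```

Running it shows the ACK reaching rule 9 and rule 10 only when the simulated conntrack state is something other than established, and tcp-flags=!syn making no difference for an ACK either way; the flag match only changes the outcome for a packet that actually carries SYN. Since the real router's log rule did fire, the state conntrack assigned to that packet, which can be inspected with /ip firewall connection print, is the thing worth checking next.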