On 8/30/05, Mark Sargent <powderkeg@xxxxxxxxxxxxxxxx> wrote:
> Hi All,
>
> I am studying IPTABLES and am curious about this section,
>
> ****************************
> [snip]
>
> tcp 6 117 SYN_SENT src=192.168.1.5 dst=192.168.1.35 sport=1031 \
> dport=23 [UNREPLIED] src=192.168.1.35 dst=192.168.1.5 sport=23 \
> dport=1031 use=1
> [snip]
>
> tcp 6 57 SYN_RECV src=192.168.1.5 dst=192.168.1.35 sport=1031 \
> dport=23 src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 \
> use=1
> [snip]
>
> tcp 6 431999 ESTABLISHED src=192.168.1.5 dst=192.168.1.35 \
> sport=1031 dport=23 src=192.168.1.35 dst=192.168.1.5 \
> sport=23 dport=1031 [ASSURED] use=1
>
> *************************
>
> In the 1st entry, the expected source IP and destination IP,
>
> src=192.168.1.35 dst=192.168.1.5
>
> are still the expected src/dst IP in the 2nd entry, the syn/ack entry.
> Shouldn't they be the other way round? Perhaps I'm misunderstanding
> it? My understanding is that the SYN_SENT packet originates from
> 192.168.1.5 and the SYN_RECV packet originates from 192.168.1.35, no?

This is connection tracking. Your perspective is packet level. The TCP
connection is initiated by one system, the source of the connection.
The fact that the actual traffic is bidirectional, and that the source
and destination IP addresses and respective ports change on a
packet-by-packet basis, is understood.

-- 
Leonard Isham, CISSP
Ostendo non ostento.
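The distinction Leonard draws (a conntrack entry is one record per connection, with an "original" tuple for the initiator's packets and a "reply" tuple for the expected return packets, and neither tuple flips when the state changes) can be made concrete by parsing the three entries Mark quoted. The following is an added example, not code from the thread or from netfilter itself. It assumes the `/proc/net/ip_conntrack` line layout shown in the mail (the second group of src/dst/sport/dport is the reply direction) and assumes no NAT, so that the reply tuple is exactly the original tuple with addresses and ports swapped. The function and variable names are the example's own.

```python
"""Parse ip_conntrack-style entries and classify packets against them.

Added example (not from the original thread). It shows that the same
conntrack entry matches a packet going either way: the ORIGINAL tuple is
the initiator's view, the REPLY tuple is the expected return traffic.
The reply tuple stays the same across SYN_SENT, SYN_RECV and ESTABLISHED
because it describes the connection, not any single packet.
"""
import re
from dataclasses import dataclass

# Constructed sample: the three entries quoted in the mail, re-joined into
# single lines the way /proc/net/ip_conntrack prints them.
SAMPLE = """\
tcp 6 117 SYN_SENT src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23 [UNREPLIED] src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 use=1
tcp 6 57 SYN_RECV src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23 src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 use=1
tcp 6 431999 ESTABLISHED src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23 src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 [ASSURED] use=1
"""


@dataclass(frozen=True)
class Conn:
    proto: str
    timeout: int          # seconds left before the entry is dropped
    state: str            # TCP state as conntrack sees it
    original: tuple       # (src, dst, sport, dport) of the initiator's packets
    reply: tuple          # (src, dst, sport, dport) of the expected reply packets
    unreplied: bool       # no packet seen in the reply direction yet
    assured: bool         # traffic seen both ways; entry survives table pressure


_KV = re.compile(r"(src|dst|sport|dport)=(\S+)")


def parse_entry(line):
    """Parse one ip_conntrack line into a Conn (assumed layout, see docstring)."""
    fields = line.split()
    proto, timeout, state = fields[0], int(fields[2]), fields[3]
    pairs = _KV.findall(line)          # 8 pairs: first four original, last four reply
    if len(pairs) != 8:
        raise ValueError("unexpected tuple count in: %r" % line)

    def tup(kv):
        d = dict(kv)
        return (d["src"], d["dst"], int(d["sport"]), int(d["dport"]))

    return Conn(proto, timeout, state, tup(pairs[:4]), tup(pairs[4:]),
                "[UNREPLIED]" in fields, "[ASSURED]" in fields)


def parse_table(text):
    return [parse_entry(l) for l in text.splitlines() if l.strip()]


def expected_reply(original):
    """Reply tuple for a non-NAT connection: swap addresses and swap ports."""
    src, dst, sport, dport = original
    return (dst, src, dport, sport)


def direction(conn, src, dst, sport, dport):
    """Which side of the tracked connection a packet belongs to.

    Returns "ORIGINAL" for initiator->responder, "REPLY" for the way back,
    and "NEW" if the packet matches neither tuple of this entry.
    """
    pkt = (src, dst, sport, dport)
    if pkt == conn.original:
        return "ORIGINAL"
    if pkt == conn.reply:
        return "REPLY"
    return "NEW"


if __name__ == "__main__":
    for c in parse_table(SAMPLE):
        print(c.state, "original:", c.original, "reply:", c.reply,
              "reply is swapped original:", c.reply == expected_reply(c.original))
    syn_recv = parse_table(SAMPLE)[1]
    # The SYN/ACK from the telnet server is a REPLY-direction packet; the
    # entry's tuples do not change, only the packet being matched does.
    print(direction(syn_recv, "192.168.1.35", "192.168.1.5", 23, 1031))
```

Running it prints the same original and reply tuples for all three states and `True` for every "reply is swapped original" check, which is the answer to the question in the mail: the reply tuple was already the swapped one in the SYN_SENT entry, so there is nothing left to swap when the SYN/ACK arrives. The server's SYN/ACK is simply classified as a REPLY-direction packet of the existing entry.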