Skip to main content
Although paqet operates at the raw packet level using pcap, the operating system kernel can still interfere with connections by sending TCP RST (reset) packets. This guide explains why firewall configuration is required and how to set it up correctly.

Why Firewall Configuration is Required

The Kernel Interference Problem

When paqet receives packets on its configured port, two things happen:
  1. paqet receives a copy via pcap directly from the network driver
  2. The kernel also sees the packet as it passes through the normal TCP/IP stack
Since the kernel has no knowledge of the connection that paqet is managing, it sees these packets as belonging to a non-existent connection and generates TCP RST packets to reject them. These kernel-generated RST packets cause:
  • Corruption of connection state in NAT devices
  • Stateful firewall interference
  • Connection instability and packet drops
  • Premature connection termination

The Solution

You must configure iptables to:
  1. Bypass connection tracking for the paqet port
  2. Prevent RST packet generation by the kernel
This ensures that only paqet handles traffic on its port, and the kernel ignores it completely.
Without these iptables rules, paqet will not function properly. The kernel will continuously interfere with packet handling.

Port Selection Guidelines

Do not use standard ports like 80, 443, 22, 25, or any other commonly used ports.The iptables rules required by paqet can also affect outgoing connections from your server on those ports, potentially breaking normal server operations.
Recommended ports:
  • 9999 - Common choice for paqet
  • 8888 - Alternative high port
  • 7777 - Another high port option
  • Any non-standard port above 1024

Server Firewall Configuration

1

Set Your Port Number

Replace <PORT> in all commands below with your actual server listen port (e.g., 9999).For convenience, set it as a variable:
PORT=9999
2

Bypass Connection Tracking

These rules tell the kernel’s netfilter to ignore packets on the paqet port for state tracking:
sudo iptables -t raw -A PREROUTING -p tcp --dport $PORT -j NOTRACK
sudo iptables -t raw -A OUTPUT -p tcp --sport $PORT -j NOTRACK
What this does:
  • -t raw - Uses the raw table (processed before connection tracking)
  • PREROUTING - Incoming packets
  • OUTPUT - Outgoing packets
  • --dport / --sport - Matches destination/source port
  • NOTRACK - Disables connection tracking for these packets
3

Prevent RST Packet Generation

This rule drops any RST packets the kernel tries to send from the paqet port:
sudo iptables -t mangle -A OUTPUT -p tcp --sport $PORT --tcp-flags RST RST -j DROP
What this does:
  • -t mangle - Uses the mangle table for packet alteration
  • --tcp-flags RST RST - Matches packets with RST flag set
  • DROP - Discards the packet before it’s sent
4

Alternative Rules (If Issues Persist)

If you still experience connection issues, try these alternative accept rules:
sudo iptables -t filter -A INPUT -p tcp --dport $PORT -j ACCEPT
sudo iptables -t filter -A OUTPUT -p tcp --sport $PORT -j ACCEPT
These rules explicitly accept traffic on the paqet port, which can help in some firewall configurations.
5

Verify Rules

Check that your rules were applied correctly:
# View raw table rules
sudo iptables -t raw -L -n -v

# View mangle table rules
sudo iptables -t mangle -L -n -v

# View filter table rules (if using alternative rules)
sudo iptables -t filter -L -n -v
Look for rules matching your port number.
6

Make Rules Persistent

By default, iptables rules are lost when the system reboots. Make them persistent:
Install iptables-persistent:
sudo apt-get install iptables-persistent
Save current rules:
sudo iptables-save | sudo tee /etc/iptables/rules.v4
Rules will be automatically restored on reboot.

Complete Example

Here’s a complete script to configure iptables for paqet on port 9999: 
#!/bin/bash

# Set your paqet port
PORT=9999

echo "Configuring iptables for paqet on port $PORT..."

# Bypass connection tracking
echo "1. Bypassing connection tracking..."
sudo iptables -t raw -A PREROUTING -p tcp --dport $PORT -j NOTRACK
sudo iptables -t raw -A OUTPUT -p tcp --sport $PORT -j NOTRACK

# Prevent RST packets
echo "2. Preventing RST packet generation..."
sudo iptables -t mangle -A OUTPUT -p tcp --sport $PORT --tcp-flags RST RST -j DROP

echo "3. Verifying rules..."
sudo iptables -t raw -L -n -v | grep $PORT
sudo iptables -t mangle -L -n -v | grep $PORT

echo "✓ iptables configuration complete!"
echo ""
echo "To make these rules persistent:"
echo "  Debian/Ubuntu: sudo iptables-save | sudo tee /etc/iptables/rules.v4"
echo "  RHEL/CentOS:   sudo service iptables save"
Save this as configure-iptables.sh, make it executable, and run: 
chmod +x configure-iptables.sh
sudo ./configure-iptables.sh

Cloud Provider Firewalls

In addition to iptables, cloud providers have their own firewall systems:
Security Groups:
  1. Go to EC2 → Security Groups
  2. Select your instance’s security group
  3. Add an inbound rule:
    • Type: Custom TCP
    • Protocol: TCP
    • Port Range: 9999 (your paqet port)
    • Source: Your client IP or 0.0.0.0/0 for any source

Removing Rules

To remove paqet iptables rules: 
PORT=9999

# Remove raw table rules
sudo iptables -t raw -D PREROUTING -p tcp --dport $PORT -j NOTRACK
sudo iptables -t raw -D OUTPUT -p tcp --sport $PORT -j NOTRACK

# Remove mangle table rules
sudo iptables -t mangle -D OUTPUT -p tcp --sport $PORT --tcp-flags RST RST -j DROP

# If you added filter rules, remove them too
sudo iptables -t filter -D INPUT -p tcp --dport $PORT -j ACCEPT
sudo iptables -t filter -D OUTPUT -p tcp --sport $PORT -j ACCEPT

Troubleshooting

Connection Times Out

  1. Verify iptables rules are applied: 
    sudo iptables -t raw -L -n -v
sudo iptables -t mangle -L -n -v
  2. Check for conflicting rules: 
    sudo iptables -L -n -v
    Look for DROP or REJECT rules that might block your port.
  3. Verify cloud provider firewall: Ensure your security group/firewall allows TCP traffic on your port.

Rules Not Persisting

  1. Check if iptables-persistent is installed: 
    dpkg -l | grep iptables-persistent  # Debian/Ubuntu
systemctl status iptables           # RHEL/CentOS
  2. Manually verify saved rules: 
    cat /etc/iptables/rules.v4          # Debian/Ubuntu
cat /etc/sysconfig/iptables         # RHEL/CentOS

Server Can’t Make Outbound Connections

This happens if you used a standard port like 80 or 443:
  1. Change your paqet port to a non-standard port (e.g., 9999)
  2. Remove old iptables rules for the standard port
  3. Re-apply rules with the new port
  4. Update your configuration files (both client and server)

Next Steps

Build docs developers (and LLMs) love

Get started for freeTalk to us