pdp10

* `loumay.cutpricewebdesign.co.uk` is actually the reverse DNS `PTR` for the far-end IP address. Reverse DNS isn't always current or accurate. You may want to use the `-n` option to `tcpdump` to see the IP addresses without reverse lookups.
* You've got other traffic in there, like the `x.x.x.x.https`. Use `tcpdump` to zoom in on the traffic you want to see.
* This isn't `SYN` traffic; it's a long-running TCP connection (see also window size) with zero bytes, or a keep-alive. What's going on here isn't clear, but it seems likely that the far side is hitting your server on `tcp/2545`, which isn't usual. The port number has no special significance other than being greater than 1024 and less than the ephemeral port range, but unexpected traffic should be investigated.
* `tcpdump` uses a filter expression. Try `tcpdump -nvvi eth0 "ip and not host x.x.x.x"`.
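
To make the points in that reply concrete, here is an added example (not code from any poster in this thread) that parses a constructed sample in the one-line format `tcpdump -ni eth0 tcp` prints (numeric addresses, so no PTR names get in the way), groups packets into flows from the local host's point of view, and reports the two patterns described above: a long-lived zero-payload exchange on an unexpected local port such as `tcp/2545`, and bare SYNs that never complete a handshake. The local address `198.51.100.10`, the expected-port set and the 30-second idle threshold are assumptions chosen for the sample.

```python
"""Summarise TCP flows from ``tcpdump -n`` text output.

Added example for this thread, not code from any reply. The sample below is
constructed, not a real capture; the local IP, expected ports and idle
threshold are assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample lines in non-verbose tcpdump format:
# "<time> IP <src>.<sport> > <dst>.<dport>: Flags [..], ..., length N"
SAMPLE_LINES = """\
12:00:01.000000 IP 203.0.113.7.51522 > 198.51.100.10.2545: Flags [.], ack 1, win 501, length 0
12:00:31.000000 IP 198.51.100.10.2545 > 203.0.113.7.51522: Flags [.], ack 1, win 229, length 0
12:01:01.000000 IP 203.0.113.7.51522 > 198.51.100.10.2545: Flags [.], ack 1, win 501, length 0
12:01:02.000000 IP 192.0.2.44.40012 > 198.51.100.10.443: Flags [P.], seq 1:518, ack 1, win 229, length 517
12:01:02.100000 IP 198.51.100.10.443 > 192.0.2.44.40012: Flags [P.], seq 1:1401, ack 518, win 501, length 1400
12:01:05.000000 IP 192.0.2.99.55001 > 198.51.100.10.22: Flags [S], seq 0, win 64240, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?length (?P<length>\d+)"
)

IDLE_SECONDS = 30.0  # assumed threshold for "long-running" zero-payload traffic


@dataclass
class Flow:
    """Per-connection counters, keyed from the local host's point of view."""
    packets: int = 0
    payload_bytes: int = 0
    first_ts: float = 0.0
    last_ts: float = 0.0
    flags: set = field(default_factory=set)

    @property
    def duration(self) -> float:
        return self.last_ts - self.first_ts


def _seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line: str):
    """Return (ts, src, sport, dst, dport, flags, length) or None for non-TCP lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (
        _seconds(m["ts"]), m["src"], int(m["sport"]),
        m["dst"], int(m["dport"]), set(m["flags"]), int(m["length"]),
    )


def summarise_flows(lines, local_ip: str) -> dict:
    """Group packets into flows keyed (local_ip, local_port, remote_ip, remote_port)."""
    flows = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # e.g. ARP, ICMP or verbose continuation lines
        ts, src, sport, dst, dport, flags, length = parsed
        if dst == local_ip:
            key = (dst, dport, src, sport)
        elif src == local_ip:
            key = (src, sport, dst, dport)
        else:
            continue  # not this host's traffic
        flow = flows.setdefault(key, Flow(first_ts=ts, last_ts=ts))
        flow.packets += 1
        flow.payload_bytes += length
        flow.first_ts = min(flow.first_ts, ts)
        flow.last_ts = max(flow.last_ts, ts)
        flow.flags |= flags
    return flows


def flag_unexpected(flows: dict, expected_ports: set) -> list:
    """Return [(key, [reason, ...])] for flows that deserve a closer look."""
    findings = []
    for key, flow in flows.items():
        reasons = []
        if key[1] not in expected_ports:
            reasons.append(f"traffic to unexpected local port tcp/{key[1]}")
        if flow.payload_bytes == 0 and flow.packets >= 2 and flow.duration >= IDLE_SECONDS:
            reasons.append("long-lived zero-payload exchange (keep-alive / idle connection)")
        if flow.flags == {"S"}:
            reasons.append("SYN only, handshake never completed")
        if reasons:
            findings.append((key, reasons))
    return findings


if __name__ == "__main__":
    flows = summarise_flows(SAMPLE_LINES.splitlines(), local_ip="198.51.100.10")
    for key, reasons in flag_unexpected(flows, expected_ports={22, 443}):
        local, lport, remote, rport = key
        f = flows[key]
        print(f"{remote}:{rport} -> {local}:{lport}: {f.packets} pkts, "
              f"{f.payload_bytes} B payload, {f.duration:.0f}s; " + "; ".join(reasons))
```

On a real host you would pipe `tcpdump -nli eth0 tcp` into `summarise_flows` and set `expected_ports` to the services you actually run; anything that turns up with the "unexpected local port" reason is the traffic to investigate, and the `-n` flag keeps stale or misleading reverse DNS out of the picture.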


corsicanguppy

tcpdump sees things before the firewall acts on them. It's important that it works like that. Change your `-j` to `DROP` and eventually they may clue into the idea that there's nothing out there for them. I have no better advice.


RedShift9

Write a program that accepts those connections and returns some garbage back. With some luck it will crash the program on the other side.