The following iptables rule drops ACKs from host A:
iptables -A INPUT -s ip.of.host.a/32 --protocol tcp --tcp-flags ACK ACK -j DROP
--tcp-flags is documented in the iptables-extensions man page:
[!] --tcp-flags mask comp
    Match when the TCP flags are as specified. The first argument mask is the flags which we should examine, written as a comma-separated list, and the second argument comp is a comma-separated list of flags which must be set. Flags are: SYN ACK FIN RST URG PSH ALL NONE. Hence the command
        iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
    will only match packets with the SYN flag set, and the ACK, FIN and RST flags unset.
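The mask/comp comparison from the man page excerpt, modelled in Python as an added example (not part of the original answer and not iptables code). The function names and sample segments are constructed for illustration. It shows which kinds of segment a given mask/comp pair selects, including that `ACK ACK` selects every segment carrying the ACK bit, not only bare acknowledgements.

```python
# TCP flag bits as they sit in the flags byte of the TCP header.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = 0x3F  # the six flags --tcp-flags knows about


def parse_flags(spec):
    """Turn a comma-separated list such as 'SYN,ACK' (or ALL / NONE) into bits."""
    bits = 0
    for name in spec.split(","):
        name = name.strip().upper()
        if name == "ALL":
            bits |= ALL
        elif name == "NONE":
            continue
        elif name in FLAG_BITS:
            bits |= FLAG_BITS[name]
        else:
            raise ValueError(f"unknown TCP flag: {name!r}")
    return bits


def tcp_flags_match(mask, comp, packet_flags, invert=False):
    """Model of '[!] --tcp-flags mask comp': examine only the bits in mask and
    require exactly the comp bits to be set among them."""
    hit = (parse_flags(packet_flags) & parse_flags(mask)) == parse_flags(comp)
    return hit != invert  # invert models the leading '!'


# Constructed sample segments: label -> flags set in the header.
SAMPLES = {
    "syn": "SYN",          # connection request
    "syn-ack": "SYN,ACK",  # handshake reply
    "ack": "ACK",          # bare acknowledgement
    "psh-ack": "PSH,ACK",  # data segment
    "fin-ack": "FIN,ACK",  # connection teardown
    "rst": "RST",          # reset
}


def matched(mask, comp):
    """Labels of the sample segments that a given mask/comp pair selects."""
    return [label for label, flags in SAMPLES.items()
            if tcp_flags_match(mask, comp, flags)]


if __name__ == "__main__":
    for mask, comp in [("ACK", "ACK"), ("SYN,ACK,FIN,RST", "SYN"), ("ALL", "ACK")]:
        print(f"--tcp-flags {mask} {comp}: {matched(mask, comp)}")
```

With mask `ALL` and comp `ACK`, only the segment whose sole flag is ACK is selected.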