Re: ip_conntrack: table full, dropping packet.




On Friday 18 April 2008 12:23, Masry Alex wrote:

>  #that's what the mentioned article suggested..I'm not sure it's working!
>  *raw
>  -A PREROUTING -p tcp -m tcp --dport 80 -j NOTRACK

Do you have a chain called NOTRACK?  What is set up under it?

>  COMMIT
>  *filter
>  -A INPUT -i lo -j ACCEPT
>  -A INPUT -p icmp --icmp-type any -j ACCEPT
>  #no tracking needed for this
>  -A INPUT -p tcp --dport 80 -j ACCEPT
>  #that would be another question but I can't get rid of this while using
>  ssh tunneling
>  -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

OK, here is your problem.  The above line should be the first line in your 
INPUT statement.  IPTABLES reads top down so it executes the rules in the 
order they are placed.  Since you have the '--dport 80' rule before the 
'ESTABLISHED,RELATED' rule it adds the address to the conntrack.  Every packet 
is being added to the conntrack making a bunch of entries tracking the same 
host.  If 'ESTABLISHED,RELATED' were first it would check to see if the host 
has already connected and allow them to continue to connect without adding 
them to the tracking table every time a packet comes.

You want 'ESTABLISHED,RELATED' first in all your rule chains.  There is a way 
around this if you want '--dport 80' before the 'ESTABLISHED,RELATED' and 
that would be like this:

-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

Your rules are a mix of Stateful and Non-Stateful; choose one or the other.
Preferably Stateful.


-- 

Regards
Robert

Smile... it increases your face value!
Linux User #296285
http://counter.li.org
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
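An added check, not from the thread, that applies Robert's ordering advice to an iptables-save dump: it flags every ACCEPT rule in a chain that carries no --state match and sits above the ESTABLISHED,RELATED rule. Both rulesets are constructed from the poster's INPUT chain, and the helper name check_chain_order is my own.

```shell
#!/bin/sh
# Constructed sample: the poster's INPUT chain as iptables-save would print it.
BAD_RULES='*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# The same chain reordered as the reply recommends: ESTABLISHED,RELATED first,
# and the port-80 rule restricted to NEW connections so it stays stateful.
GOOD_RULES='*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT'

# check_chain_order CHAIN RULESET (hypothetical helper): prints every ACCEPT
# rule in CHAIN that has no --state match and appears before the
# ESTABLISHED,RELATED rule; returns 0 when there are none, 1 otherwise.
check_chain_order() {
    printf '%s\n' "$2" | awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            if ($0 ~ /--state ESTABLISHED,RELATED/) { seen_est = 1; next }
            if (!seen_est && $0 ~ /-j ACCEPT/ && $0 !~ /--state/) {
                print "stateless ACCEPT above ESTABLISHED,RELATED: " $0
                bad = 1
            }
        }
        END { if (bad) exit 1; exit 0 }'
}

# Run both samples: the original chain is flagged, the reordered one passes.
check_chain_order INPUT "$BAD_RULES"  || echo "original chain: needs reordering"
check_chain_order INPUT "$GOOD_RULES" && echo "reordered chain: OK"
```

On a live box the same dump comes from `iptables-save`, so the check can be run as `check_chain_order INPUT "$(iptables-save)"` before loading a ruleset.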
