Doesn't the policy change to ACCEPT after you flush the rules? Try an
iptables -L -v -n after doing iptables -F and see what the default policy says.

- Greg Scott

-----Original Message-----
From: lartc-bounces@xxxxxxxxxxxxxxx [mailto:lartc-bounces@xxxxxxxxxxxxxxx] On Behalf Of Ethy H. Brito
Sent: Thursday, January 26, 2006 8:09 AM
To: lartc@xxxxxxxxxxxxxxx
Subject: nat table remembering nat's

Dear All

Why do NAT rules stay valid even if I flush the nat and filter chains??

I have:

iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# --dport only works together with a protocol match; tcp assumed here
iptables -A FORWARD -s SOME_IP -d SOME_BCP_5_IP -p tcp --dport 1234 -j ACCEPT
# the nat table is selected with -t (not -i, which is the input interface)
iptables -t nat -A PREROUTING -s SOME_IP -d MY_INTERNET_IP -p tcp \
    --dport 1234 -j DNAT --to-destination SOME_BCP_5_IP

The connection is established and the data is flowing normally.
Suddenly I decide to not authorize this data flow anymore. So I

iptables -t nat -F PREROUTING
iptables -F FORWARD

To my surprise the data flow (observed with tcpdump) is still there!
It is like the state machine does not let go of this data flow.

What to do to block this data flow??
Is there any way to flush the conntrack database?

Regards

--
Ethy H. Brito          /"\
InterNexo Ltda.        \ /  ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
+55 (12) 3941-6860      X
S.J.Campos - Brasil    / \

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
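An added example, not part of the thread above: NAT is decided on a connection's first packet and the resulting binding is stored in the conntrack entry, so flushing the nat table does not touch connections that are already tracked. The script below (Python, with constructed addresses) parses conntrack table lines in the /proc/net/ip_conntrack, /proc/net/nf_conntrack or `conntrack -L` style and lists the entries that still carry a DNAT binding for a given destination port, which is how a poster could confirm where the surviving flow is really being kept alive.

```python
import re
from dataclasses import dataclass

# Constructed sample in /proc/net/ip_conntrack style (plus one nf_conntrack-style
# line): a DNAT'd flow to port 1234, a plain forwarded flow and an SNAT'd flow.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=203.0.113.10 sport=40001 dport=1234 src=10.0.5.5 dst=198.51.100.7 sport=1234 dport=40001 [ASSURED] use=1
tcp      6 299 ESTABLISHED src=10.0.0.2 dst=10.0.0.3 sport=50000 dport=22 src=10.0.0.3 dst=10.0.0.2 sport=22 dport=50000 [ASSURED] use=1
ipv4     2 udp      17 29 src=10.0.0.9 dst=192.0.2.53 sport=5353 dport=53 src=192.0.2.53 dst=203.0.113.10 sport=53 dport=5353 use=1
"""

TOKEN = re.compile(r"\b(src|dst|sport|dport)=(\S+)")


@dataclass
class Entry:
    proto: str
    orig: dict   # original-direction tuple as the packet arrived
    reply: dict  # reply-direction tuple, i.e. what NAT rewrote it to

    def dnat_target(self):
        """(ip, port) the packets really go to, or None if destination is untouched."""
        if (self.reply["src"], self.reply["sport"]) != (self.orig["dst"], self.orig["dport"]):
            return self.reply["src"], int(self.reply["sport"])
        return None

    def is_snat(self):
        return self.reply["dst"] != self.orig["src"]


def parse_conntrack(text):
    """Parse ip_conntrack/nf_conntrack/`conntrack -L` lines into Entry objects."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        pairs = TOKEN.findall(line)
        if len(pairs) < 8:          # need both tuples (4 keys each)
            continue
        # nf_conntrack prefixes the line with the address family ("ipv4 2 tcp 6 ...")
        proto = fields[2] if fields[0] in ("ipv4", "ipv6") else fields[0]
        entries.append(Entry(proto, dict(pairs[:4]), dict(pairs[4:8])))
    return entries


def nat_bindings_for_port(text, dport):
    """Connections to the original dport that conntrack is still translating."""
    out = []
    for e in parse_conntrack(text):
        target = e.dnat_target()
        if int(e.orig["dport"]) == dport and target is not None:
            out.append((e.proto, e.orig["src"], e.orig["dst"], target))
    return out
```

Entries found this way can be removed with conntrack-tools, e.g. `conntrack -D -p tcp --dport 1234`, after which the next packet of that flow is evaluated against the current rules instead of the stored binding.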