Re: nat table remembering NATs

Linux Advanced Routing and Traffic Control

On Thu, 26 Jan 2006 08:22:51 -0600
"Greg Scott" <GregScott@xxxxxxxxxxxxxxxxxxx> wrote:

> Doesn't the policy change to ACCEPT after you flush the rules?  Try an
> iptables -L -v -n after doing iptables -F and see what the default
> policy says.

Yes it does. It changes to ACCEPT in all chains.

So you are saying that I cannot stop the pre-established data flow, because it
will keep flowing since the default policy changed to ACCEPT, updating the
timeout timer? But I flushed the nat table. This should kill all conntrack entries
related to the rules in this table.

Ethy


> 
> - Greg Scott
>  
> 
> -----Original Message-----
> From: lartc-bounces@xxxxxxxxxxxxxxx
> [mailto:lartc-bounces@xxxxxxxxxxxxxxx] On Behalf Of Ethy H. Brito
> Sent: Thursday, January 26, 2006 8:09 AM
> To: lartc@xxxxxxxxxxxxxxx
> Subject: nat table remembering NATs
> 
> 
> Dear All
> 
> Why do NAT rules stay valid even if I flush the nat and filter table chains??
> 
> I have:
> 
> iptables -P FORWARD DROP
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -p tcp -s SOME_IP -d SOME_BCP_5_IP --dport 1234 -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp -s SOME_IP -d MY_INTERNET_IP \
>           --dport 1234 -j DNAT --to-destination SOME_BCP_5_IP
> 
> The connection is established and the data is flowing normally.
> Suddenly I decide not to authorize this data flow anymore. So I
> 
> iptables -t nat -F PREROUTING
> iptables -F FORWARD
> 
> To my surprise the data flow (observed with tcpdump) is still there!
> It is like the state machine does not let go of this data flow.
> 
> What to do to block this data flow??
> Is there any way to flush the conntrack database?
> 
> Regards
> 
> -- 
> 
> Ethy H. Brito         /"\
> InterNexo Ltda.       \ /  CAMPANHA DA FITA ASCII - CONTRA MAIL HTML
> +55 (12) 3941-6860     X   ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
> S.J.Campos - Brasil   / \ 
> _______________________________________________
> LARTC mailing list
> LARTC@xxxxxxxxxxxxxxx
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


-- 

Ethy H. Brito         /"\
InterNexo Ltda.       \ /  CAMPANHA DA FITA ASCII - CONTRA MAIL HTML
+55 (12) 3941-6860     X   ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
S.J.Campos - Brasil   / \ 
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
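The behaviour the thread is puzzling over comes from where the translation lives: the DNAT rule is consulted only for the first packet of a connection, and the chosen mapping is then stored in that connection's conntrack entry, so deleting or flushing the rule leaves every existing connection untouched until its entry expires or is deleted. The following script is an added example, not code from the thread or from the LARTC project. It parses the output of `conntrack -L` (from conntrack-tools, which answers the "is there any way to flush the conntrack database?" question), identifies entries that carry a DNAT mapping (the reply source differs from the original destination), and builds the ordered command list for revoking one flow without flushing whole chains. The `conntrack -L` lines below are constructed sample data using documentation addresses; `203.0.113.7`, `198.51.100.1` and `192.168.5.20` stand in for the thread's SOME_IP, MY_INTERNET_IP and SOME_BCP_5_IP.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One line of `conntrack -L` output (conntrack-tools). The first
# src/dst/sport/dport group is the ORIGINAL direction, the second is the
# REPLY direction. UDP lines carry no state word and may show [UNREPLIED]
# between the two tuples. Lines we do not model (ICMP, headers) are skipped.
ENTRY_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\d+\s+(?P<timeout>\d+)\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<osrc>\S+)\s+dst=(?P<odst>\S+)\s+sport=(?P<osport>\d+)\s+dport=(?P<odport>\d+)\s+"
    r"(?:\[UNREPLIED\]\s+)?"
    r"src=(?P<rsrc>\S+)\s+dst=(?P<rdst>\S+)\s+sport=(?P<rsport>\d+)\s+dport=(?P<rdport>\d+)"
)

# Constructed sample output: a DNAT'd flow to port 1234, a plain SSH session
# to the firewall itself, and an unanswered internal DNS query.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=203.0.113.7 dst=198.51.100.1 sport=40001 dport=1234 src=192.168.5.20 dst=203.0.113.7 sport=1234 dport=40001 [ASSURED] mark=0 use=1
tcp      6 300 ESTABLISHED src=203.0.113.9 dst=198.51.100.1 sport=40500 dport=22 src=198.51.100.1 dst=203.0.113.9 sport=22 dport=40500 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.5.31 dst=192.168.5.1 sport=51000 dport=53 [UNREPLIED] src=192.168.5.1 dst=192.168.5.31 sport=53 dport=51000 mark=0 use=1
"""


@dataclass
class Entry:
    proto: str
    state: str
    osrc: str
    odst: str
    osport: int
    odport: int
    rsrc: str
    rdst: str
    rsport: int
    rdport: int

    @property
    def dnat_target(self) -> Optional[str]:
        """Address the packets are rewritten to, or None when no DNAT applies.

        With DNAT the reply comes from the real server, so the reply source
        differs from the destination the client originally addressed. This
        stored mapping is why the flow survives a `-t nat -F`.
        """
        return self.rsrc if self.rsrc != self.odst else None


def parse_conntrack(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        entries.append(Entry(
            proto=g["proto"], state=g["state"] or "",
            osrc=g["osrc"], odst=g["odst"], osport=int(g["osport"]), odport=int(g["odport"]),
            rsrc=g["rsrc"], rdst=g["rdst"], rsport=int(g["rsport"]), rdport=int(g["rdport"]),
        ))
    return entries


def matching_flows(entries: List[Entry], client_ip: str, public_ip: str,
                   port: int, proto: str = "tcp") -> List[Entry]:
    """Entries created through the DNAT rule: client -> public_ip:port."""
    return [e for e in entries
            if e.proto == proto and e.osrc == client_ip
            and e.odst == public_ip and e.odport == port]


def delete_commands(entries: List[Entry]) -> List[str]:
    """`conntrack -D` invocations that remove exactly those entries."""
    return [
        f"conntrack -D -p {e.proto} --orig-src {e.osrc} --orig-dst {e.odst} "
        f"--orig-port-src {e.osport} --orig-port-dst {e.odport}"
        for e in entries
    ]


def teardown_plan(conntrack_output: str, client_ip: str, public_ip: str,
                  server_ip: str, port: int) -> List[str]:
    """Ordered commands to revoke one DNAT'd flow without opening the firewall.

    1. Delete the specific ACCEPT rule; the FORWARD policy stays DROP and the
       ESTABLISHED,RELATED rule other flows depend on is left in place.
    2. Delete the DNAT rule so no NEW connection receives the mapping.
    3. Delete the live conntrack entries; until they are gone the existing
       connection still matches ESTABLISHED and keeps its stored translation.
    """
    plan = [
        f"iptables -D FORWARD -p tcp -s {client_ip} -d {server_ip} --dport {port} -j ACCEPT",
        f"iptables -t nat -D PREROUTING -p tcp -s {client_ip} -d {public_ip} "
        f"--dport {port} -j DNAT --to-destination {server_ip}",
    ]
    flows = matching_flows(parse_conntrack(conntrack_output), client_ip, public_ip, port)
    plan.extend(delete_commands(flows))
    return plan


if __name__ == "__main__":
    for cmd in teardown_plan(SAMPLE_CONNTRACK, "203.0.113.7", "198.51.100.1",
                             "192.168.5.20", 1234):
        print(cmd)
```

Run against live data with `conntrack -L 2>/dev/null` fed into `teardown_plan`, and review the printed commands before executing them. Deleting entries rather than flushing the whole table (`conntrack -F`) keeps every other established connection intact; the old `echo f > /proc/net/ip_conntrack` trick and a full flush both force all flows back through the rule set at once.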
