On Wed, 2002-11-13 at 14:34, Doug Watson wrote:

> If there really is a bug in ip_conntrack
> that makes me unfortunately skittish about
> continuing on with netfilter/iptables as a
> viable solution for my company. Yet it seems
> like many people have implemented this and have
> not seen these types of problems.

Agreed. I finally solved my problem, which was due to me not allowing ICMP packets to be sent out the OUTPUT chain for established connections that were being forwarded. My bad, *not* a conntrack problem, it just seemed that way at the time.

> I have run the script that you sent me several times.
> Attached is a sample output from it. I don't believe that
> I am seeing anything too strange, but I do have 1 question.
> In the following line, which you will see in the attached file,
> what does the (policy ACCEPT 4 packets, 284 bytes) mean?
>
> Chain OUTPUT (policy ACCEPT 4 packets, 284 bytes)

Your attachment seems to have been filtered out.

The policy lines mean that no rules in the chain matched and therefore the default policy took effect. It is usually recommended to have a default DROP policy if you're being paranoid, and to explicitly allow the connections you want to come through. However, as I learnt the hard way, you have to make sure the related traffic is also allowed through. The ICMP packet that bit me was due to fragmentation being required but not possible on the gateway, probably a symptom of the fact that my two interfaces (ppp and eth) had different MTUs.

> Is that the total number of packets to traverse the OUTPUT
> chain or is it the number of packets ACCEPTED by the policy for the
> OUTPUT chain? Or something else?

Just the packets that defaulted to the policy; the other counts will be against each rule itself.

--
Alex
http://www.bennee.com/~alex/
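Added example, not part of the thread above and not Alex's or Doug's script: a minimal default-DROP ruleset for a two-interface gateway that shows the two points made in the reply. Every chain gets an ESTABLISHED,RELATED rule, including OUTPUT, which is where an ICMP "fragmentation needed" error generated by the gateway for a forwarded connection travels (conntrack marks it RELATED to that connection), and each chain logs just before the policy counter is hit so a "(policy DROP N packets)" line is explainable from the log. It goes a little beyond the thread by also clamping the TCP MSS to the path MTU, the standard workaround for a PPP/Ethernet MTU mismatch. The interface names ppp0 and eth0 and the LAN prefix 192.168.1.0/24 are assumptions; setting IPT=echo prints the commands instead of applying them, which is also the default when the script is run without --apply.

```shell
#!/bin/sh
# Added example (not from the original thread). Interface names and the
# LAN prefix below are assumptions; adjust them for a real gateway.
# IPT=echo turns this into a dry run that prints each iptables command.

IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-ppp0}"               # assumed external (PPP) interface
LAN_IF="${LAN_IF:-eth0}"               # assumed internal interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed LAN prefix

apply_rules() {
    # Start from clean filter and mangle tables.
    $IPT -F
    $IPT -X
    $IPT -t mangle -F

    # Default DROP: a packet matching no rule is counted on the policy line
    # that `iptables -L -v` shows as "(policy DROP N packets, M bytes)".
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback traffic is always allowed.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Replies and related packets for connections conntrack already tracks.
    # The OUTPUT rule is the one missing in the thread: an ICMP error the
    # gateway itself generates for a forwarded flow is locally originated,
    # so it traverses OUTPUT, and conntrack classifies it as RELATED.
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done

    # New connections: LAN hosts may go out via the WAN link, and the
    # gateway may originate its own connections.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -m state --state NEW -j ACCEPT

    # Reduce "fragmentation needed" errors caused by the PPP/Ethernet MTU
    # mismatch by clamping the TCP MSS on outgoing SYNs to the path MTU.
    $IPT -t mangle -A FORWARD -o "$WAN_IF" -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu

    # Log whatever is about to fall through to the policy, so the policy
    # counters can be matched against log lines; the policy still drops.
    $IPT -A INPUT   -j LOG --log-prefix "policy-drop IN: "
    $IPT -A FORWARD -j LOG --log-prefix "policy-drop FWD: "
    $IPT -A OUTPUT  -j LOG --log-prefix "policy-drop OUT: "
}

# Self-check helper: in dry-run mode, count how many chains received the
# ESTABLISHED,RELATED rule (expected: INPUT, FORWARD and OUTPUT, i.e. 3).
count_state_rules() {
    IPT=echo apply_rules | grep -c 'ESTABLISHED,RELATED'
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    IPT=echo apply_rules
fi
```

Run it without arguments to review the commands it would issue, then with --apply as root to load them; afterwards `iptables -L -v -n` shows per-rule counters on each line and the policy counter in the chain header, so a rising OUTPUT policy counter alongside "policy-drop OUT:" log lines points straight at the kind of locally generated ICMP that the reply describes.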