On Monday 28 October 2002 5:32 am, yenjet.chan@eglobal.com.my wrote:

> Hi all,
>
> This is my first post to the list, so please bear with me.
> I have a requirement here. Is it possible to create purely NAT
> iptables rules for certain IP addresses?

No. You can turn off stateful inspection by not loading or compiling the
connection tracking support, but you cannot use it for some addresses but
not others.

> What I mean here is I want to enable stateful filtering for most of the
> users except certain IP addresses/subnets. Stateful filtering is good
> sometimes, but not all the time, when you really want to do portscanning
> activities from a machine that sits behind the firewall.

How much memory is in the netfilter machine / what size is your conntrack
table / how many connections are you generating with your portscans for
this to be a problem?

Maybe it would help if you compile conntrack as a module and then you can
unload it when you want to empty the connection tracking table? (This will
unload *all* the entries at the same time, though.)

Antony.

--
The first ninety percent of an engineering project takes ninety percent of
the time, and the last ten percent takes the remaining ninety percent.
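The two things Antony asks about (how full the conntrack table actually is, and emptying it by unloading the module) as a small shell script. This is an added example, not code from the thread or from the netfilter project. The /proc paths are the ones Linux exposes (ip_conntrack on 2.4 kernels, nf_conntrack on later ones) and the module names are the 2.4-era ones; the function names and the file contents used in the comments are made up for illustration. The usage function takes its input files as arguments so it can be run against copies rather than the live /proc.

```shell
#!/bin/sh
# Added example: inspect and flush the netfilter connection tracking table.
# Not from the original mailing-list post; paths/module names are assumptions
# about the kernel version in use (see the lead-in).

# Print "<entries> <max> <percent-used>" for a conntrack table.
#   $1: file with the current entry count (nf_conntrack_count), or the table
#       dump itself, one entry per line (/proc/net/ip_conntrack on 2.4)
#   $2: file with the configured ceiling (ip_conntrack_max / nf_conntrack_max)
conntrack_usage() {
    count_file=$1
    max_file=$2
    max=$(tr -d ' \n' < "$max_file")
    lines=$(wc -l < "$count_file" | tr -d ' ')
    # A file holding a single bare number is a count; anything else is a dump
    # and the number of entries is the number of lines.
    if [ "$lines" -le 1 ] && grep -qx '[0-9][0-9]*' "$count_file"; then
        count=$(tr -d ' \n' < "$count_file")
    else
        count=$lines
    fi
    pct=$(( count * 100 / max ))
    echo "$count $max $pct"
}

# Pick whichever interface the running kernel provides. Returns 1 when no
# conntrack support is loaded at all (the situation Antony describes).
conntrack_report() {
    if [ -r /proc/sys/net/netfilter/nf_conntrack_count ]; then
        conntrack_usage /proc/sys/net/netfilter/nf_conntrack_count \
                        /proc/sys/net/netfilter/nf_conntrack_max
    elif [ -r /proc/net/ip_conntrack ]; then
        conntrack_usage /proc/net/ip_conntrack \
                        /proc/sys/net/ipv4/ip_conntrack_max
    else
        echo "connection tracking is not loaded" >&2
        return 1
    fi
}

# Empty the table the way the post suggests: unload ip_conntrack and load it
# again. Everything that depends on it (NAT, the state match, protocol
# helpers) must be removed first or rmmod refuses with "module in use".
# Caveats a practitioner should expect: every tracked connection on the box
# is dropped, not just the scanner's, and unloading iptable_nat discards the
# rules in the nat table, so they have to be reinstalled afterwards.
# Assumes 2.4-era module names; adjust for nf_conntrack on newer kernels.
conntrack_flush() {
    for m in iptable_nat ipt_state ip_conntrack_ftp ip_conntrack; do
        if lsmod | grep -q "^$m "; then
            rmmod "$m" || return 1
        fi
    done
    modprobe ip_conntrack
}

# Only report when explicitly asked; never unload modules implicitly.
[ "$1" = "report" ] && conntrack_report
```

Run `sh conntrack.sh report` (as root, or with /proc readable) before and during a scan to see whether the table is anywhere near its ceiling; only if it is does flushing with `conntrack_flush` buy anything, and then the NAT rules need re-adding.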