Purely NAT

On Monday 28 October 2002 6:37 pm, Anthony Liu wrote:

> On Mon, 28 Oct 2002 14:44:43 +0000 Antony Stone <Antony@Soft-Solutions.co.uk> wrote:
> > On Monday 28 October 2002 5:32 am, yenjet.chan@eglobal.com.my wrote:
> > > Hi all,
> > >
> > > This is my first post to the list, so please bear with me.
> > > I have a requirement here. Is it possible to create purely NAT
> > > iptables rules for certain IP addresses?
> >
> > No.   You can turn off stateful inspection by not loading or compiling
> > the connection tracking support, but you cannot use it for some addresses
> > but not others.
>
> Are you sure? By not using "-m state" it might actually work, how about:
> iptables -A FORWARD -o ppp0 -s aaa.bbb.ccc.eee -j ACCEPT
> iptables -A FORWARD -o ppp0 -s aaa.bbb.ccc.ddd -m state --state ! INVALID -j ACCEPT

This will allow you to create rules which do not refer to stateful 
inspection, agreed, but it doesn't stop netfilter from maintaining the 
connection tracking table for those connections.

Since the original poster wanted to increase the efficiency of netfilter by 
avoiding the overhead of maintaining the connection tracking table, simply 
writing rules which do not use -m state doesn't help.

Antony.

-- 

The difference between theory and practice is that
in theory there is no difference, whereas in practice there is.
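Antony's point above can be checked empirically: whether or not a rule uses -m state, flows that pass through the box still show up in the kernel's connection tracking table. The script below is an added example, not part of the original thread, that reads that table (assumed to be at /proc/net/nf_conntrack on newer kernels or /proc/net/ip_conntrack on 2.4-era kernels) and counts the tracked flows whose original-direction source is a given address. When no live table is readable, it runs against a small constructed sample so it can be tried offline; the addresses in that sample are made up.

```shell
#!/bin/sh
# Added example: inspect netfilter's connection tracking table to see whether
# flows from a given source address are being tracked, independent of whether
# any filter rule refers to -m state.

# Locate the conntrack table. Assumed paths: /proc/net/nf_conntrack (newer
# kernels) or /proc/net/ip_conntrack (2.4-era ip_conntrack module).
conntrack_table_path() {
    for p in /proc/net/nf_conntrack /proc/net/ip_conntrack; do
        if [ -r "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Count tracked flows whose original-direction source is $1, reading the table
# from file $2 (defaults to the live table). Each conntrack line carries two
# "src=... dst=..." tuples (original and reply direction); only the first
# src= field on a line is the original source, so we stop after matching it.
count_tracked_src() {
    addr=$1
    table=${2:-$(conntrack_table_path)} || return 1
    awk -v want="$addr" '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^src=/) {
                    split($i, kv, "=")
                    if (kv[2] == want) n++
                    break
                }
            }
        }
        END { print n + 0 }
    ' "$table"
}

# Constructed sample in both table formats (nf_conntrack lines start with the
# address family, ip_conntrack lines start with the protocol name). Written to
# the file named in $1.
write_sample_table() {
    cat >"$1" <<'EOF'
ipv4     2 tcp      6 431999 ESTABLISHED src=10.1.1.5 dst=203.0.113.9 sport=40000 dport=80 src=203.0.113.9 dst=10.1.1.5 sport=80 dport=40000 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=10.1.1.6 dst=203.0.113.53 sport=5353 dport=53 src=203.0.113.53 dst=10.1.1.6 sport=53 dport=5353 mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.1.1.5 dst=203.0.113.10 sport=40001 dport=443 src=203.0.113.10 dst=10.1.1.5 sport=443 dport=40001 [ASSURED] use=1
EOF
}

# Report for one address: live table if readable, otherwise the sample.
report_tracked_src() {
    addr=$1
    if live=$(conntrack_table_path); then
        n=$(count_tracked_src "$addr" "$live")
        printf '%s: %s tracked flow(s) in %s\n' "$addr" "$n" "$live"
    else
        tmp=$(mktemp)
        write_sample_table "$tmp"
        n=$(count_tracked_src "$addr" "$tmp")
        rm -f "$tmp"
        printf '%s: %s tracked flow(s) in constructed sample (no live table)\n' "$addr" "$n"
    fi
}

# Stand-alone usage: ./conntrack_check.sh 10.1.1.5
if [ $# -gt 0 ]; then
    report_tracked_src "$1"
fi
```

On a router with connection tracking loaded, run it with the address from the first quoted rule (the one accepted without -m state) after sending some traffic through: a non-zero count shows the flows are tracked anyway, which is exactly the overhead the original poster was hoping to avoid.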
