Hi,

My problem is that I can't cut an established TCP connection through NAT.

Detail: I have a Red Hat Linux 7.2 box with the default iptables (v1.2.3) installed. The box has two ethernet cards: eth0 (61.139.69.7) is directly connected to the internet and eth1 (192.168.0.1) is my intranet gateway. I used this rule for NAT:

    iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 61.139.69.7

and it worked fine. But for management, I want to allow only authenticated clients to use NAT to the internet. So I wrote a simple CGI and added some rules to control the NAT clients. The default rules look like this:

    iptables -t nat -A PREROUTING -d 192.168.0.1 -j ACCEPT
    iptables -t nat -A PREROUTING -s 192.168.0.1 -j ACCEPT
    iptables -t nat -A PREROUTING -d 61.139.69.7 -j ACCEPT
    iptables -t nat -A PREROUTING -s 61.139.69.7 -j ACCEPT
    iptables -t nat -P PREROUTING DROP

When a client logs in correctly, my CGI adds a rule:

    iptables -t nat -I PREROUTING -s <client_ip> -j ACCEPT

So the client can use NAT now. And if I delete this rule, the client should not be able to use NAT. But I found that if a client has established a TCP connection like telnet, the telnet connection is still active when I delete the rule. E.g.: the client 192.168.0.73 telnets to 61.139.69.11, then I delete its NAT rule; if 192.168.0.73 has not exited from the telnet, he can still use this telnet session. But he can't ping 61.139.69.11. Why? How can I really cut the client's NAT connection?

Maybe my method to control NAT is stupid. Any advice is welcome.

Thanks.

--
-hanxin
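Why the telnet session survives: the nat table (PREROUTING/POSTROUTING) is consulted only for the first packet of a connection. Once connection tracking has recorded the NAT mapping, every later packet of that flow is translated from the conntrack entry without going through the nat PREROUTING rules again, so deleting the per-client ACCEPT there has no effect on flows that already exist. The filter table's FORWARD chain, by contrast, is traversed for every forwarded packet, so an authorisation rule placed there can be withdrawn and takes effect on the next packet, even though the stale NAT mapping lingers in conntrack until it times out. The script below is an added example illustrating that approach; it is not the original poster's CGI. The interface names and addresses are the ones from the post; the function names, the IPT variable (set IPT="echo iptables" for a dry run without root), and the address shape check are assumptions of this example. The `-m state` match needs the ipt_state module, which 2.4-era kernels ship alongside connection tracking.

```shell
#!/bin/sh
# Added example (not the original poster's code): per-client NAT
# authorisation kept in the filter FORWARD chain instead of nat PREROUTING.
# Addresses/interfaces are from the post; everything else is assumed here.

WAN_IF=eth0
WAN_IP=61.139.69.7
LAN_IF=eth1

# Command used for every rule. Override with IPT="echo iptables" to see
# the rules that would be applied without running iptables as root.
: "${IPT:=iptables}"

# A CGI hands us the client address; refuse anything that is not a plain
# 192.168.0.x dotted quad so shell metacharacters never reach iptables.
valid_lan_ip() {
    case "$1" in
        192.168.0.[0-9]|192.168.0.[0-9][0-9]|192.168.0.[0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

nat_setup() {
    # Source NAT for everything leaving eth0, as in the post.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
    # Forward nothing by default; every packet of every flow is checked
    # here, so removing a client's rules stops its existing sessions too.
    $IPT -P FORWARD DROP
}

allow_client() {
    valid_lan_ip "$1" || { echo "allow_client: bad client address '$1'" >&2; return 1; }
    client=$1
    # Outbound packets from the client towards the internet.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$client" -j ACCEPT
    # Replies to the client. Conntrack has already reversed the SNAT in
    # PREROUTING, so the packet is addressed to the LAN client here.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$client" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

revoke_client() {
    valid_lan_ip "$1" || { echo "revoke_client: bad client address '$1'" >&2; return 1; }
    client=$1
    # -D must repeat the exact rule specification used when adding.
    $IPT -D FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$client" -j ACCEPT
    $IPT -D FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$client" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The NAT mapping for the old telnet session still exists in
    # conntrack, but its packets are now dropped by the FORWARD policy.
}

# Usage: nat.sh setup | allow <client_ip> | revoke <client_ip>
case "$1" in
    setup)  nat_setup ;;
    allow)  allow_client "$2" ;;
    revoke) revoke_client "$2" ;;
esac
```

With this layout the CGI calls `allow` after a successful login and `revoke` on logout or timeout; the nat PREROUTING chain is left at its default ACCEPT policy, since authorisation no longer lives there.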