Unless you're using NAT, you shouldn't need ip_conntrack. Just use a simple rule such as:

$IPT -A FORWARD -d 2.2.2.0/24 -p tcp --syn -j DROP
$IPT -A FORWARD -d 2.2.2.0/24 -p udp -j DROP

This will allow traffic back in to connections established from 2.2.2.0/24 but not allow external connections to establish any _new_ connections to 2.2.2.0/24.

> Our mission:
>
> To only allow FORWARD traffic coming from a trusted NIC or subnet out to the
> internet, while not letting any traffic at ALL back into that trusted NIC or
> SUBNET UNLESS it was initiated from within.
>
> So, we want 2.2.2.0/24 to be able to initiate any connections they want, and
> get the response it needs back, but we want no connections to be able to
> come in ( i.e. those annoying windows msg popup ads spammers are using, worm
> problems, icmp probes, etc ).
>
> I've read up and understand somewhat, but can't seem to figure out how to
> deal with this in/out issue and not using connection tracking.
>
> Thanks!
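An added example, not part of this thread, that simulates the FORWARD decision the two posted rules make so the result for each kind of traffic can be checked without a live firewall. The `--syn` semantics (SYN set, ACK/RST/FIN clear) are what iptables documents; the chain's default policy of ACCEPT, the inside host 2.2.2.5 and the outside host 198.51.100.7 are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Subnet from the thread; the FORWARD chain policy (ACCEPT) is an assumption.
TRUSTED = ip_network("2.2.2.0/24")
FORWARD_POLICY = "ACCEPT"


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


def matches_syn(pkt: Packet) -> bool:
    """iptables '--syn': SYN set and ACK, RST, FIN all clear, i.e. the first
    packet of a new TCP connection. A SYN/ACK reply does not match."""
    return (pkt.proto == "tcp"
            and "SYN" in pkt.flags
            and not pkt.flags & {"ACK", "RST", "FIN"})


def forward_verdict(pkt: Packet) -> str:
    """Apply the two posted rules in order, then fall through to the policy."""
    to_trusted = ip_address(pkt.dst) in TRUSTED
    # $IPT -A FORWARD -d 2.2.2.0/24 -p tcp --syn -j DROP
    if to_trusted and matches_syn(pkt):
        return "DROP"
    # $IPT -A FORWARD -d 2.2.2.0/24 -p udp -j DROP
    if to_trusted and pkt.proto == "udp":
        return "DROP"
    return FORWARD_POLICY


# Constructed traffic: inside host 2.2.2.5 talking to outside host 198.51.100.7.
SCENARIOS = {
    "outbound tcp syn":    Packet("tcp", "2.2.2.5", "198.51.100.7", frozenset({"SYN"})),
    "inbound tcp syn/ack": Packet("tcp", "198.51.100.7", "2.2.2.5", frozenset({"SYN", "ACK"})),
    "inbound tcp data":    Packet("tcp", "198.51.100.7", "2.2.2.5", frozenset({"ACK"})),
    "inbound tcp new syn": Packet("tcp", "198.51.100.7", "2.2.2.5", frozenset({"SYN"})),
    "outbound udp":        Packet("udp", "2.2.2.5", "198.51.100.7"),
    "inbound udp reply":   Packet("udp", "198.51.100.7", "2.2.2.5"),
    "inbound icmp echo":   Packet("icmp", "198.51.100.7", "2.2.2.5"),
}


def run_scenarios() -> dict:
    """Verdict for every constructed packet, keyed by scenario name."""
    return {name: forward_verdict(pkt) for name, pkt in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:20s} -> {verdict}")
```

The simulation shows why the stateless TCP rule works: the inside host's SYN goes out, the SYN/ACK and later data packets come back in, and only an outside host's fresh SYN is dropped. It also shows the two limits of this ruleset that a practitioner should check against their own needs: a UDP reply to an inside host is dropped just like an unsolicited datagram, because without state there is nothing to tell them apart, and ICMP is not matched by either rule and so falls through to the chain policy.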