On Mon, 2003-04-07 at 17:02, dhiraj.2.bhuyan@xxxxxx wrote:
<snip rest>
> but also in INPUT and POSTROUTING chain. What I find strange with this is
> that for a packet that goes through the "FORWARD" chain, "conntrack" is done
> twice on the same packet - first in the "PREROUTING" chain and second in the
> "POSTROUTING" chain. Does anyone have any explanation for this?

I think the first packet goes through POSTROUTING; subsequent packets (after their routes are determined) go straight to FORWARD.

>
> 2. If a packet is found to belong to an already ESTABLISHED connection, does
> it still have to go through the filter rules again?

I would think so. You need to explicitly have "-m state --state ESTABLISHED,RELATED -j ACCEPT" to process those packets.

My $0.02 *awaits flame galore*

--
Vincent Lim <vincent.lim@xxxxxxxxxx>
NESTAC Solution Sdn Bhd