On Mon 04/08/2003 at 09:49, Jean-Christian Imbeault wrote:

> Had a look and no errors were logged in that file.

This file is not a log. This is your conntrack table. When it is full, packets that should have been spotted as NEW are INVALID because there's no place left to handle them. Afaik, INVALID for TCP means the packet is really fucked or an error occurred during state matching.

Could you post an iptables-save output for your INPUT chain so we can have a complete ruleset description?

> Also, is my rule overkill in the sense that specifying all three of NEW,
> ESTABLISHED and RELATED states is not necessary. I could get away with
> just NEW and RELATED?

It is a bit redundant with the previous rule that allows ESTABLISHED and RELATED packets, whatever source, destination and protocol they may have. So, ESTABLISHED HTTP packets to 203.179.86.66 would not reach your rule, being accepted by the previous one. Moreover, RELATED is useless, as HTTP does not have related connections such as FTP or IRC.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE
FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
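The redundancy argument above (an early rule that accepts ESTABLISHED,RELATED for any source, destination and protocol shadows those states in every later, more specific rule) can be checked mechanically against an iptables-save dump. The script below is an added example, not code from the thread or its participants. It uses a deliberately small parser that understands only `-p`, `-s`, `-d`, `--dport`, `--state`/`--ctstate`, `-m` and `-j`, and works on a constructed INPUT chain modelled on the rules described in the thread; the `PORTS_WITHOUT_HELPER` set (no stock conntrack helper exists for HTTP/HTTPS, so no RELATED entries are ever created for them) and the `TERMINATING` target list are the script's own assumptions.

```python
"""Audit conntrack-state matches in an iptables INPUT chain.

Added example, not from the original thread. For each rule that matches on
conntrack state it reports which of those states can never reach the rule,
because an earlier rule matching on state alone (any src/dst/proto) already
terminated them, and whether RELATED is pointless for the port in question.
"""
import shlex
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed sample chain modelled on the thread: a generic ESTABLISHED,RELATED
# accept, then the HTTP rule under discussion, then a drop of INVALID packets.
SAMPLE_INPUT_CHAIN = """\
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -d 203.179.86.66/32 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
"""

# Assumption: stock conntrack ships no helper for these services, so RELATED
# conntrack entries are never created for them (HTTP has no ftp/irc-style
# secondary connections).
PORTS_WITHOUT_HELPER = {"80", "443"}
# Assumption: targets after which a matched packet leaves the chain.
TERMINATING = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    chain: str
    raw: str
    states: FrozenSet[str] = frozenset()
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[str] = None
    target: Optional[str] = None

    def is_state_only(self) -> bool:
        """True if the rule matches on conntrack state alone (any src/dst/proto)."""
        return not any((self.proto, self.src, self.dst, self.dport))


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one iptables-save '-A CHAIN ...' line; other lines yield None."""
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    rule = Rule(chain=tokens[1], raw=line.strip())
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok in ("-p", "--protocol"):
            rule.proto = nxt
        elif tok in ("-s", "--source"):
            rule.src = nxt
        elif tok in ("-d", "--destination"):
            rule.dst = nxt
        elif tok in ("--dport", "--destination-port"):
            rule.dport = nxt
        elif tok in ("--state", "--ctstate"):
            rule.states = frozenset(nxt.split(","))
        elif tok in ("-j", "--jump"):
            rule.target = nxt
        elif tok != "-m":           # -m <module>: the module's options are handled above
            i += 1                  # single-token option we don't model
            continue
        i += 2
    return rule


def audit_chain(text: str, chain: str = "INPUT") -> List[Dict[str, object]]:
    """Walk the chain in order and report, per state-matching rule, which states
    are shadowed by earlier state-only terminating rules and what remains."""
    findings: List[Dict[str, object]] = []
    consumed: set = set()       # states already terminated for every packet
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule.chain != chain:
            continue
        if rule.states:
            redundant = rule.states & consumed
            findings.append({
                "rule": rule.raw,
                "redundant": sorted(redundant),
                "effective": sorted(rule.states - redundant),
                "related_unreachable": "RELATED" in rule.states
                                       and rule.dport in PORTS_WITHOUT_HELPER,
            })
        if rule.target in TERMINATING and rule.is_state_only():
            consumed |= rule.states
    return findings


if __name__ == "__main__":
    for f in audit_chain(SAMPLE_INPUT_CHAIN):
        print(f["rule"])
        print("  shadowed states:", f["redundant"] or "none",
              "| still useful:", f["effective"],
              "| RELATED unreachable:", f["related_unreachable"])
```

Run against a real dump with `iptables-save | python3 audit.py`-style piping after swapping `SAMPLE_INPUT_CHAIN` for `sys.stdin.read()`; on the constructed chain it reports that the HTTP rule's ESTABLISHED and RELATED are shadowed by the first rule, leaving NEW as the only state that rule actually filters on, which is exactly the conclusion of the reply above.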