On Fri 31/10/2003 at 11:47, Michael Renzmann wrote:
> First of all thanks for your answer.

You're welcome ;)

> > Note that if you do not conntrack a connection, you lose all conntrack
> > capabilities such as ICMP error handling, helpers and NAT (as
> > Netfilter's NAT relies on conntrack).
> Just to be sure: it will still be possible to use conntrack for traffic
> that is targeted to the router itself, while pushing forwarded traffic
> through the router without connection tracking. Correct?

You're able to do anything you want, as you have to explicitly implement
which traffic you do not want to track.

Suppose your local IP is A.B.C.D, then doing something like this should do
the trick:

iptables -t raw -A PREROUTING -d ! A.B.C.D -j NOTRACK

Do this to exclude all traffic destined to local box.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE
FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
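The split described in the reply, as an added example that is not part of the original thread: raw-table NOTRACK rules for everything except traffic to or from the router's own address, plus the filter-side consequence (state matching keeps working for INPUT, but FORWARD must not rely on ESTABLISHED/RELATED). 192.0.2.1 is a placeholder address, DRY_RUN is an assumed switch that prints the rules instead of applying them, and the modern "! -d" negation syntax replaces the 2003-era "-d !".

```shell
#!/bin/sh
# Added example, not from the thread. Keeps conntrack for traffic to/from the
# router itself while skipping it for forwarded traffic. DRY_RUN=1 prints the
# iptables commands instead of running them (assumed switch, not an iptables flag).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Raw-table rules: a packet not addressed to (PREROUTING) or not sourced from
# (OUTPUT) the router's own address gets NOTRACK before conntrack ever sees it,
# so only router-bound and router-originated traffic stays tracked.
notrack_forwarded() {
    local_ip="$1"
    run iptables -t raw -A PREROUTING ! -d "$local_ip" -j NOTRACK
    run iptables -t raw -A OUTPUT ! -s "$local_ip" -j NOTRACK
}

# Filter rules: INPUT can still use state matching because local traffic is
# tracked. Forwarded packets carry no conntrack entry, so a state-based FORWARD
# policy would drop them; they show up as UNTRACKED and need stateless rules.
# NAT rules in the nat table will also never apply to these packets.
filter_rules() {
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
    run iptables -A FORWARD -m conntrack --ctstate UNTRACKED -j ACCEPT
}

# Usage: DRY_RUN=1 sh thisfile.sh 192.0.2.1   (prints the rules; drop DRY_RUN to apply as root)
if [ -n "${1:-}" ]; then
    notrack_forwarded "$1"
    filter_rules
fi
```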