First of all, thanks for your answer.
Cedric Blancher wrote:
> [...] However, you can use the raw table that is available in patch-o-matic. This will imply iptables and kernel compilation. The raw table is prior to the conntrack subsystem and allows you to choose whether a packet has to go through conntrack or not, using the NOTRACK target:
> iptables -t raw -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 -j NOTRACK
Thanks for the tip, I think this will do. We already use a bunch of the pom-patches, and if I remember correctly the RAW-patch has already been applied.
> Note that if you do not conntrack a connection, you lose all conntrack capabilities such as ICMP error handling, helpers and NAT (as Netfilter's NAT relies on conntrack).
Just to be sure: it will still be possible to use conntrack for traffic that is targeted to the router itself, while pushing forwarded traffic through the router without connection tracking. Correct?
Bye, Mike
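As an added example that is not part of the thread, the following script builds a ruleset along the lines of Cedric's tip: traffic addressed to the router's own addresses is exempted from NOTRACK in the raw table and stays tracked, while everything else (forwarded traffic) bypasses conntrack. The addresses 192.0.2.1 and 10.0.0.1, the DRY_RUN variable and the ipt wrapper are assumptions for illustration, not anything from the original mails; it needs a kernel and iptables built with the raw table.

```shell
#!/bin/sh
# Added example, not from the original thread. Keep connection tracking for
# traffic to the router itself, bypass it (raw table, NOTRACK) for forwarded
# traffic. Assumed router addresses: 192.0.2.1 (WAN) and 10.0.0.1 (LAN).

# Run one iptables command, or just print it when DRY_RUN is set.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Emit the whole ruleset. Arguments: the router's own IP addresses.
gen_rules() {
    ipt -t raw -F PREROUTING

    # Packets for the router itself: ACCEPT in raw only ends raw-table
    # traversal, the packet still goes through conntrack as usual.
    for addr in "$@"; do
        ipt -t raw -A PREROUTING -d "$addr" -j ACCEPT
    done
    # Everything else entering the box is to be forwarded: skip conntrack.
    # These packets also lose helpers, ICMP error handling and NAT.
    ipt -t raw -A PREROUTING -j NOTRACK
    # raw OUTPUT is left empty, so locally generated traffic stays tracked.

    # INPUT still sees tracked traffic, so state matching works here.
    ipt -F INPUT
    ipt -P INPUT DROP
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -p tcp --dport 22 -j ACCEPT

    # FORWARD sees untracked packets: there is no conntrack entry, so
    # --state ESTABLISHED,RELATED can never match. Rules must be stateless.
    ipt -F FORWARD
    ipt -P FORWARD DROP
    ipt -A FORWARD -p tcp --dport 80 -j ACCEPT
    ipt -A FORWARD -p tcp --sport 80 ! --syn -j ACCEPT
}

# Preview without touching the kernel:  DRY_RUN=1 sh notrack.sh
if [ -n "${DRY_RUN:-}" ]; then
    gen_rules 192.0.2.1 10.0.0.1
fi
```

After loading the rules for real, /proc/net/ip_conntrack should only list connections to or from the router itself; a forwarded HTTP flow through the box must not show up there, which is the quickest check that the NOTRACK rule is actually being hit.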