On Mon, 26 Apr 2004, Mike Andersen wrote:

> iptables -A FORWARD -m conntrack --ctorigdst <int_ip> -j ACCEPT
> iptables -A FORWARD -j DROP

Works here..

> I then look more closely at the state table (/proc/net/ip_conntrack)
> and see that there are two sets of source definition, and two sets for
> the destination:

One is the ORIGINAL direction, the other the REPLY direction. Each is
matched independently by the "conntrack" match (--ctorigdst vs
--ctreplydst).

> Any idea of why the "-m conntrack --ctorigdst <int_ip>" also passes
> through traffic where int_ip is the source of the session?

Does work like intended here and only matches where it is the original
destination. But I am using this for packet filtering, not mirroring.
Not that I see any difference.

Also I am using an extended version of the conntrack match which can
match additional details such as ports etc, based on the conntrack match
found in patch-o-matic-ng. (see netfilter-devel discussions some many
months ago).. but that should not make any difference either.

Regards
Henrik
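An added example, not part of the thread above: the Python below parses /proc/net/ip_conntrack lines into their ORIGINAL and REPLY tuples and models the four address tests of the conntrack match (--ctorigsrc, --ctorigdst, --ctreplysrc, --ctreplydst), so you can see which state-table entries "--ctorigdst <int_ip>" selects and which "--ctreplydst <int_ip>" selects. The sample table, the addresses in it and the helper names are constructed for this illustration and are not from Henrik's or Mike's setup.

```python
import re

# Constructed sample of /proc/net/ip_conntrack output (example data, not from
# the thread). Every entry carries two tuples: the first src=/dst= block is
# the ORIGINAL direction, the second is the REPLY direction.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=43210 dport=80 src=203.0.113.5 dst=192.168.1.10 sport=80 dport=43210 [ASSURED] use=1
tcp      6 299 ESTABLISHED src=203.0.113.9 dst=192.168.1.10 sport=51000 dport=22 src=192.168.1.10 dst=203.0.113.9 sport=22 dport=51000 [ASSURED] use=1
udp      17 29 src=192.168.1.20 dst=192.168.1.1 sport=5353 dport=53 src=192.168.1.1 dst=192.168.1.20 sport=53 dport=5353 use=1
icmp     1 29 src=192.168.1.10 dst=203.0.113.7 type=8 code=0 id=1234 src=203.0.113.7 dst=192.168.1.10 type=0 code=0 id=1234 use=1
"""

# One tuple: addresses are mandatory; L4 ports are present for tcp/udp only
# (icmp entries carry type=/code=/id= instead, which this model ignores).
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+)(?: sport=(\d+) dport=(\d+))?")


def _tuple_dict(src, dst, sport, dport):
    return {
        "src": src,
        "dst": dst,
        "sport": int(sport) if sport else None,
        "dport": int(dport) if dport else None,
    }


def parse_entry(line):
    """Split one ip_conntrack line into protocol, ORIGINAL tuple and REPLY tuple."""
    fields = line.split()
    if not fields:
        raise ValueError("empty conntrack line")
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        raise ValueError("expected ORIGINAL and REPLY tuples: %r" % line)
    return {
        "proto": fields[0],
        "orig": _tuple_dict(*tuples[0]),
        "reply": _tuple_dict(*tuples[1]),
    }


def parse_table(text):
    """Parse a whole state table dump, skipping blank lines."""
    return [parse_entry(l) for l in text.splitlines() if l.strip()]


# Models of the four address tests of the conntrack match. Each one looks at
# one tuple of the entry a packet belongs to, never at the packet's own header.
def ctorigsrc(entry, ip):
    return entry["orig"]["src"] == ip


def ctorigdst(entry, ip):
    return entry["orig"]["dst"] == ip


def ctreplysrc(entry, ip):
    return entry["reply"]["src"] == ip


def ctreplydst(entry, ip):
    return entry["reply"]["dst"] == ip


def direction_for(entry, host):
    """Classify a connection relative to `host`: who opened it?"""
    if ctorigdst(entry, host):
        return "inbound"      # host is the original destination
    if ctorigsrc(entry, host):
        return "outbound"     # host opened the session
    return "unrelated"


def select(text, match, ip):
    """Return indices of the entries the given match would accept for `ip`."""
    return [i for i, e in enumerate(parse_table(text)) if match(e, ip)]


if __name__ == "__main__":
    # Hypothetical internal host standing in for <int_ip> in the thread.
    int_ip = "192.168.1.10"
    for i, e in enumerate(parse_table(SAMPLE_CONNTRACK)):
        print(i, e["proto"], e["orig"]["src"], "->", e["orig"]["dst"],
              direction_for(e, int_ip))
    print("--ctorigdst  selects:", select(SAMPLE_CONNTRACK, ctorigdst, int_ip))
    print("--ctreplydst selects:", select(SAMPLE_CONNTRACK, ctreplydst, int_ip))
```

Run against the constructed table, "--ctorigdst 192.168.1.10" selects only the inbound SSH session (entry 1), while "--ctreplydst 192.168.1.10" selects the sessions that host opened itself (entries 0 and 3). One property of the real match worth keeping in mind when reading the result: it tests the tuples of the connection a packet belongs to, not the packet's own IP header, so the reply packets of an inbound session, whose own source address is the original destination, are matched by --ctorigdst as well; filtering on a packet's own addresses is what -s and -d are for.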