>> thanks
>> but I'm a student so I want to capture the concept also. So please
>> tell me the mystery or tell me about any tutorial about it.

Just an extra step, if you flush your rules and established connections still work, this could be because you are using SNAT to connect to the internet, no?

Conntrack saved entries know how to NAT to and from the source to the destination because it is stored inside the conntrack table entry. /proc/net/ip_conntrack is a list of the active sessions.

When you flush the NAT table, any new connections won't NAT properly because you have removed the rule. Existing connections will already know how to NAT the connection because it's stored elsewhere.

This is the wrong way to deal with dynamic table closures. What you want is a filter chain that explicitly drops unwanted sessions. Eventually the sessions will time out on their own.

I haven't used them, but there are also tools which can generate FIN/RSTs on TCP connections, which basically causes a graceful shutdown of the line.
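To make the "stored inside the conntrack table entry" point concrete, here is an added example that is not part of this thread: a small parser for lines in the legacy /proc/net/ip_conntrack layout (written from memory of that format; the sample lines below are constructed, not captured from a real host, and use documentation address ranges). Each entry records two tuples, the ORIGINAL direction and the expected REPLY direction, and any SNAT or DNAT applied to the session is simply the difference between them. That is why the kernel can keep translating an established session after the NAT rule that created it is gone, and why the parser can derive the rewrite without consulting any rules. The final helper selects sessions by destination, which is the kind of listing you would check before writing the explicit DROP in a filter chain that the reply recommends.

```python
"""Parse /proc/net/ip_conntrack-style lines and show where the NAT mapping lives.

Added example for the thread above, not code from it. The line layout is the
legacy ip_conntrack format as I remember it; the sample below is constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample (documentation IP ranges). 203.0.113.5 plays the router's
# public address; 192.168.1.0/24 is the LAN behind it.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=93.184.216.34 sport=41234 dport=80 src=93.184.216.34 dst=203.0.113.5 sport=80 dport=41234 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.20 dst=198.51.100.53 sport=50011 dport=53 src=198.51.100.53 dst=203.0.113.5 sport=53 dport=50011 mark=0 use=1
tcp      6 117 TIME_WAIT src=203.0.113.77 dst=203.0.113.5 sport=51000 dport=443 src=192.168.1.30 dst=203.0.113.77 sport=443 dport=51000 [ASSURED] mark=0 use=1
tcp      6 299 ESTABLISHED src=192.168.1.10 dst=192.168.1.40 sport=40000 dport=22 src=192.168.1.40 dst=192.168.1.10 sport=22 dport=40000 [ASSURED] mark=0 use=1
"""


@dataclass(frozen=True)
class Tuple4:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Entry:
    proto: str
    timeout: int      # seconds until the kernel expires the entry on its own
    state: str        # TCP state, or "" for stateless protocols such as UDP
    orig: Tuple4      # direction of the first packet seen
    reply: Tuple4     # direction replies are expected to arrive in
    flags: frozenset  # e.g. ASSURED, UNREPLIED


KV = re.compile(r"(\w+)=(\S+)")
TUPLE_KEYS = ("src", "dst", "sport", "dport")


def parse_line(line: str) -> Entry:
    fields = line.split()
    proto, timeout = fields[0], int(fields[2])
    # TCP lines carry a state word after the timeout; UDP goes straight to src=
    state = fields[3] if "=" not in fields[3] else ""
    tuples, cur = [], {}
    for key, val in KV.findall(line):
        if key in TUPLE_KEYS:
            cur[key] = val
            if len(cur) == 4:  # one complete tuple collected
                tuples.append(Tuple4(cur["src"], cur["dst"], int(cur["sport"]), int(cur["dport"])))
                cur = {}
    if len(tuples) != 2:
        raise ValueError(f"expected original and reply tuples, got {len(tuples)}: {line!r}")
    flags = frozenset(re.findall(r"\[(\w+)\]", line))
    return Entry(proto, timeout, state, tuples[0], tuples[1], flags)


def parse_conntrack(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def nat_kind(e: Entry) -> str:
    """Classify the NAT on a session purely from its two tuples."""
    kinds = []
    # SNAT: replies are addressed to something other than the original source
    if (e.reply.dst, e.reply.dport) != (e.orig.src, e.orig.sport):
        kinds.append("SNAT")
    # DNAT: replies come from something other than the original destination
    if (e.reply.src, e.reply.sport) != (e.orig.dst, e.orig.dport):
        kinds.append("DNAT")
    return "+".join(kinds) or "none"


def translation_for(e: Entry) -> tuple:
    """Header rewrite applied to a packet travelling in the ORIGINAL direction:
    (new_src, new_sport, new_dst, new_dport). No rule table is consulted; the
    reply tuple alone determines it."""
    return (e.reply.dst, e.reply.dport, e.reply.src, e.reply.sport)


def sessions_to(entries: list, dst_ip: str, dport: int = None) -> list:
    """Active sessions whose original destination matches; a starting point for
    deciding what an explicit filter-chain DROP should cover."""
    return [e for e in entries
            if e.orig.dst == dst_ip and (dport is None or e.orig.dport == dport)]


if __name__ == "__main__":
    for e in parse_conntrack(SAMPLE):
        print(f"{e.proto:3} {e.state or '-':11} nat={nat_kind(e):5} "
              f"{e.orig.src}:{e.orig.sport} -> {e.orig.dst}:{e.orig.dport} "
              f"rewritten to {translation_for(e)}")
```

Running it over the sample prints the first two sessions as SNAT (LAN hosts masqueraded behind 203.0.113.5), the third as DNAT (a port forward to 192.168.1.30:443), and the fourth as untranslated LAN traffic; the same classification works on a real file read from /proc/net/ip_conntrack on a kernel that still exposes that path.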