Hello Ming,

I thought you could do connection tracking per port, for example if you were forwarding / allowing out http and ssh but then wanted to block SSH. At first you would have:

iptables -A FORWARD -i eth1 -o eth0 -s internalnetwork -p tcp --dport 80 -m state --state ESTABLISHED,NEW -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -s internalnetwork -p tcp --dport 22 -m state --state ESTABLISHED,NEW -j ACCEPT

This would allow port 80 and port 22 new or established connections; then if you removed the rule for port 22 and had a default policy of deny, SSH connections should be dropped.

Michael.

On Wed, 12 May 2004 13:42:03 -0400 (EDT) fming@xxxxxxxxxxxxxx wrote:
> Hi,
>
> I am from the FreeBSD/ipfilter world. I recently switched to Linux and
> netfilter. One question I have with netfilter connection tracking is whether
> I can instruct the connection tracking to selectively track
> connections.
>
> Looks to me once I loaded the conn_track modules, everything was tracked. Is
> there a way I can specify, for example, that I only want http to be tracked?
> All other traffic will be dropped anyway, tracked or not.
>
> Regards,
> Ming

--
Michael Gale
Network Administrator
Utilitran Corporation
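The ruleset Michael describes, written out as a small script (an added example, not code from the thread). It assumes eth1 is the internal interface, eth0 the external one, and uses 192.168.1.0/24 as a constructed stand-in for "internalnetwork"; setting IPT=echo prints the iptables commands instead of applying them, so it can be read without root. The setup() function installs the default DROP policy plus the two stateful rules, and block_ssh() deletes the port 22 rule with -D, which is the step that makes existing SSH sessions fall through to the DROP policy:

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumptions: eth1 = internal interface, eth0 = external interface,
# 192.168.1.0/24 stands in for "internalnetwork" (constructed value).
# Set IPT=echo to print the commands instead of applying them.
IPT="${IPT:-iptables}"
INT_IF=eth1
EXT_IF=eth0
LAN=192.168.1.0/24

# Emit one stateful outbound FORWARD rule for a TCP destination port.
# $1 = iptables action (-A append or -D delete), $2 = port number
fwd_rule() {
    "$IPT" "$1" FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" \
        -p tcp --dport "$2" -m state --state NEW,ESTABLISHED -j ACCEPT
}

# Let reply packets of tracked connections back in toward the LAN.
reply_rule() {
    "$IPT" "$1" FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$LAN" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Initial policy: deny forwarding by default, then allow only HTTP and SSH out.
setup() {
    "$IPT" -P FORWARD DROP
    reply_rule -A
    fwd_rule -A 80
    fwd_rule -A 22
}

# Later: withdraw SSH. The deleted rule matched both NEW and ESTABLISHED,
# so packets of already-open SSH sessions now hit the DROP policy as well.
block_ssh() {
    fwd_rule -D 22
}

# Apply when run directly (with root and iptables available).
if [ "${IPT}" = iptables ] && [ "$(id -u)" = 0 ]; then
    setup
fi
```

Two caveats for anyone reusing this. First, because -D must match the rule exactly, keep the add and delete paths in one function (as fwd_rule does) so the deletion does not silently fail and leave SSH open. Second, on the original question of selective tracking: with the state match, every flow is still entered in the conntrack table once the module is loaded; on kernels that have the raw table, the NOTRACK target in raw/PREROUTING is what exempts chosen traffic from tracking, the stateful rules above only decide what is accepted.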