On Mon, 20 Jun 2005, terry l. ridder wrote:
> > > one example of the leak is below:
> > > 200.0.0.0/8 is dropped if the destination port is 25 (smtp).
> >
> > iptables-save(8) output, please. What you posted here doesn't tell us
> > much.
>
> while i have reservations concerning posting the output of iptables-save
> i have placed it on my web server:
> http://204.238.34.206/iptables-save-20jun2005.txt
You are filtering in the nat table.
The nat table gets only the first packet from each connection (the one
that would match -m state --state NEW). A retransmit from the blocked IP
will not be a new connection, so it will pass through your rules.
And on your comment to another mail that you are not using connection
tracking:
This is wrong. If you have the nat table, you must have ip_conntrack
loaded - and if it's loaded it tracks your connections, even if you
don't use -m state at all. There is no iptables nat without connection
tracking.
If you must filter in PREROUTING, do it at least in PREROUTING of the
filter table.
c'ya
sven
--
The Internet treats censorship as a routing problem, and routes around it.
(John Gilmore on http://www.cygnus.com/~gnu/)
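The thread's point is that a DROP placed in the nat table only ever sees the first packet of a connection, so it is not a filter at all. The script below is an added example, not code from the thread or from any of its participants: it audits an iptables-save(8) style dump for DROP/REJECT rules that sit in the nat table and rewrites them into the filter table. The dump it reads is a constructed sample, not terry's real ruleset, and the choice of the filter table's INPUT chain as the destination (the filter table has INPUT, FORWARD and OUTPUT; FORWARD would be the chain for routed traffic) is an assumption that mail is delivered to the firewall host itself.

```shell
#!/bin/sh
# Added example (not from the thread): find filtering rules (DROP/REJECT)
# that live in the nat table of an iptables-save(8) dump. The nat table is
# consulted only for the first packet of a connection (conntrack state NEW),
# so a DROP there does not block retransmits or the rest of the flow.

# Constructed iptables-save style dump. It contains the mistake discussed
# on the list (a DROP in nat PREROUTING) and one correctly placed rule in
# the filter table for comparison.
SAMPLE_DUMP='# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 200.0.0.0/8 -p tcp -m tcp --dport 25 -j DROP
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 200.0.0.0/8 -p tcp -m tcp --dport 25 -j DROP
COMMIT'

# Read a dump on stdin and print every rule in the *nat table whose
# target is DROP or REJECT, one rule per line. Table boundaries are the
# "*name" header and the "COMMIT" line that closes each table.
find_filtering_in_nat() {
    awk '
        /^\*/     { table = substr($0, 2) }   # "*nat" -> "nat", etc.
        /^COMMIT/ { table = "" }
        table == "nat" && /^-[AI] / && / -j (DROP|REJECT)( |$)/ { print }
    '
}

# Rewrite a nat PREROUTING rule so it can be loaded into the filter table.
# The filter table has no PREROUTING chain; INPUT is chosen here on the
# assumption that port 25 is delivered to this host (use FORWARD for
# traffic routed through the box).
move_to_filter_input() {
    sed -e 's/^-A PREROUTING /-A INPUT /'
}

# Number of misplaced filtering rules in the constructed sample.
count_nat_filter_rules() {
    printf '%s\n' "$SAMPLE_DUMP" | find_filtering_in_nat | wc -l | tr -d ' '
}

# Stand-alone run: report what would be flagged on the sample.
printf '%s\n' "$SAMPLE_DUMP" | find_filtering_in_nat | while read -r rule; do
    printf 'misplaced in nat: %s\n' "$rule"
    printf 'move to filter:   %s\n' "$(printf '%s\n' "$rule" | move_to_filter_input)"
done
```

To check a live box, pipe `iptables-save` into `find_filtering_in_nat` instead of the constructed sample; any line printed is a rule that only ever matches the first packet of a connection.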