On Monday 20 June 2005 14:30, Sven-Haegar Koch wrote:
> On Mon, 20 Jun 2005, terry l. ridder wrote:
> You are filtering in the nat table.
> The nat table gets only the first packet from each connection (the
> one that would match -m state --state NEW). A retransmit from the
> blocked IP will not be a new connection, so it will pass through your
> rules.
>
> And on your comment to another mail that you are not using connection
> tracking:
> This is wrong. If you have the nat table, you must have ip_conntrack
> loaded - and if it's loaded it tracks your connections, even if you
> don't use -m state at all. There is no iptables nat without connection
> tracking.

TY for that. I didn't know all that, although I did suspect that NAT
relied on ip_conntrack. "man iptables" doesn't say that directly (if so,
I missed it), but it does imply it.

    nat:
        This table is consulted when a packet that creates a new
        connection is encountered.
    ...

This also applies in another thread today, "Re: using NetFilter to share
the SAME SINGLE IP between a Linux router AND a computer simultaneously".

Anyway, what DOES happen in the case that there is no ip_conntrack?
Would not every packet appear to the kernel as a new connection?

> If you must filter in PREROUTING, do it at least in PREROUTING of the
> filter table.

Alas, there is no such chain (built-in). :)

--
mail to this address is discarded unless "/dev/rob0" or "not-spam"
is in Subject: header
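The rule placement the quoted reply warns about, shown as an added example that is not part of this thread's messages: a POSIX shell script that puts a DROP for a blocked source address in nat PREROUTING (where only the first packet of each connection is seen) next to the same block in the filter table's INPUT and FORWARD chains (which every packet traverses), plus a small lint that flags DROP/REJECT rules aimed at the nat table. The function names, the lint, and the address 192.0.2.10 are constructed for this example; the script only prints the rules unless IPT is set to the real iptables binary.

```shell
#!/bin/sh
# Added example (not from the thread): nat-table filtering versus filter-table
# filtering for a blocked source address. Nothing here is applied unless the
# reader sets IPT=iptables explicitly; the demo at the bottom is a dry run.

IPT="${IPT:-iptables}"
BLOCKED="${BLOCKED:-192.0.2.10}"   # constructed documentation address

# Wrong placement: the nat table is consulted only for the packet that creates
# a connection (the one that would match -m state --state NEW). Retransmits and
# every later packet of that connection bypass this rule entirely.
block_in_nat() {
    "$IPT" -t nat -A PREROUTING -s "$BLOCKED" -j DROP
}

# Correct placement: the filter table sees every packet, so the block holds for
# the whole connection. INPUT covers traffic to the box, FORWARD traffic through it.
block_in_filter() {
    "$IPT" -A INPUT   -s "$BLOCKED" -j DROP
    "$IPT" -A FORWARD -s "$BLOCKED" -j DROP
}

# Lint one rule given as a single string of iptables arguments (constructed
# helper). Returns 1 when a terminating target (DROP/REJECT) is placed in the
# nat table, which is the mistake discussed above; returns 0 otherwise.
lint_rule() {
    _table=filter
    _target=""
    _prev=""
    for _w in $1; do
        case "$_prev" in
            -t) _table=$_w ;;
            -j) _target=$_w ;;
        esac
        _prev=$_w
    done
    case "$_target" in
        DROP|REJECT)
            if [ "$_table" = nat ]; then
                echo "warning: $_target in the nat table only sees the first packet of each connection: $1" >&2
                return 1
            fi
            ;;
    esac
    return 0
}

# Dry-run demonstration: print both rule sets through echo (in a subshell, so
# the caller's IPT is untouched) and show the lint verdict for each line.
( IPT=echo; block_in_nat; block_in_filter ) | while IFS= read -r _rule; do
    if lint_rule "$_rule" 2>/dev/null; then
        echo "ok:  $_rule"
    else
        echo "bad: $_rule"
    fi
done
```

Running it prints the nat PREROUTING rule marked `bad:` and the two filter rules marked `ok:`; to apply the working variant, call `block_in_filter` with `IPT=iptables` in the environment.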