hello; reply below.

On 6/20/05, Sven-Haegar Koch <haegar@xxxxxxxxx> wrote:
> On Mon, 20 Jun 2005, terry l. ridder wrote:
>
> >>> one example of the leak is below:
> >>>
> >>> 200.0.0.0/8 is dropped if the destination port is 25 (smtp).
> >>
> >> iptables-save(8) output, please. What you posted here doesn't tell us
> >> much.
> >>
> >
> > while i have reservations concerning posting the output of iptables-save
> > i have placed it on my web server:
> >
> > http://204.238.34.206/iptables-save-20jun2005.txt
>
> You are filtering in the nat table.
>

yes, i am.

> The nat table gets only the first packet from each connection (the one
> that would match -m state --state NEW).
>

that is incorrect. the nat table is getting all packets.

> A retransmit from the blocked IP will not be a new connection,
> so it will pass through your rules.
>

again this is incorrect.

> And on your comment to another mail that you are not using connection
> tracking:
> This is wrong. If you have the nat table, you must have ip_conntrack
> loaded - and if it's loaded it tracks your connections, even if you
> don't use -m state at all. There is no iptables nat without connection
> tracking.
>

i may have been looking at the wrong window, i will check on that.

> If you must filter in PREROUTING, do it at least in PREROUTING of the
> filter table.
>

why?

> c'ya
> sven
>

-- 
terry l. ridder ><>
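The two placements of the drop rule under discussion, written out in iptables-save(8) format as an added example; this is not the poster's ruleset (the linked file is not on this page) and is not Sven's text. It assumes only the one rule terry describes (drop 200.0.0.0/8 to tcp/25). The filter table has no PREROUTING chain (PREROUTING exists in the raw, mangle and nat tables), so the filter-table version goes in INPUT for traffic addressed to the host and in FORWARD for routed traffic. The nat table is consulted only for the packet that creates a new conntrack entry; every packet traverses the filter table, which is why a DROP belongs there.

```iptables
# Placement A: the rule in the nat table. Only the packet that opens a
# connection (the one -m state --state NEW would match) traverses this
# table; later packets of an established connection never see this rule.
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 200.0.0.0/8 -p tcp -m tcp --dport 25 -j DROP
COMMIT

# Placement B: the same rule in the filter table, which every packet
# traverses. INPUT covers traffic to the box itself, FORWARD covers
# traffic the box routes; use whichever applies (or both).
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT   -s 200.0.0.0/8 -p tcp -m tcp --dport 25 -j DROP
-A FORWARD -s 200.0.0.0/8 -p tcp -m tcp --dport 25 -j DROP
COMMIT
```

Load with `iptables-restore < file` (as root), then compare the per-rule packet counters from `iptables -t nat -L PREROUTING -v -n` against `iptables -L INPUT -v -n` and `iptables -L FORWARD -v -n` while a blocked host keeps sending: the nat-table counter advances at most once per connection attempt, the filter-table counters advance for every packet that reaches the rule.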