On Tue, 21 Jun 2005, terry l. ridder wrote:

> On 6/21/05, Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> wrote:
> > On Mon, 20 Jun 2005, terry l. ridder wrote:
> >
> > > while i have reservations concerning posting the output of iptables-save
> > > i have placed it on my web server:
> > >
> > > http://204.238.34.206/iptables-save-20jun2005.txt
> >
> > Thou shalt not filter in the nat table.
>
> there is no good reason not to filter in the nat table.

Your firewall setup is a perfect example of why one should not filter in
the nat table. Look at the packets which "leaked in": all of them TCP RST
packets. According to the TCP connection tracking, an RST packet which
belongs to no known connection will be marked as INVALID. Because it's a
NEW INVALID packet, connection tracking drops the conntrack reference
immediately. Consequently, as no conntrack reference is attached to the
packet, the nat table skips processing it. And because you intentionally
do not filter in the filter table, the packets "leak in".

Thou shalt not filter in the nat table.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
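To make the mechanism described above concrete, here is an added example, not the ruleset posted in the thread and not Jozsef's text: a minimal iptables-restore fragment showing the pattern the mail warns against (a DROP rule in the nat table) next to the corrected placement in the filter table, with INVALID-state packets dropped explicitly. The interface name eth0 and the single permitted port (TCP/22) are assumed placeholders; the two halves are shown together for contrast, and only the filter half is the recommended shape.

```iptables
# Added example, not the ruleset from the thread. eth0 and TCP/22 are
# assumed placeholders. Load with: iptables-restore < rules.txt

# --- Pattern the mail warns against: filtering in the nat table ----------
# The nat table is consulted only for the first packet of a connection.
# A stray RST that matches no tracked connection is classified INVALID,
# its conntrack reference is dropped, and the nat table is skipped for it
# entirely, so the DROP rule below is never evaluated for such packets.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp ! --dport 22 -j DROP
COMMIT

# --- Corrected placement: filter in the filter table ---------------------
# Every packet traverses the filter table, INVALID ones included, so the
# stray RSTs are dropped here before any accept rule is reached, and the
# chain policy catches whatever the explicit rules do not.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
```

The `-m conntrack --ctstate` match is the current spelling; rulesets of the thread's era typically used the equivalent `-m state --state INVALID`. A quick check that the INVALID rule is actually seeing traffic is `iptables -L INPUT -v -n`, whose packet counters for the first rule should increase when unsolicited RSTs arrive.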