On Fri, 7 Oct 2005, Marek Zachara wrote:
As a workaround, is there a way to manually clean up conntrack table
There is two methods a) Unloading the ip_conntrack module b) Using the newly released conntrack tools (requires kernel support).
i'd put it in the boot scripts to assure such problems doesn't happen again. I know i can put a iptable rule to block all incoming UDP traffic for 3 minutes after boot-up (so the entries get cleaned), but this makes the router useless for these 3 minutes ...
The entry SHOULD NOT appear in conntrack until there is a route of some kind for the destination.
Unless you are dependent on dynamic address information on eth1 you could load your whole iptables ruleset before any of the networking is started. Or at least make sure ip_conntrack is not loaded before the NAT rules are created.
Regards Henrik
