On Monday 10 of October 2005 00:02, you wrote:
> On Fri, 7 Oct 2005, Marek Zachara wrote:
> > Well, the router startup procedure is like this:
> > 1) boot up core system (eth0 built-in kernel and enabled as the router
> > root is on nfs via eth0)
> > 2) set up iptables rules
> > 3) bring up eth1
>
> Try adding rules before eth0 is set up, rejecting all traffic except the
> traffic you need for booting until the real rules are loaded later on.
>

I did try. However, even adding blocking (-p udp -j DROP) at PREROUTING and keeping such a rule for 5 min doesn't clean the conntrack - somehow the entry is 'sustained' by the incoming packets even if they are being dropped early in the chain.

> As of today I am fairly certain the issue is related to your configuration
> and not a general problem.
>

Well, as I wrote in another post, I have solved the problem by cleaning the conntrack table from userspace after the rules are set up. However, I think this is quite a serious problem - it seems that if there is any traffic coming in at any interface before the NAT rules are set up, this can effectively disable certain SNAT rules and thus render some services unusable. This is a very attractive DoS opportunity.

regards,
Marek
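The ordering Marek ends up with (rules first, then a userspace conntrack flush, then eth1) as an added example script; this is not Marek's script and not part of the thread. It assumes conntrack-tools is available for the flush, that eth0 carries the NFS root and eth1 is the outside interface, and uses constructed addresses (10.0.0.0/24 inside, 192.0.2.1 as the SNAT source); DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Router bring-up in the order discussed in the thread (added example).
# Constructed assumptions: eth0 = NFS-root side, eth1 = outside,
# 10.0.0.0/24 = inside network, 192.0.2.1 = SNAT address.
set -eu

DRY_RUN="${DRY_RUN:-0}"       # DRY_RUN=1: echo commands instead of executing
IN_IF=eth0; OUT_IF=eth1
INSIDE_NET=10.0.0.0/24; SNAT_ADDR=192.0.2.1

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# 1) Load the ruleset while only eth0 (needed for the NFS root) is up.
#    Default policy is DROP, so nothing but the boot traffic gets through.
load_rules() {
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -F
    run iptables -t nat -F
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$IN_IF" -o "$OUT_IF" -s "$INSIDE_NET" -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$OUT_IF" -s "$INSIDE_NET" \
        -j SNAT --to-source "$SNAT_ADDR"
}

# 2) Drop every conntrack entry that was created before the nat table
#    existed. NAT is decided on a connection's first packet, so an entry
#    born without a mapping would keep bypassing SNAT for as long as
#    traffic sustains it; flushing forces a fresh lookup against the rules.
flush_conntrack() {
    run conntrack -F
}

# 3) Only now attach the outside interface.
bring_up_outside() {
    run ip link set "$OUT_IF" up
}

router_up() {
    load_rules
    flush_conntrack
    bring_up_outside
}

# Set ROUTER_UP_MAIN=1 to run the sequence when executing this file directly.
if [ "${ROUTER_UP_MAIN:-0}" = 1 ]; then router_up; fi
```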