On Mon, 10 Oct 2005, Marek Zachara wrote:
On Monday 10 of October 2005 00:02, you wrote:
On Fri, 7 Oct 2005, Marek Zachara wrote:
Well, the router startup procedure is like this:
1) boot up core system (eth0 built-in kernel and enabled as the router
root is on nfs via eth0)
2) set up iptables rules
3) bring up eth1
Try adding rules before eth0 is set up, rejecting all traffic except the
traffic you need for booting until the real rules is loaded later on.
I did try. However even adding blocking (-p udp -j DROP) at PREROUTING and
keeping such rule for 5 min doesn't clean the conntrack - somehow the entry
is 'sustained' with the incoming packets even if they are being dropped early
in the chain.
Packets in PREROUTING in the forward table have already been seen by
conntrack. You need to drop in the raw table if you want to prevent
tracking.
Alexey
