Re: avoid conntrack


Clist wrote:
Hi list,

Is it needed to do '-j NOTRACK' in order to avoid conntracking for some packets, or can I simply DROP packets in the raw table so they do not reach the other netfilter tables and so there is no conntracking for those packets?


Can I simply do
*raw -A PREROUTING <some criteria> -j DROP

or do I need to do
-A PREROUTING <some criteria> -j NOTRACK
-A PREROUTING <some criteria> -j DROP

Thanks...

conntrack only keeps track of connections; it does absolutely nothing to your firewall rules. It's up to you to decide what to do with the connection states in your rules. At some point you have a rule similar to --state established,related -j ACCEPT; that's where you are allowing packets through because they are in conntrack. If you want to eliminate some packets regardless of state, then just do so before you hit that rule.
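The following is an added example, not part of the original thread, that puts both options from the question side by side as an iptables-restore ruleset. The raw PREROUTING hook runs before the conntrack hook, so a packet dropped in the raw table never gets a conntrack entry and needs no separate NOTRACK rule; NOTRACK is for traffic you want to let through without tracking. The interface name eth0, the 192.0.2.0/24 source range and the DNS-on-port-53 scenario are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): two ways to keep packets
# out of conntrack, expressed as an iptables-restore ruleset.
# eth0, 192.0.2.0/24 and the port-53 service are illustrative assumptions.

ruleset() {
    cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# 1) Traffic that is never wanted: DROP it here, in the raw table. The raw
#    PREROUTING hook runs before the conntrack hook, so a packet dropped
#    here never creates or updates a conntrack entry. A NOTRACK rule with
#    the same criteria in front of this DROP would be redundant.
-A PREROUTING -i eth0 -s 192.0.2.0/24 -j DROP
# 2) Traffic that is wanted but should not be tracked (e.g. queries to a
#    busy authoritative DNS server): mark it NOTRACK so conntrack skips it.
-A PREROUTING -i eth0 -p udp --dport 53 -j NOTRACK
-A OUTPUT -o eth0 -p udp --sport 53 -j NOTRACK
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Caveat: untracked packets never become ESTABLISHED/RELATED, so the usual
# state rule does not let them in. They must be accepted explicitly by
# matching the UNTRACKED state.
-A INPUT -i eth0 -p udp --dport 53 -m conntrack --ctstate UNTRACKED -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i eth0 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Rules are only loaded when explicitly requested, so the script can be
# sourced or inspected safely: ./ruleset.sh apply
if [ "${1:-}" = "apply" ]; then
    ruleset | iptables-restore
    # Check: after some traffic, neither the dropped range nor port 53
    # should show up in the conntrack table.
    if conntrack -L 2>/dev/null | grep -Eq 'dport=53|src=192\.0\.2\.'; then
        echo "unexpected conntrack entries found"
    else
        echo "no conntrack entries for dropped or untracked traffic"
    fi
fi
```

Run with `apply` on a test host, generate some traffic, and confirm with `conntrack -L` (or `/proc/net/nf_conntrack`) that no entries appear for either class. If the UNTRACKED accept rule is omitted, the DNS packets are silently lost at the INPUT policy, which is the usual surprise when NOTRACK is added to an existing stateful ruleset.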


