Cliff Stanford wrote:
Pascal Hambourg wrote:
A possible explanation may be the following.
The remote box sends a continuous stream of UDP packets. The first
packet was received before the ruleset was installed but after the
conntrack was loaded, so a conntrack entry was created with no NAT, and
does not expire because of the continuous stream.
Thank you! You hit the nail right on the head!
Clear the conntrack table by any means and see what happens.
I cleared it with conntrack -F and you were absolutely right. It's now
working as expected.
In order to avoid this, the iptables ruleset must preferably be
installed before the network interfaces are UP and some traffic is sent
or received.
I knew it had to be my naivety but I couldn't see
what I was doing wrong.
It has nothing to do with naivety. Your ruleset was correct. I believe
this kind of problem requires fair knowledge and understanding of how
Netfilter performs connection tracking and its side effects. Fortunately
you provided enough information, which not everyone does all the time.
Out of interest, I can't seem to find a syntax that conntrack -D likes;
is there a tutorial for it anywhere or any docs better than the man page?
I have never used conntrack and cannot help you on this, sorry.
-
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
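The failure mode described in this thread (a UDP stream tracked before the NAT rules were loaded, so the entry carries no NAT and is kept alive by the traffic itself) can be spotted in the conntrack table: such an entry's reply tuple is the plain mirror of its original tuple, whereas an entry created after the SNAT rule was installed shows the public address in the reply direction. The following is an added example, not code from the thread or from the netfilter project, that parses /proc/net/nf_conntrack-style lines (a constructed sample is embedded), flags flows the SNAT rule should have translated but did not, and prints a conntrack -D command per stale entry as an alternative to the blanket conntrack -F used above. The subnet arguments, the sample lines and the assumption that the rule is "SNAT everything from the LAN except LAN-to-LAN traffic" are this example's own; the conntrack(8) flags used are the original-direction matching options of conntrack-tools.

```python
import ipaddress
import re

# Constructed sample in /proc/net/nf_conntrack format (not from the thread).
# Entry 1: LAN flow tracked BEFORE the SNAT rule existed: the reply tuple is
#          the exact mirror of the original tuple, i.e. no NAT was recorded.
#          The continuous stream keeps refreshing its timeout, so it never
#          expires and keeps leaving with its private source address.
# Entry 2: the same kind of flow tracked AFTER the rule: the reply dst is the
#          public address 203.0.113.1, so SNAT was applied.
# Entry 3: LAN-to-LAN traffic that the rule is not supposed to translate.
SAMPLE = """\
ipv4     2 udp      17 29 src=192.168.1.10 dst=198.51.100.7 sport=5000 dport=5001 src=198.51.100.7 dst=192.168.1.10 sport=5001 dport=5000 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=192.168.1.11 dst=198.51.100.7 sport=5002 dport=5001 src=198.51.100.7 dst=203.0.113.1 sport=5001 dport=5002 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=192.168.1.12 dst=192.168.1.20 sport=53 dport=53 src=192.168.1.20 dst=192.168.1.12 sport=53 dport=53 mark=0 use=1
"""

# One direction of a TCP/UDP entry; [ASSURED]/[UNREPLIED] may sit in between,
# findall() skips over them.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_entry(line):
    """Return (proto, orig, reply) for one nf_conntrack line.
    Each tuple is (src, dst, sport, dport)."""
    proto = line.split()[2]
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        raise ValueError("unexpected conntrack line: %r" % line)
    orig = (tuples[0][0], tuples[0][1], int(tuples[0][2]), int(tuples[0][3]))
    reply = (tuples[1][0], tuples[1][1], int(tuples[1][2]), int(tuples[1][3]))
    return proto, orig, reply


def is_unnatted(orig, reply):
    """True when the reply tuple is just the original tuple swapped around,
    meaning the kernel recorded no SNAT/DNAT for this flow."""
    return reply == (orig[1], orig[0], orig[3], orig[2])


def stale_entries(table_text, nat_src_net, excluded_dst_net):
    """Entries that a rule of the form
        iptables -t nat -A POSTROUTING -s nat_src_net ! -d excluded_dst_net -j MASQUERADE
    should have translated but which carry no NAT: created before the ruleset
    was loaded and kept alive by ongoing traffic (the situation in the thread)."""
    src_net = ipaddress.ip_network(nat_src_net)
    excluded = ipaddress.ip_network(excluded_dst_net)
    stale = []
    for line in table_text.splitlines():
        if not line.strip():
            continue
        proto, orig, reply = parse_entry(line)
        src = ipaddress.ip_address(orig[0])
        dst = ipaddress.ip_address(orig[1])
        if src in src_net and dst not in excluded and is_unnatted(orig, reply):
            stale.append((proto, orig))
    return stale


def delete_command(proto, orig):
    """conntrack(8) invocation removing exactly this entry, matched on its
    original-direction tuple (narrower than a global `conntrack -F`)."""
    src, dst, sport, dport = orig
    return ("conntrack -D -p %s --orig-src %s --orig-dst %s "
            "--orig-port-src %d --orig-port-dst %d" % (proto, src, dst, sport, dport))


def main():
    # On a real box read open("/proc/net/nf_conntrack").read() instead of SAMPLE.
    for proto, orig in stale_entries(SAMPLE, "192.168.1.0/24", "192.168.1.0/24"):
        print(delete_command(proto, orig))


if __name__ == "__main__":
    main()
```

Running it against the sample prints one delete command, for the 192.168.1.10 flow only; the already-translated flow and the LAN-to-LAN flow are left alone. Deleting the entry (or flushing the table) only cures the symptom: as the thread says, the durable fix is to load the ruleset before the interfaces come up, so that the first packet of any flow is tracked with the NAT rules already in place.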