Patrick McHardy wrote:
> Thomas Bätzler wrote:
> > iptables -t nat -A PREROUTING -m state --state INVALID \
> >   -j LOG
> > iptables -t nat -A PREROUTING -m state --state INVALID \
> >   -j DROP
>
> These rules need to go in mangle, the nat table is only
> traversed for the first packet of a connection.

I've changed my ruleset as you suggested, and now I'm seeing packets being filtered. I'll wait and see how that's affecting stability and throughput of the connection.

In any case I'm wondering why netfilter doesn't consider these packets to be part of a connection. Is there a known problem with netfilter and TCP SACK? Or did I miss something while looking at the rejected packets? I've enabled logging via ulogd now and am having a look at what's being filtered.

In the meantime thanks a lot for your help!

Cheers,
Thomas

--
BRINGE Informationstechnik GmbH
Zur Seeplatte 12
D-76228 Karlsruhe
Germany
Fon: +49 721 94246-0
Fon: +49 171 5438457
Fax: +49 721 94246-66
Web: http://www.bringe.de/
Geschäftsführer: Dipl.-Ing. (FH) Martin Bringe
Ust.Id: DE812936645, HRB 108943 Mannheim
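The placement issue discussed in the thread, as an added example that is not part of the original mail: the INVALID LOG/DROP rules belong in a table that every packet traverses (mangle PREROUTING here), not in nat. The POSIX sh script below is my own illustration; it emits the corrected rules in iptables-restore syntax and includes a small checker that scans an iptables-save dump for '--state INVALID' rules that were left in the nat table. The dump it is run against is constructed for the example, and the "INVALID: " log prefix and the apply_rules helper are my additions rather than anything from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread.
#  invalid_rules_mangle       : prints the INVALID LOG/DROP rules for the mangle table
#                               (iptables-restore format), where every packet is seen.
#  find_invalid_rules_in_nat  : reads an iptables-save dump on stdin and prints every
#                               '--state INVALID' rule that sits in the nat table;
#                               exit status 1 if any were found, 0 otherwise.
#  apply_rules                : loads the mangle rules without flushing other tables
#                               (needs root; not exercised by the checks below).

invalid_rules_mangle() {
    # "INVALID: " log prefix is an addition so the ulogd/syslog lines are easy to grep.
    cat <<'EOF'
*mangle
-A PREROUTING -m state --state INVALID -j LOG --log-prefix "INVALID: "
-A PREROUTING -m state --state INVALID -j DROP
COMMIT
EOF
}

find_invalid_rules_in_nat() {
    awk '
        /^\*/                               { table = substr($0, 2) }   # "*nat" -> nat
        /^COMMIT/                           { table = "" }
        table == "nat" && /--state INVALID/ { print; found = 1 }
        END                                 { exit found ? 1 : 0 }
    '
}

apply_rules() {
    invalid_rules_mangle | iptables-restore --noflush
}

# Constructed iptables-save excerpt (not a real dump) reproducing the misplaced rules
# from the first mail: INVALID handling in nat, where only a connection's first packet
# is ever looked at.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -m state --state INVALID -j LOG
-A PREROUTING -m state --state INVALID -j DROP
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Stand-alone run: report misplaced rules, then show the corrected fragment.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    echo "INVALID rules found in the nat table (should be in mangle or filter):"
    printf '%s\n' "$SAMPLE_DUMP" | find_invalid_rules_in_nat || true
    echo
    echo "Corrected fragment for iptables-restore --noflush:"
    invalid_rules_mangle
fi
```

Run the checker against a live box with `iptables-save | find_invalid_rules_in_nat` after sourcing the script; a non-zero exit means rules that are meant to see every packet are sitting in nat. Loading the mangle fragment with `--noflush` leaves the existing nat and filter tables untouched.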