On Tue, 26 Jan 2010, Dennis J. wrote:
> For a while now I excluded two IPs on my firewall from connection tracking
> which works very well. Now I tried adding another IP but that doesn't seem to
> work. I added the following rules:
>
> iptables -t raw -A PREROUTING -s 192.168.10.10 -j NOTRACK
> iptables -t raw -A PREROUTING -d 192.168.10.10 -j NOTRACK
>
> Yet when I look in /proc/net/ip_conntrack I still see 192.168.10.10 using up
> most of the entries.

Did you add those rules to a running system? Then you see the already
existing connections in /proc/net/ip_conntrack. The NOTRACK target does not
terminate existing connections.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
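An added example to go with the exchange above (my own script, not code posted by Dennis or Jozsef). It does two things: counts how many entries in a conntrack table still mention an address (so you can tell whether what you see after adding NOTRACK is leftover state rather than freshly tracked flows), and prints, without running, the rule set for excluding that address plus the `conntrack -D` calls that remove the pre-existing entries. The `/proc/net/ip_conntrack` sample lines and the 10.0.0.x peers are constructed; the `conntrack` command assumes conntrack-tools is installed, and the OUTPUT-chain rules are an addition for packets the firewall host itself originates.

```sh
#!/bin/sh
# Added example, not from the thread. NOTRACK in the raw table stops *new*
# flows from being tracked; entries created before the rule was added stay
# in the conntrack table until they time out or are deleted explicitly.

# Constructed sample of /proc/net/ip_conntrack (not captured from a host).
# The first two entries involve 192.168.10.10; the third does not.
CONNTRACK_SAMPLE='tcp      6 431999 ESTABLISHED src=192.168.10.10 dst=10.0.0.5 sport=44321 dport=80 packets=10 bytes=1200 src=10.0.0.5 dst=192.168.10.10 sport=80 dport=44321 packets=8 bytes=900 [ASSURED] mark=0 use=2
udp      17 29 src=10.0.0.7 dst=192.168.10.10 sport=5353 dport=53 packets=1 bytes=60 src=192.168.10.10 dst=10.0.0.7 sport=53 dport=5353 packets=1 bytes=120 mark=0 use=1
tcp      6 117 TIME_WAIT src=10.0.0.8 dst=10.0.0.9 sport=50000 dport=443 packets=5 bytes=500 src=10.0.0.9 dst=10.0.0.8 sport=443 dport=50000 packets=4 bytes=400 [ASSURED] mark=0 use=1'

# count_conntrack_entries IP [TABLE]
# Counts entries in which IP appears as src or dst in either direction.
# TABLE defaults to the live table (use /proc/net/nf_conntrack on kernels
# that no longer provide ip_conntrack).
count_conntrack_entries() {
    ip="$1"
    table="${2:-/proc/net/ip_conntrack}"
    # Escape dots so 192.168.10.1 cannot match 192.168.10.10; the trailing
    # ( |$) anchors the address at a field boundary.
    pat=$(printf '%s' "$ip" | sed 's/\./\\./g')
    # grep -c prints 0 and exits 1 when nothing matched; treat that as success.
    grep -E -c "(src|dst)=${pat}( |$)" "$table" || [ $? -eq 1 ]
}

# count_in_sample IP: run the counter over the constructed sample.
count_in_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$CONNTRACK_SAMPLE" > "$tmp"
    count_conntrack_entries "$1" "$tmp"
    rm -f "$tmp"
}

# notrack_commands IP
# Prints (does not execute) the commands that exclude IP from tracking and
# then drop entries that already exist. Rules go in both raw-table chains:
# PREROUTING for forwarded/inbound packets, OUTPUT for packets the firewall
# host itself sends. `conntrack -D` is from conntrack-tools; -s and -d are
# its --src and --dst options.
notrack_commands() {
    ip="$1"
    cat <<EOF
iptables -t raw -A PREROUTING -s $ip -j NOTRACK
iptables -t raw -A PREROUTING -d $ip -j NOTRACK
iptables -t raw -A OUTPUT     -s $ip -j NOTRACK
iptables -t raw -A OUTPUT     -d $ip -j NOTRACK
conntrack -D -s $ip
conntrack -D -d $ip
EOF
}

# Stand-alone run: ./notrack_check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "entries for 192.168.10.10 in sample: $(count_in_sample 192.168.10.10)"
    notrack_commands 192.168.10.10
fi
```

Against a live box, `count_conntrack_entries 192.168.10.10` before and after the `conntrack -D` lines shows whether the entries were stale state or flows that are still being tracked; a count that stays high after the delete means packets are reaching the conntrack hook before the raw rule sees them, which is the case to investigate.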