On Tue, 26/01/2010 at 19:38 +0100, Dennis J. writes:
> Hi,
> For a while now I excluded two IPs on my firewall from connection tracking
> which works very well. Now I tried adding another IP but that doesn't seem
> to work. I added the following rules:
>
> iptables -t raw -A PREROUTING -s 192.168.10.10 -j NOTRACK
> iptables -t raw -A PREROUTING -d 192.168.10.10 -j NOTRACK
>
> Yet when I look in /proc/net/ip_conntrack I still see 192.168.10.10 using
> up most of the entries.
> Is there something else that needs to be done to exclude this IP completely
> from the connection tracking table?

Probably conntrack has seen packets from this IP before you added those rules; they will remain until the connection is "closed" and/or a timeout occurs.

Quick hack is to do "conntrack -F; conntrack -F expect".

--
Покотиленко Костик <casper@xxxxxxxxxxxx>
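The remedy in the reply, as an added example that is not part of the original thread: the two NOTRACK rules and the flush are wrapped in one function (it needs root and conntrack-tools, so it is defined but not invoked), and a second function parses /proc/net/ip_conntrack text and counts the entries that still mention an IP, which is the check to run before and after the flush. The table content below is constructed sample data in the /proc/net/ip_conntrack layout, not a capture from the poster's firewall; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the netfilter thread.
#
# Part 1: the fix from the reply. Hypothetical helper name; assumes root
# privileges, iptables and the conntrack CLI. Entries created before the
# NOTRACK rules were added stay in the table until the connection closes or
# times out, so the tables are flushed right after the rules go in.
exclude_ip_from_conntrack() {
    ip="$1"
    iptables -t raw -A PREROUTING -s "$ip" -j NOTRACK
    iptables -t raw -A PREROUTING -d "$ip" -j NOTRACK
    conntrack -F
    conntrack -F expect
}

# Part 2: count table lines whose original or reply tuple refers to $ip.
# Matching the fixed strings "src=IP " / "dst=IP " (trailing space included)
# avoids counting 192.168.10.100 when asked about 192.168.10.10.
# Defaults to the live table; pass a file to check a saved copy instead.
# grep -c prints 0 and exits non-zero on no match, hence "|| true".
count_conntrack_entries() {
    ip="$1"
    table="${2:-/proc/net/ip_conntrack}"
    grep -c -F -e "src=$ip " -e "dst=$ip " "$table" || true
}

# Constructed sample table (three flows) so the check runs without root.
SAMPLE_TABLE="${TMPDIR:-/tmp}/sample_ip_conntrack.$$"
cat >"$SAMPLE_TABLE" <<'EOF'
tcp      6 431999 ESTABLISHED src=192.168.10.10 dst=10.0.0.5 sport=51234 dport=80 packets=10 bytes=1200 src=10.0.0.5 dst=192.168.10.10 sport=80 dport=51234 packets=8 bytes=9000 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.10.20 dst=10.0.0.53 sport=4567 dport=53 packets=1 bytes=60 src=10.0.0.53 dst=192.168.10.20 sport=53 dport=4567 packets=1 bytes=120 mark=0 use=1
tcp      6 117 TIME_WAIT src=10.0.0.7 dst=192.168.10.10 sport=40000 dport=443 packets=5 bytes=600 src=192.168.10.10 dst=10.0.0.7 sport=443 dport=40000 packets=4 bytes=700 [ASSURED] mark=0 use=1
EOF

# Usage against the sample: the excluded host still owns two entries, so a
# flush (or waiting for the timeouts) is needed even though NOTRACK is in place.
echo "entries for 192.168.10.10: $(count_conntrack_entries 192.168.10.10 "$SAMPLE_TABLE")"
echo "entries for 192.168.10.1:  $(count_conntrack_entries 192.168.10.1 "$SAMPLE_TABLE")"
```

On a live box, run `count_conntrack_entries 192.168.10.10` once before and once after `conntrack -F`; a non-zero count that persists after the flush means new packets are still being tracked, which points at the NOTRACK rules not matching rather than at stale entries.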