On 01/26/2010 07:49 PM, Покотиленко Костик wrote:
> On Tue, 26/01/2010 at 19:38 +0100, Dennis J. wrote:
>> Hi,
>> For a while now I have excluded two IPs on my firewall from connection tracking,
>> which works very well. Now I tried adding another IP but that doesn't seem
>> to work. I added the following rules:
>> iptables -t raw -A PREROUTING -s 192.168.10.10 -j NOTRACK
>> iptables -t raw -A PREROUTING -d 192.168.10.10 -j NOTRACK
>> Yet when I look in /proc/net/ip_conntrack I still see 192.168.10.10 using
>> up most of the entries.
>> Is there something else that needs to be done to exclude this IP completely
>> from the connection tracking table?
> Probably conntrack saw packets from this IP before you added those
> rules; they will remain until the connection is "closed" and/or a timeout
> occurs. A quick hack is to do "conntrack -F; conntrack -F expect".
Makes sense. Where can I find the conntrack command? This is a regular
CentOS 5 system but I can't find any packages that contain this command.
Regards,
Dennis
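As an added example that is not part of the thread: a small POSIX shell script that counts how many entries in /proc/net/ip_conntrack still reference a host and how long the longest-lived one has left, which is how you tell leftovers from before the NOTRACK rules were added apart from entries that are still being created. The table contents are a constructed sample in that file's format, and the delete commands in the closing comment assume the conntrack tool from conntrack-tools is installed.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the CentOS 5
# /proc/net/ip_conntrack line format: proto, proto number, timeout,
# [state], then the original and reply tuples as key=value fields.

# Constructed sample table (three entries touching 192.168.10.10, one
# unrelated), written to the file named in $1.
write_sample_conntrack() {
    cat > "$1" <<'EOF'
tcp      6 431997 ESTABLISHED src=192.168.10.10 dst=10.0.0.5 sport=45678 dport=80 packets=12 bytes=1440 src=10.0.0.5 dst=192.168.10.10 sport=80 dport=45678 packets=9 bytes=900 [ASSURED] mark=0 secmark=0 use=1
tcp      6 117 TIME_WAIT src=10.0.0.7 dst=192.168.10.10 sport=51000 dport=443 packets=6 bytes=720 src=192.168.10.10 dst=10.0.0.7 sport=443 dport=51000 packets=5 bytes=600 [ASSURED] mark=0 secmark=0 use=1
udp      17 29 src=192.168.10.10 dst=10.0.0.53 sport=40000 dport=53 packets=1 bytes=60 src=10.0.0.53 dst=192.168.10.10 sport=53 dport=40000 packets=1 bytes=90 mark=0 secmark=0 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.9 dst=10.0.0.5 sport=33000 dport=22 packets=40 bytes=4800 src=10.0.0.5 dst=10.0.0.9 sport=22 dport=33000 packets=30 bytes=3600 [ASSURED] mark=0 secmark=0 use=1
EOF
}

# Number of entries in table $1 whose original or reply tuple uses IP $2.
# Each line is counted once, however many fields match.
count_conntrack_entries() {
    awk -v ip="$2" '
        { for (i = 1; i <= NF; i++)
              if ($i == ("src=" ip) || $i == ("dst=" ip)) { n++; break } }
        END { print n + 0 }' "$1"
}

# Longest remaining timeout in seconds (field 3) among entries for IP $2:
# how long the stale entries would linger if nothing flushed them.
max_conntrack_timeout() {
    awk -v ip="$2" '
        BEGIN { max = 0 }
        { for (i = 1; i <= NF; i++)
              if ($i == ("src=" ip) || $i == ("dst=" ip)) {
                  if ($3 + 0 > max) max = $3 + 0; break } }
        END { print max }' "$1"
}

# Usage: inspect the live table (or a saved copy passed as $1) for an IP.
table="${1:-/proc/net/ip_conntrack}"
ip="${2:-192.168.10.10}"
if [ -r "$table" ]; then
    echo "entries for $ip: $(count_conntrack_entries "$table" "$ip")"
    echo "longest remaining timeout: $(max_conntrack_timeout "$table" "$ip")s"
fi
# To drop only that host's leftovers instead of flushing the whole table
# (conntrack-tools):  conntrack -D -s 192.168.10.10; conntrack -D -d 192.168.10.10
```

Once the count stays at zero while the host is actively sending traffic, the raw-table NOTRACK rules are doing their job and only the pre-existing entries were at issue.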
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html