On Tue, 26/01/2010 at 21:15 +0100, Dennis J. wrote:
> On 01/26/2010 07:49 PM, Покотиленко Костик wrote:
> > On Tue, 26/01/2010 at 19:38 +0100, Dennis J. wrote:
> >> Hi,
> >> For a while now I have excluded two IPs on my firewall from connection tracking,
> >> which works very well. Now I tried adding another IP, but that doesn't seem
> >> to work. I added the following rules:
> >>
> >> iptables -t raw -A PREROUTING -s 192.168.10.10 -j NOTRACK
> >> iptables -t raw -A PREROUTING -d 192.168.10.10 -j NOTRACK
> >>
> >> Yet when I look in /proc/net/ip_conntrack I still see 192.168.10.10 using
> >> up most of the entries.
> >> Is there something else that needs to be done to exclude this IP completely
> >> from the connection tracking table?
> >
> > Probably conntrack has seen packets from this IP before you added those
> > rules; they will remain until the connection is "closed" and/or a timeout
> > occurs. A quick hack is to do "conntrack -F; conntrack -F expect".
>
> Makes sense. Where can I find the conntrack command? This is a regular
> CentOS 5 system, but I can't find any packages that contain this command.

In Debian this is in the "conntrack" package. I'm not a CentOS user, but you
will probably find a way to see which package contains a certain file on the
CentOS website.

--
Покотиленко Костик <casper@xxxxxxxxxxxx>

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
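The thread leaves one practical question open: after adding the NOTRACK rules, how do you tell whether the entries you still see for 192.168.10.10 are leftovers from before the rules (which only a "conntrack -F" or their own timeout will remove) and how long the most persistent one would linger? The following is an added example, not code from the thread or from the netfilter project: it parses the /proc/net/ip_conntrack text format (and the /proc/net/nf_conntrack variant, which prefixes each line with "ipv4 2" or "ipv6 10"), counts entries in which the address appears in either the original or the reply tuple, and reports the longest remaining timeout among them. The SAMPLE table is constructed for this example and is not output from the poster's system.

```python
"""Added example: check a conntrack table dump for entries that still involve
an address excluded with NOTRACK, and report the longest remaining timeout.

Accepts the /proc/net/ip_conntrack layout and the /proc/net/nf_conntrack
layout (same fields after an "ipv4 2" / "ipv6 10" prefix). SAMPLE is
constructed for this example.
"""
from collections import Counter

# Constructed sample in the ip_conntrack format: protocol name and number,
# seconds until expiry, TCP state (absent for UDP), original-direction tuple,
# reply-direction tuple, flags such as [ASSURED] / [UNREPLIED].
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.10.10 dst=10.0.0.5 sport=45678 dport=80 packets=10 bytes=1500 src=10.0.0.5 dst=192.168.10.10 sport=80 dport=45678 packets=8 bytes=3000 [ASSURED] mark=0 use=1
tcp      6 118 TIME_WAIT src=192.168.10.10 dst=10.0.0.7 sport=45680 dport=443 packets=6 bytes=900 src=10.0.0.7 dst=192.168.10.10 sport=443 dport=45680 packets=5 bytes=2100 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.2 dst=8.8.8.8 sport=5353 dport=53 packets=1 bytes=60 [UNREPLIED] src=8.8.8.8 dst=192.168.1.2 sport=53 dport=5353 packets=0 bytes=0 mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.9 dst=192.168.10.10 sport=51000 dport=22 packets=200 bytes=30000 src=192.168.10.10 dst=10.0.0.9 sport=22 dport=51000 packets=180 bytes=50000 [ASSURED] mark=0 use=1
"""


def parse_entry(line):
    """Return one conntrack entry as a dict; raise ValueError on junk."""
    fields = line.split()
    if fields and fields[0] in ("ipv4", "ipv6"):   # nf_conntrack layout
        fields = fields[2:]
    if len(fields) < 4:
        raise ValueError("not a conntrack entry: %r" % line)
    entry = {
        "proto": fields[0],
        "timeout": int(fields[2]),          # seconds until the entry expires
        "state": None,
        "assured": "[ASSURED]" in fields,
        "unreplied": "[UNREPLIED]" in fields,
    }
    # TCP carries a state word (ESTABLISHED, TIME_WAIT, ...) before the first
    # key=value pair; UDP does not.
    if "=" not in fields[3] and not fields[3].startswith("["):
        entry["state"] = fields[3]
    # src= and dst= each appear twice: original direction first, then reply.
    pairs = [f.split("=", 1) for f in fields if "=" in f]
    srcs = [v for k, v in pairs if k == "src"]
    dsts = [v for k, v in pairs if k == "dst"]
    if len(srcs) != 2 or len(dsts) != 2:
        raise ValueError("expected two src/dst tuples: %r" % line)
    entry["orig"] = (srcs[0], dsts[0])
    entry["reply"] = (srcs[1], dsts[1])
    return entry


def parse_table(text):
    return [parse_entry(l) for l in text.splitlines() if l.strip()]


def entries_for_ip(entries, ip):
    """Entries that a NOTRACK -s/-d rule for ip should have kept out."""
    return [e for e in entries if ip in e["orig"] or ip in e["reply"]]


def report(text, ip):
    entries = parse_table(text)
    hits = entries_for_ip(entries, ip)
    return {
        "total": len(entries),
        "matching": len(hits),
        # How long the most persistent leftover stays if you do not flush.
        "longest_timeout": max((e["timeout"] for e in hits), default=0),
        "states": Counter(e["state"] or e["proto"] for e in hits),
    }


if __name__ == "__main__":
    import sys
    # Usage: python conntrack_check.py [/proc/net/ip_conntrack] <ip>
    ip = sys.argv[-1] if len(sys.argv) > 1 else "192.168.10.10"
    text = open(sys.argv[1]).read() if len(sys.argv) > 2 else SAMPLE
    print(report(text, ip))
```

Run against the real table with the address in question; if "matching" is non-zero and every hit is in an established or long-timeout state, those entries predate the raw-table rules and will only disappear on their own expiry or after "conntrack -F". A large "longest_timeout" (the default established-TCP timeout is five days) is the case where flushing is worth the cost of losing the other tracked connections.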