Re: NOTRACK not working

On 01/26/2010 09:35 PM, Покотиленко Костик wrote:
On Tue, 26/01/2010 at 21:15 +0100, Dennis J. wrote:
On 01/26/2010 07:49 PM, Покотиленко Костик wrote:
On Tue, 26/01/2010 at 19:38 +0100, Dennis J. wrote:
Hi,
For a while now I excluded two IPs on my firewall from connection tracking
which works very well. Now I tried adding another IP but that doesn't seem
to work. I added the following rules:

iptables -t raw -A PREROUTING -s 192.168.10.10 -j NOTRACK
iptables -t raw -A PREROUTING -d 192.168.10.10 -j NOTRACK

Yet when I look in /proc/net/ip_conntrack I still see 192.168.10.10 using
up most of the entries.
Is there something else that needs to be done to exclude this IP completely
from the connection tracking table?

Probably conntrack has seen packets from this IP before you added those
rules, they will remain until connection is "closed" and/or timeout
occurs. Quick hack is to do "conntrack -F; conntrack -F expect".


Makes sense. Where can I find the conntrack command? This is a regular
centos 5 system but I can't find any packages that contain this command.

In Debian this is in the "conntrack" package. I'm not a centos user, but you
will probably find a way to see which package contains a certain file on
the centos website.


I didn't find the required packages but rebuilding them from the fedora versions was easy. After installing I was able to clear the table as described. Thanks!

Regards,
  Dennis
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
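As an added example, not code from the thread or from the netfilter project: a small POSIX shell script that installs the NOTRACK rules shown above, flushes the conntrack and expectation tables with conntrack-tools as suggested in the reply, and then checks the conntrack table to confirm that no entry for the address remains. It goes one step beyond the thread by also adding a raw OUTPUT rule, because packets generated on the firewall host itself traverse raw OUTPUT, not raw PREROUTING. The function names, the temporary file and the sample table contents are constructed for this example; the real table lives in /proc/net/ip_conntrack (or /proc/net/nf_conntrack on newer kernels).

```shell
#!/bin/sh
# Added example (not from the thread): exclude an IP from connection
# tracking and verify that the conntrack table really no longer lists it.

# Count conntrack entries (one per line) in table file $1 that carry $2 as
# src= or dst= in either direction. Word boundaries keep 192.168.10.1 from
# matching 192.168.10.10. Prints 0 when nothing matches.
count_entries_for_ip() {
    table="$1"
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    pat='(^|[[:space:]])(src|dst)='"$ip_re"'([[:space:]]|$)'
    grep -c -E "$pat" "$table" 2>/dev/null || true
}

# Return 0 if no entry for $2 remains in table file $1; otherwise report
# the count on stderr and return 1.
check_excluded() {
    n=$(count_entries_for_ip "$1" "$2")
    if [ "$n" -eq 0 ]; then
        return 0
    fi
    echo "$2 still has $n conntrack entries in $1" >&2
    return 1
}

# The rules from the thread, plus raw OUTPUT for locally generated packets,
# followed by the flush from the reply. Needs root, iptables and the
# conntrack command from conntrack-tools; entries seen before the rules
# were added stay in the table until they time out unless flushed.
exclude_ip_from_conntrack() {
    ip="$1"
    iptables -t raw -A PREROUTING -s "$ip" -j NOTRACK
    iptables -t raw -A PREROUTING -d "$ip" -j NOTRACK
    iptables -t raw -A OUTPUT     -d "$ip" -j NOTRACK
    conntrack -F
    conntrack -F expect
}

# Constructed sample in the layout of /proc/net/ip_conntrack, for running
# the check without root: two entries involve 192.168.10.10, one involves
# the lookalike 192.168.10.1, one involves neither.
write_sample_table() {
    cat > "$1" <<'EOF'
tcp      6 431999 ESTABLISHED src=192.168.10.10 dst=10.0.0.5 sport=51234 dport=443 src=10.0.0.5 dst=192.168.10.10 sport=443 dport=51234 [ASSURED] mark=0 use=1
udp      17 29 src=10.0.0.7 dst=192.168.10.10 sport=40000 dport=53 src=192.168.10.10 dst=10.0.0.7 sport=53 dport=40000 mark=0 use=1
tcp      6 300 ESTABLISHED src=192.168.10.1 dst=10.0.0.5 sport=40001 dport=80 src=10.0.0.5 dst=192.168.10.1 sport=80 dport=40001 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=10.0.0.8 dst=10.0.0.9 sport=33000 dport=22 src=10.0.0.9 dst=10.0.0.8 sport=22 dport=33000 [ASSURED] mark=0 use=1
EOF
}

case "${1:-}" in
    --demo)
        # Offline run against the constructed sample.
        tmp=$(mktemp)
        write_sample_table "$tmp"
        echo "entries for 192.168.10.10 in sample: $(count_entries_for_ip "$tmp" 192.168.10.10)"
        check_excluded "$tmp" 192.168.10.10 || echo "(expected on the sample: flush not yet done)"
        rm -f "$tmp"
        ;;
    --apply)
        # Live run on the firewall: ./script --apply 192.168.10.10
        exclude_ip_from_conntrack "$2"
        check_excluded /proc/net/ip_conntrack "$2"
        ;;
esac
```

On the live system the check should only be trusted after the flush; before it, stale entries for the host are expected, which is exactly what the thread observed. The OUTPUT rule is harmless when the firewall never talks to the host itself, and necessary when it does.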
