>>> On Mon, Mar 22, 2010 at 10:42 PM, Pascal Hambourg <pascal.mail@xxxxxxxxxxxxxxx> wrote:
> Window and sequence number tracking has been included in TCP connection
> tracking since kernel 2.6.9, making out-of-window segments INVALID.

Beautiful ... So this packet will be rejected by the
iptables -A FORWARD -m state --state INVALID -j DROP rule ??

Thanks,
Ratheesh

On Mon, Mar 22, 2010 at 11:09 PM, Pascal Hambourg <pascal.mail@xxxxxxxxxxxxxxx> wrote:
> ratheesh k wrote:
>>> On Mon, Mar 22, 2010 at 10:42 PM, Pascal Hambourg <pascal.mail@xxxxxxxxxxxxxxx> wrote:
>>> If a crafted packet matches all the characteristics of the conntrack
>>> entry for that connection (including reply source port 80, TCP sequence
>>> number), then it will be considered belonging to the reply direction of
>>> that connection and the NAT will process it accordingly.
>>
>> I thought only a tuple of IP and port is kept for connection
>> tracking (not the TCP sequence).
>
> Window and sequence number tracking has been included in TCP connection
> tracking since kernel 2.6.9, making out-of-window segments INVALID.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
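The thread turns on what "out-of-window" means for conntrack. As an added illustration (not code from the thread, and not the netfilter project's own code), the following is a simplified Python model of the window check the kernel's TCP tracker applies to each segment once a connection is established. The names `Side`, `Conn`, `classify` and `after_handshake` are mine, the sequence numbers and window sizes are constructed, and the model ignores details such as SACK, FIN/SYN sequence consumption and wrap-around arithmetic; it keeps only the four bounds that decide whether a segment is in window.

```python
from dataclasses import dataclass


@dataclass
class Side:
    """Per-direction window state (simplified model, not the kernel's struct)."""
    end: int      # highest (seq + data length) seen from this side
    maxend: int   # highest seq this side may send: peer's last ACK + peer's window
    maxwin: int   # largest receive window this side has advertised


@dataclass
class Conn:
    orig: Side    # client -> server direction
    reply: Side   # server -> client direction


def classify(conn: Conn, direction: str, seq: int, ack: int,
             length: int, window: int) -> str:
    """Return "ESTABLISHED" if the segment fits the tracked windows, else "INVALID".

    The four checks follow the shape of conntrack's test: the segment must start
    at or below what the peer has allowed, must not lie entirely before data the
    peer already accepted, and its ACK must neither acknowledge data the peer has
    not sent yet nor be stale beyond the peer's window.
    """
    sender = conn.orig if direction == "orig" else conn.reply
    receiver = conn.reply if direction == "orig" else conn.orig
    seq_end = seq + length

    in_window = (
        seq <= sender.maxend
        and seq_end >= sender.end - receiver.maxwin
        and ack <= receiver.end
        and ack >= receiver.end - receiver.maxwin
    )
    if not in_window:
        return "INVALID"        # this is what "-m state --state INVALID" matches

    # Accepted: advance the tracked state as the kernel would.
    sender.end = max(sender.end, seq_end)
    sender.maxwin = max(sender.maxwin, window)
    receiver.maxend = max(receiver.maxend, ack + window)
    return "ESTABLISHED"


def after_handshake(client_isn: int = 1000, server_isn: int = 5000,
                    win: int = 65535) -> Conn:
    """Constructed state of a connection right after the three-way handshake."""
    return Conn(
        orig=Side(end=client_isn + 1, maxend=client_isn + 1 + win, maxwin=win),
        reply=Side(end=server_isn + 1, maxend=server_isn + 1 + win, maxwin=win),
    )


def demo() -> list:
    """Three constructed reply-direction segments against the same tracked connection."""
    conn = after_handshake()
    results = []
    # 1. A genuine reply segment from the server: in window.
    results.append(classify(conn, "reply", seq=5001, ack=1001, length=100, window=65535))
    # 2. Crafted reply with the right addresses and ports but a sequence number far outside the window.
    results.append(classify(conn, "reply", seq=900000, ack=1001, length=0, window=65535))
    # 3. Crafted reply with a plausible seq but an ACK for data the client never sent.
    results.append(classify(conn, "reply", seq=5101, ack=500000, length=0, window=65535))
    return results


if __name__ == "__main__":
    print(demo())   # ['ESTABLISHED', 'INVALID', 'INVALID']
```

Only the first segment advances the tracked state; the other two return INVALID, which is the state the FORWARD rule quoted above matches. Two caveats worth keeping in mind when relying on that rule: packets conntrack marks INVALID are not handled by NAT at all, so without the DROP they would be forwarded with their addresses unchanged if a later FORWARD rule accepts them; and the sysctl `net.netfilter.nf_conntrack_tcp_be_liberal`, when set to 1, relaxes the check so that only out-of-window RST segments are marked INVALID.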