ratheesh k a wrote:
>> On Mon, Mar 22, 2010 at 10:42 PM, Pascal Hambourg <pascal.mail@xxxxxxxxxxxxxxx> wrote:
>> Window and sequence number tracking has been included in TCP connection
>> tracking since kernel 2.6.9, making out-of-window segments INVALID.
>
> Beautiful ...
> So this packet will be rejected by
> iptables -A FORWARD -m state --state INVALID -j DROP rule ??

Actually not in your masquerading setup: INVALID packets skip NAT (which
is good enough a reason to DROP them in a NAT setup, in order to prevent
private addresses from leaking outside), so the packet won't be
demasqueraded and will fall into the INPUT chain instead of the FORWARD
chain.
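A ruleset that follows from the point above, added here as an example and not taken from the thread: because INVALID segments skip NAT, an inbound out-of-window segment is never de-masqueraded and lands in INPUT, so the DROP has to sit in INPUT and OUTPUT as well as FORWARD, ahead of any ESTABLISHED,RELATED accept. Interface names, the LAN prefix and the log prefixes are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): filter rules for a masquerading
# router that drop INVALID segments in every chain they can reach.
# WAN, LAN and LAN_NET are assumed values; adjust for the real setup.
WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24

# Print the ruleset instead of applying it, so it can be reviewed
# (and checked) before being piped into sh.
build_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
# INVALID packets skip NAT: an inbound out-of-window segment is not
# de-masqueraded, so it is routed to the router itself and hits INPUT,
# not FORWARD; an outbound one would leave with its private source.
# Drop INVALID first in every chain, before ESTABLISHED/RELATED accepts.
iptables -A INPUT -m state --state INVALID -m limit --limit 5/min -j LOG --log-prefix "ct-invalid-in: "
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -m limit --limit 5/min -j LOG --log-prefix "ct-invalid-fwd: "
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
EOF
}

# Count the rules that drop INVALID in a given chain, so a reviewer can
# confirm INPUT and OUTPUT are covered and not only FORWARD.
invalid_drops_in() {
    build_rules | grep -c "^iptables -A $1 -m state --state INVALID -j DROP"
}

# Apply for real only when explicitly requested (needs root and iptables).
if [ "${APPLY:-0}" = 1 ]; then
    build_rules | sh
fi
```

Run with `APPLY=1` to load the rules; without it the script only generates them for inspection.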