Mart Frauenlob wrote:
> On 29.07.2010 13:21, Jan Engelhardt wrote:
>>
>> # iptables -I INPUT -p tcp --dport 23 -j DROP
>> # conntrack -E& telnet localhost 23
>> [1] 6949
>> Trying ::1...
>> telnet: connect to address ::1: Connection refused
>
> refused? on DROP?
> my nc does show a timeout.

That's the IPv6 connection attempt. The Telnet server does not appear to
listen on IPv6, so the connection is refused.

>> Trying 127.0.0.1...
>> [NEW] tcp      6 120 SYN_SENT src=127.0.0.1 dst=127.0.0.1
>> sport=59734 dport=23 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=23
>> dport=59734
>>
>> ...seconds later...
>> # conntrack -L | grep =23
>> conntrack v0.9.14 (conntrack-tools): 12 flow entries have been shown.
>> tcp      6 97 SYN_SENT src=127.0.0.1 dst=127.0.0.1 sport=59734
>> dport=23 packets=1 bytes=60 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1
>> sport=23 dport=59734 packets=0 bytes=0 mark=0 secmark=0 use=2
>>
>> 2 minutes it is.

That's because it is a locally generated connection, so the conntrack
confirm takes place after POSTROUTING. Even though the packet is dropped
in INPUT after it is looped back, the conntrack entry is already
confirmed. Now try again with the DROP rule in OUTPUT, or from a remote
host.

> oh, well exactly what I did.

Probably not exactly.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
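An added example, not part of the thread above and not code from conntrack-tools: a small Python parser for the `conntrack -L` and `conntrack -E` lines quoted in the exchange. It picks out the half-open entries Jan describes (tcp, SYN_SENT, [UNREPLIED], zero packets in the reply direction, timeout counting down from the 120 s SYN_SENT default, nf_conntrack_tcp_timeout_syn_sent), so the result of the INPUT-versus-OUTPUT experiment can be checked programmatically instead of with `grep =23`. The sample lines are constructed: the SYN_SENT entry and the [NEW] event are copies of the ones quoted in the thread, the ESTABLISHED and UDP entries are made up for contrast. The dataclass, function and constant names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `conntrack -L` output: the first line copies the
# entry quoted in the thread; the ESTABLISHED and UDP lines are made up.
SAMPLE_CONNTRACK_L = """\
conntrack v0.9.14 (conntrack-tools): 3 flow entries have been shown.
tcp      6 97 SYN_SENT src=127.0.0.1 dst=127.0.0.1 sport=59734 dport=23 packets=1 bytes=60 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=23 dport=59734 packets=0 bytes=0 mark=0 secmark=0 use=2
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=192.0.2.20 sport=40022 dport=22 packets=12 bytes=1900 src=192.0.2.20 dst=192.0.2.10 sport=22 dport=40022 packets=10 bytes=2400 [ASSURED] mark=0 secmark=0 use=1
udp      17 29 src=192.0.2.10 dst=192.0.2.53 sport=5353 dport=53 packets=1 bytes=60 [UNREPLIED] src=192.0.2.53 dst=192.0.2.10 sport=53 dport=5353 packets=0 bytes=0 mark=0 use=1
"""

# Constructed copy of the `conntrack -E` event line quoted in the thread.
SAMPLE_CONNTRACK_E = ("[NEW] tcp      6 120 SYN_SENT src=127.0.0.1 dst=127.0.0.1 "
                      "sport=59734 dport=23 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 "
                      "sport=23 dport=59734")

_KV = re.compile(r"^([a-z]+)=(\S+)$")
_FLAG = re.compile(r"^\[([A-Z_]+)\]$")
# Keys that belong to the two per-direction tuples (id/type/code are the
# ICMP ones); everything else (mark, secmark, use, ...) is entry metadata.
_TUPLE_KEYS = {"src", "dst", "sport", "dport", "packets", "bytes", "type", "code", "id"}


@dataclass
class ConntrackEntry:
    proto: str
    proto_num: int
    timeout: int                 # seconds left before the entry expires
    state: Optional[str]         # TCP state; None for stateless protocols (UDP)
    orig: dict                   # original direction: initiator -> responder
    reply: dict                  # reply direction: responder -> initiator
    flags: set                   # UNREPLIED, ASSURED, ...
    extra: dict                  # mark=, secmark=, use=, ...
    event: Optional[str] = None  # NEW/UPDATE/DESTROY when parsed from -E output


def _coerce(value):
    return int(value) if value.isdigit() else value


def parse_conntrack_line(line):
    """Parse one `conntrack -L` or `conntrack -E` line into a ConntrackEntry."""
    tokens = line.split()
    event = None
    if tokens and _FLAG.match(tokens[0]):          # leading [NEW]/[UPDATE]/[DESTROY]
        event = _FLAG.match(tokens[0]).group(1)
        tokens = tokens[1:]
    if len(tokens) < 3:
        raise ValueError("not a conntrack entry: %r" % line)
    proto, proto_num, timeout = tokens[0], int(tokens[1]), int(tokens[2])
    rest = tokens[3:]
    state = None
    # Only connection-oriented protocols print a state word after the timeout.
    if rest and not _KV.match(rest[0]) and not _FLAG.match(rest[0]):
        state = rest.pop(0)
    orig, reply, flags, extra = {}, {}, set(), {}
    current = orig
    for tok in rest:
        m = _FLAG.match(tok)
        if m:
            flags.add(m.group(1))
            continue
        m = _KV.match(tok)
        if not m:
            raise ValueError("unexpected token %r in %r" % (tok, line))
        key, value = m.group(1), _coerce(m.group(2))
        if key in _TUPLE_KEYS:
            # The reply tuple begins when a tuple key repeats (the second src=).
            if key in current and current is orig:
                current = reply
            current[key] = value
        else:
            extra[key] = value
    return ConntrackEntry(proto, proto_num, timeout, state, orig, reply, flags, extra, event)


def parse_conntrack_output(text):
    """Parse every entry line, skipping the 'flow entries have been shown' banner."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("conntrack v"):
            continue
        entries.append(parse_conntrack_line(line))
    return entries


def half_open_entries(entries):
    """TCP flows that conntrack confirmed but whose SYN never got a SYN/ACK.

    This is what a locally generated connection looks like when its SYN is
    confirmed at POSTROUTING and then dropped in INPUT on the way back in:
    SYN_SENT, [UNREPLIED], zero reply packets, timeout ticking down from 120 s.
    """
    return [e for e in entries
            if e.proto == "tcp" and e.state == "SYN_SENT" and "UNREPLIED" in e.flags]


def entries_for_port(entries, port):
    """Equivalent of `conntrack -L | grep =<port>`, but matching tuple ports only."""
    return [e for e in entries
            if port in (e.orig.get("sport"), e.orig.get("dport"),
                        e.reply.get("sport"), e.reply.get("dport"))]


if __name__ == "__main__":
    for e in half_open_entries(parse_conntrack_output(SAMPLE_CONNTRACK_L)):
        print("half-open: %s:%s -> %s:%s, expires in %d s"
              % (e.orig["src"], e.orig["sport"], e.orig["dst"], e.orig["dport"], e.timeout))
```

On a live box, feed parse_conntrack_output() the stdout of `conntrack -L` (the banner line goes to stderr there, so it is only seen when pasting output as in the thread). Repeating the experiment with the DROP rule moved to OUTPUT, or with the SYN sent from a remote host, should leave half_open_entries() empty, because the SYN is then dropped before the entry is confirmed.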