On Friday 2010-11-05 10:21, Husnu Demir wrote:

>Hi,
>
>I have been using the conntrack module for a while. As the suggested configuration, I add:
>
>-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>-A FORWARD -m conntrack --ctstate INVALID -j DROP
>
>at the top of the configuration. After that I added the drop rule as:
>
>-A FORWARD -i eth0 -o eth1 -m set --match-set STOPALL src -j DROP
>
>I added an IP address, 174.142.179.235, a SPAMMER, to stop its
>communication. But it did not stop.

How are you determining this?

>I wrote "drop everything from STOPALL list", but the connection is not dropped.

It drops packets, not connections.

>If I write the DROP statement above the 1st rule, it will drop all the
>connections. What is wrong?

Perhaps nothing. You clearly accept established connections first, so only new ones will be ignored. It does not change existing ones.

>I do not want to write the DROP statement at the top?

Do you?

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
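An added example, not code from the thread: a small model of first-match traversal of the FORWARD chain quoted above, with a toy conntrack table, showing the point of the reply. With the RELATED,ESTABLISHED ACCEPT first, the STOPALL DROP only catches packets of new flows; putting the DROP first, or deleting the existing conntrack entries for that source (what `conntrack -D -s <ip>` does on a real box), stops the already-established flow as well. The destination addresses 10.0.0.5 and 10.0.0.9 are constructed.

```python
from dataclasses import dataclass

SPAMMER = "174.142.179.235"  # the address blocked in the thread

@dataclass
class Packet:
    src: str
    dst: str
    in_if: str = "eth0"
    out_if: str = "eth1"

def ctstate(pkt, table):
    """Simplified --ctstate: a flow already in the table (either direction) is ESTABLISHED."""
    if (pkt.src, pkt.dst) in table or (pkt.dst, pkt.src) in table:
        return "ESTABLISHED"
    return "NEW"

# The rules from the thread as first-match callables returning a verdict or None.
def accept_established(pkt, state, stopall):  # --ctstate RELATED,ESTABLISHED -j ACCEPT
    return "ACCEPT" if state in ("RELATED", "ESTABLISHED") else None
def drop_invalid(pkt, state, stopall):        # --ctstate INVALID -j DROP
    return "DROP" if state == "INVALID" else None
def drop_stopall(pkt, state, stopall):        # -i eth0 -o eth1 -m set --match-set STOPALL src -j DROP
    hit = pkt.in_if == "eth0" and pkt.out_if == "eth1" and pkt.src in stopall
    return "DROP" if hit else None

AS_POSTED = [accept_established, drop_invalid, drop_stopall]
DROP_FIRST = [drop_stopall, accept_established, drop_invalid]

def forward(pkt, chain, table, stopall, policy="ACCEPT"):
    """Walk the FORWARD chain; first match wins. An accepted packet creates or keeps its entry."""
    state = ctstate(pkt, table)
    verdict = policy
    for rule in chain:
        v = rule(pkt, state, stopall)
        if v:
            verdict = v
            break
    if verdict == "ACCEPT":
        table.add((pkt.src, pkt.dst))
    return verdict

def scenario(chain, flush_conntrack=False):
    """A flow from SPAMMER starts, then SPAMMER is added to STOPALL. Returns the three verdicts."""
    table, stopall = set(), set()
    old_flow = Packet(SPAMMER, "10.0.0.5")  # constructed: flow that existed before the block
    new_flow = Packet(SPAMMER, "10.0.0.9")  # constructed: flow attempted after the block
    verdicts = [forward(old_flow, chain, table, stopall)]  # nothing listed yet -> ACCEPT
    stopall.add(SPAMMER)                                    # ipset add STOPALL 174.142.179.235
    if flush_conntrack:  # effect of conntrack -D -s 174.142.179.235 on the state table
        table = {f for f in table if f[0] != SPAMMER}
    verdicts.append(forward(old_flow, chain, table, stopall))  # next packet of the old flow
    verdicts.append(forward(new_flow, chain, table, stopall))  # first packet of the new flow
    return verdicts
```

`scenario(AS_POSTED)` returns ACCEPT for the old flow and DROP only for the new one, which is exactly the behaviour reported; `scenario(DROP_FIRST)` and `scenario(AS_POSTED, flush_conntrack=True)` drop both.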