On 11/05/2010 01:12 PM, Jan Engelhardt wrote: > > On Friday 2010-11-05 10:21, Husnu Demir wrote: >> Hi, >> >> I am using conntrack module for a while. As suggested configuration I do add ; >> >> >> -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT >> -A FORWARD -m conntrack --ctstate INVALID -j DROP >> >> At the top of the configuration. After that I added the drop rule as; >> >> -A FORWARD -i eth0 -o eth1 -m set --match-set STOPALL src -j DROP >> >> I added an IP address, >> 174.142.179.235 a SPAMMER, to stop its communication. But it did no stop. > > How are you determining this? In fact this address collecting passwords from a hacked site and I want tot stop it. It is an HTTP connection. And If I put this IP to the list I coud connect the web site. But if I put the rule above the first rule I could not connect. http://www.formchamp.com/form.php?id=1120 is the actual SCAM site. > >> I wrote "drop everything from STOPALL list", but the connection is not dropped. > > It drops packets, not connections. But if it cannot send any packets how a connection can be established? > >> If >> I wrote the the DROP statement above the 1st rule, it will drop all the >> connection. What is wrong? > > Perhaps nothing. You clearly accept established connections first, > so only new ones will be ignored. It does not change existing ones. > >> I do not want to write DROP statement to the top? > > Do you? In fact my all drop statements are at the top accept first one. I had some different issues when I wrote it below. It seems better for me to keep it at the top. Perpahps I should re-consider it. thanks. hdemir.
begin:vcard fn:Husnu Demir n:Demir;Husnu email;internet:hdemir@xxxxxxxxxxx tel;work:+903122103330 tel;fax:+903122103303 x-mozilla-html:FALSE version:2.1 end:vcard
