Re: How to use DNAT

(sorry for top posting; Gmail mobile client can only reply by top posting)

If I flush the conntrack table, would the next packet be considered NEW?

Because AFAIK the nat table is checked only for NEW packets.

(That would also mean overly-secure rules like -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP must be deleted, or temporarily disabled)

Rgds,


On 2011-02-19, Atle Solbakken <atle@xxxxxxxxxxxxx> wrote:
>
>
> On 18 Feb 2011 at 13:50, Italo Valcy <italo@xxxxxxxxxxx> wrote:
>
>> Hi guys,
>>
>> On 17-02-2011 20:41, Pascal Hambourg wrote:
>>>> Also, bear in mind that the nat table is only consulted for
>>>> packets with state NEW. If your UDP flow state transitions to
>>>> ESTABLISHED before your NAT rule is created, the new rule will
>>>> not be applied to that flow.
>>>
>>> Actually it is even stricter: the nat rules are consulted only for the
>>> first packet of a new flow ("connection"). The next packets skip the nat
>>> rules even when the flow does not transition to ESTABLISHED (when there
>>> is no packet in the reply direction).
>>
>> Yes, you are correct, but I didn't understand this behaviour. I managed
>> to get the netflow traffic working again by stopping the netflow device,
>> waiting about one minute and starting again. Almost sure it's the exact
>> explanation above. But, why this behavior???
>>
>> I think this problem starts happening when I restart the iptables rules
>> and the traffic keeps going. Maybe in that moment, the packets do not
>> pass to the NAT table anymore. How can I fix it? Do you have any ideas,
>> guys? I'm using the rules generated by fwbuilder to start/restart the
>> firewall.
>>
>
> You flush the conntrack table.
>
> # conntrack -F
>
>
> Atle.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>


-- 
Pandu E Poluan - IT Optimizer
My website: http://pandu.poluan.info/
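
The flush Atle suggests and the `! --syn` rule Pandu worries about, worked through as an added example that is not part of the thread: a bash script that removes only the conntrack entries created before the DNAT rule was loaded (the ones whose reply tuple carries no NAT mapping), so established TCP state survives. It assumes conntrack-tools and a UDP DNAT on NetFlow port 2055; the addresses and the sample `conntrack -L` output are constructed.

```shell
#!/bin/bash
# Added example (not from the thread). Delete only the conntrack entries a
# DNAT rule missed, instead of `conntrack -F`, which also drops every
# established TCP session. Assumes conntrack-tools; sample data constructed.
set -u

# Print "yes" if a `conntrack -L` line carries a DNAT mapping, else "no".
# Without NAT the reply tuple mirrors the original: reply src == orig dst.
entry_is_dnated() {
    printf '%s\n' "$1" | awk '{
        ns = 0; nd = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/ && ++ns == 2) reply_src = substr($i, 5)
            if ($i ~ /^dst=/ && ++nd == 1) orig_dst = substr($i, 5)
        }
        if (reply_src != orig_dst) print "yes"; else print "no"
    }'
}

# Read `conntrack -L` lines on stdin; for every entry whose original dport
# is $1 and which has no DNAT mapping, print the `conntrack -D` command
# that removes exactly that entry (nothing is executed here).
stale_dnat_delete_cmds() {
    local port=$1 line
    while IFS= read -r line; do
        [ "$(entry_is_dnated "$line")" = no ] || continue
        # proto, then the original tuple: the first src=, dst=, sport=, dport=
        set -- $(printf '%s\n' "$line" | awk '{ n = 0; printf "%s ", $1
            for (i = 1; i <= NF; i++) if ($i ~ /^(src|dst|sport|dport)=/) {
                sub(/^[a-z]+=/, "", $i); printf "%s ", $i; if (++n == 4) break }
            print "" }')
        [ $# -eq 5 ] && [ "$5" = "$port" ] || continue
        echo "conntrack -D -p $1 --orig-src $2 --orig-dst $3 --orig-port-src $4 --orig-port-dst $5"
    done
}

# Constructed sample of `conntrack -L -p udp --orig-port-dst 2055` output:
# the first entry predates the DNAT rule, the second was created after it.
SAMPLE_CT='udp      17 29 src=198.51.100.7 dst=203.0.113.1 sport=40000 dport=2055 [UNREPLIED] src=203.0.113.1 dst=198.51.100.7 sport=2055 dport=40000 mark=0 use=1
udp      17 29 src=198.51.100.8 dst=203.0.113.1 sport=40001 dport=2055 [UNREPLIED] src=192.168.1.10 dst=198.51.100.8 sport=2055 dport=40001 mark=0 use=1'

# Live run (root + conntrack-tools): `./prune.sh --live 2055` prints the
# commands, `./prune.sh --live 2055 --apply` also runs them.
prune_stale_dnat() {
    conntrack -L -p udp --orig-port-dst "$1" 2>/dev/null |
        stale_dnat_delete_cmds "$1" | while IFS= read -r cmd; do
            echo "$cmd"; if [ "${2-}" = --apply ]; then $cmd; fi
        done
}
if [ "${1-}" = --live ]; then prune_stale_dnat "${2:-2055}" "${3-}"; fi
```

Run it without `--apply` first and compare the printed entries against the flows you expect to have predated the rule reload.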

