Christian Ruppert wrote:
>
> I noticed that neither *NAT nor redirects will work when using the
> SYNPROXY module with e.g. those settings:
> net.netfilter.nf_conntrack_tcp_loose=0
> sysctl -w net.ipv4.tcp_syncookies=1
> sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
> sysctl -w net.ipv4.tcp_timestamps=1
>
> iptables -t raw -I PREROUTING -p tcp -m tcp --syn -j CT --notrack

This rule disables connection tracking which is required for stateful NAT operation.

> iptables -I INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED
> -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
> iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
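
A coarse lint for the conflict described in the reply, added here as an example and not part of the original thread: it scans an `iptables-save` dump for raw-table notrack rules and reports nat-table rules on the same protocol. The function names, the sample dump, and the REDIRECT and MASQUERADE rules in it are constructed for illustration; matching is by protocol only.

```python
import shlex

# Constructed iptables-save dump mirroring the rules quoted in the thread,
# plus a hypothetical REDIRECT rule of the kind the poster says stops working.
SAMPLE_DUMP = """\
*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CT --notrack
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -p udp -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
-A INPUT -m conntrack --ctstate INVALID -j DROP
COMMIT
"""

def parse_rules(dump):
    """Yield (table, chain, protocol, target, raw_line) for each -A rule."""
    table = None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]          # "*raw", "*nat", "*filter" open a table section
        elif line.startswith("-A "):
            tok = shlex.split(line)
            opt = lambda flag: tok[tok.index(flag) + 1] if flag in tok else None
            target = opt("-j")
            if target == "CT" and "--notrack" in tok:
                target = "NOTRACK"    # treat CT --notrack like the legacy NOTRACK target
            yield table, tok[1], opt("-p") or "all", target, line

def notrack_nat_conflicts(dump):
    """Return nat-table rules whose protocol is also exempted from conntrack in raw."""
    rules = list(parse_rules(dump))
    untracked = {p for t, _, p, tgt, _ in rules if t == "raw" and tgt == "NOTRACK"}

    def overlaps(proto):
        return bool(untracked) and ("all" in untracked or proto == "all" or proto in untracked)

    return [line for t, _, p, _, line in rules if t == "nat" and overlaps(p)]

if __name__ == "__main__":
    for rule in notrack_nat_conflicts(SAMPLE_DUMP):
        print("nat rule affected by raw-table notrack:", rule)
```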