Re: SYNPROXY *NAT/redirects etc.

Hey,

On 2015-06-24 23:57, Pascal Hambourg wrote:
> Christian Ruppert wrote:
>
>> On 2015-06-23 23:33, Pascal Hambourg wrote:
>>> Christian Ruppert wrote:
>>>
>>>> iptables -t raw -I PREROUTING -p tcp -m tcp --syn -j CT --notrack
>>>
>>> This rule disables connection tracking which is required for stateful
>>> NAT operation.
>>
>> Thanks! From what I've seen/read, this rule is required or am I wrong?
>
> AFAIK it's not strictly required for SYNPROXY operation. It just saves
> connection tracking resources.

I tried some different setups but somehow I don't get it working.

So if we keep using "sysctl -w net.netfilter.nf_conntrack_tcp_loose=0", which is still being used by:
iptables -I INPUT -p tcp -m tcp -m conntrack --ctstate INVALID -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460

I thought I could just avoid that --notrack rule and therefore do something like:
iptables -I INPUT -p tcp -m tcp --syn -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460

But that doesn't work (neither new nor established connections work; default INPUT is DROP, btw). What's the difference here between the raw/PREROUTING rule, which basically just marks it as untracked so it can be passed to the extension in the filter table, and just doing "--syn -j SYNPROXY ..." in the filter table? Does the "--notrack" one actually do more? I need to keep the NAT/redirect functionality while using the SYNPROXY extension.

--
Regards,
Christian Ruppert
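For readers of the archive: the rule set below is an added example, not part of this thread or of either poster's configuration. It reproduces the SYNPROXY pattern documented in the iptables-extensions man page so the two rules discussed above can be seen side by side: the raw-table --notrack rule makes the initial SYN reach INPUT with conntrack state UNTRACKED, and the client's final ACK (for which conntrack never saw a SYN) arrives as INVALID, which is why the documented INPUT rule matches on INVALID,UNTRACKED rather than INVALID alone. Interface and port are assumed values; the script only prints the commands by default (DRY_RUN=1) so it can be reviewed without touching a live firewall. It does not include any nat-table rules, so it says nothing about how those interact with SYNPROXY.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Follows the SYNPROXY
# rule set documented in the iptables-extensions man page.
# IFACE and PORT are assumed values for illustration.
IFACE="${IFACE:-eth0}"
PORT="${PORT:-80}"
# DRY_RUN=1 (default) prints each command instead of executing it, so the
# rule set can be read offline; set DRY_RUN=0 on the firewall host itself.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

synproxy_rules() {
    # Conntrack must not pick up connections mid-stream (it would otherwise
    # accept the client's ACK as a picked-up flow instead of marking it
    # INVALID), and TCP timestamps are needed for the --timestamp option.
    run sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
    run sysctl -w net.ipv4.tcp_timestamps=1

    # 1. Let the initial SYN bypass conntrack: it reaches INPUT as UNTRACKED.
    run iptables -t raw -A PREROUTING -i "$IFACE" -p tcp --dport "$PORT" \
        --syn -j CT --notrack

    # 2. Hand both the UNTRACKED SYN and the client's final ACK (INVALID,
    #    since conntrack saw no SYN for it) to SYNPROXY. SYNPROXY answers
    #    the SYN with a cookie SYN-ACK itself, and only after the ACK
    #    validates does it open the connection to the local stack and
    #    create the conntrack entry. Rule order matters: this must come
    #    before the DROP below.
    run iptables -A INPUT -i "$IFACE" -p tcp --dport "$PORT" \
        -m conntrack --ctstate INVALID,UNTRACKED \
        -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460

    # 3. Anything still INVALID on this port did not go through the proxy.
    run iptables -A INPUT -i "$IFACE" -p tcp --dport "$PORT" \
        -m conntrack --ctstate INVALID -j DROP

    # 4. Once SYNPROXY has created the conntrack entry the connection is
    #    tracked normally, so the usual stateful accept applies.
    run iptables -A INPUT -i "$IFACE" -p tcp --dport "$PORT" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

synproxy_rules
```

Run it as-is to print the rules; run with DRY_RUN=0 as root to apply them. The difference from matching --syn directly in INPUT is visible in step 1: without the raw-table rule the SYN is tracked, so the later packets are neither UNTRACKED nor INVALID and the SYNPROXY rule never sees them.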