On 08.07.19 at 22:05, Will Storey wrote:
> On Mon 2019-07-08 21:07:16 +0200, Reindl Harald wrote:
>> On 08.07.19 at 20:43, Florian Westphal wrote:
>>>> Another thing I'm wondering is whether this rule could be impacting
>>>> connections beyond lo, but I just don't know about it.
>>>
>>> NOTRACK? If you restrict it via -i lo / -o lo, then no, it won't affect
>>> anything else.
>>>
>>> NAT for such connections won't work but that's normally not an issue
>>> in the loopback case.
>>
>> I think the question was if "iptables -t mangle -A PREROUTING -p all -m
>> conntrack --ctstate INVALID -j DROP" also breaks things beyond the "lo"
>> interface, which it shouldn't and doesn't appear to, but who knows
>>
>> it shouldn't break anything at all, also not on "lo"
>
> Right, sorry, I was wondering about the INVALID rule given it would still
> be applied to non-lo traffic.
>
>> if you want to reproduce this, set up SSH forwarding to a VNC server, leave
>> the VNC window in the background and after a relatively short amount of
>> time the tunneled connection with tigervnc-1.9.0-3.fc29.x86_64 just
>> freezes with the last picture
>
> That is concerning if it's the same issue!

it is, the version with "! -i lo" has no problem

iptables -t mangle -A PREROUTING -p all -m conntrack --ctstate INVALID -j DROP
iptables -t mangle -A PREROUTING -p all -m conntrack --ctstate INVALID ! -i lo -j DROP

-t mangle for DROP rules because you don't need to write the same rules in
INPUT and FORWARD and it skips NAT / routing decision while you still can
have your EST/RELATED quick path on top
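The ruleset the thread settles on, written out as an iptables-restore fragment with a small lint that catches the two ways of getting it wrong (an INVALID drop that still matches lo, and an INVALID drop placed above the ESTABLISHED,RELATED fast path). This is an added example, not code posted by anyone in the thread. The exact form of the fast-path rule is an assumption (the mail only says "EST/RELATED quick path on top"), and the commented-out raw-table lines are my rendering of the NOTRACK alternative Florian mentions, using the CT target's --notrack form; they are not applied by default so the generated set only reflects one approach.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Emits an iptables-restore
# ruleset with the INVALID drop in mangle PREROUTING, excluding lo, and keeps
# the ESTABLISHED,RELATED fast path above it. Chain names are the standard
# built-ins; the fast-path rule itself is an assumption about the poster's setup.
emit_ruleset() {
    cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Alternative suggested in the thread: do not conntrack loopback at all.
# Left commented out so this file applies only the "! -i lo" approach.
# -A PREROUTING -i lo -j CT --notrack
# -A OUTPUT -o lo -j CT --notrack
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
# Fast path: already-tracked traffic leaves this chain before the INVALID check.
-A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The variant that froze the tunneled VNC session had no "! -i lo" here.
-A PREROUTING -p all -m conntrack --ctstate INVALID ! -i lo -j DROP
COMMIT
EOF
}

# Lint a ruleset read from stdin. Prints "ok" when the mangle PREROUTING
# INVALID drop exists, excludes lo, and sits below the ESTABLISHED,RELATED
# fast path; otherwise prints the reason and returns 1.
lint_ruleset() {
    rules=$(grep -v '^#' | sed -n '/^\*mangle/,/^COMMIT/p')
    fast=$(printf '%s\n' "$rules" | grep -n 'ESTABLISHED,RELATED -j ACCEPT' | cut -d: -f1 | head -n1)
    inv=$(printf '%s\n' "$rules" | grep -n -- '--ctstate INVALID' | cut -d: -f1 | head -n1)
    [ -n "$inv" ] || { echo "no INVALID rule"; return 1; }
    printf '%s\n' "$rules" | sed -n "${inv}p" | grep -q -- '! -i lo' \
        || { echo "INVALID drop also hits lo"; return 1; }
    [ -n "$fast" ] && [ "$fast" -lt "$inv" ] \
        || { echo "fast path missing or below INVALID drop"; return 1; }
    echo ok
}

# Parse the ruleset with the real iptables-restore parser without committing it
# (the --test flag); needs root, so it is skipped elsewhere.
check_with_iptables() {
    if command -v iptables-restore >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        emit_ruleset | iptables-restore --test
    else
        echo "iptables-restore --test skipped (not installed or not root)"
    fi
}

if [ "${1:-}" = "run" ]; then
    emit_ruleset | lint_ruleset
    check_with_iptables
fi
```

Run `sh rules.sh run` to see the lint verdict; pipe `emit_ruleset` into `iptables-restore` yourself once the lint says ok. Removing the `! -i lo` from the INVALID line reproduces the ruleset that broke the VNC tunnel, and the lint flags exactly that.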