On 17.06.23 at 05:22, public1020 wrote:
I have a simple nat configuration to forward certain access to a gateway:

iptables -t nat -A PREROUTING -p tcp -m set --match-set http_port dst,dst -j DNAT --to-destination XXX:80
iptables -t nat -A POSTROUTING -j MASQUERADE

Can I do that without nat? Just trying to avoid the "conntrack table full" issue. Is there a non-stateful solution?
conntrack doesn't depend on NAT at all, but nearly any useful setup depends on conntrack
I can't think of a useful ruleset without RELATED,ESTABLISHED rules, and ctstate *is* conntrack
in other words: without explicit "CT notrack" in the RAW-table there is *always* conntrack
fix your config instead of trying to work around it

[root@firewall:~]$ cat /etc/modprobe.d/iptables-conntrack.conf
options nf_conntrack hashsize=524288 expect_hashsize=2048
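The two points in the reply, made concrete as an added shell example that is not part of the thread: a check of how full the conntrack table is (read from the standard /proc/sys/net/netfilter counters, overridable via CT_SYS for testing), and the raw-table CT --notrack rules that are the only way to exempt a flow from tracking. The port number and the warning threshold are assumptions for illustration; DNAT'ed flows cannot be exempted this way because NAT itself needs the conntrack entry.

```shell
#!/bin/sh
# Added example, not from the original thread. Inspects conntrack table
# pressure and prints the raw-table rules that really disable tracking
# for one service. CT_SYS defaults to the kernel's sysctl directory.

CT_SYS="${CT_SYS:-/proc/sys/net/netfilter}"

# conntrack_usage_pct COUNT MAX -> integer percentage of the table in use
conntrack_usage_pct() {
    count="$1"; max="$2"
    [ "$max" -gt 0 ] || { echo 0; return 1; }
    echo $(( count * 100 / max ))
}

# conntrack_check [WARN_PCT]: read the live counters and fail (exit 1) when
# usage is at or above the threshold, so a monitor fires before the kernel
# starts logging "nf_conntrack: table full, dropping packet"
conntrack_check() {
    warn="${1:-80}"
    count=$(cat "$CT_SYS/nf_conntrack_count")
    max=$(cat "$CT_SYS/nf_conntrack_max")
    pct=$(conntrack_usage_pct "$count" "$max")
    echo "conntrack: $count/$max entries (${pct}%)"
    [ "$pct" -lt "$warn" ]
}

# notrack_rules PORT: print the rules that exempt one local TCP service from
# conntrack. Because untracked packets never match RELATED,ESTABLISHED, the
# filter table needs an explicit UNTRACKED accept for that service.
# (Hypothetical port; not a recommendation to untrack anything in particular.)
notrack_rules() {
    port="$1"
    printf 'iptables -t raw -A PREROUTING -p tcp --dport %s -j CT --notrack\n' "$port"
    printf 'iptables -t raw -A OUTPUT -p tcp --sport %s -j CT --notrack\n' "$port"
    printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate UNTRACKED -j ACCEPT\n' "$port"
}
```

Raising hashsize as in the reply's modprobe.d snippet only takes effect at module load (or via /sys/module/nf_conntrack/parameters/hashsize), while nf_conntrack_max can be changed at runtime with sysctl.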