Re: NOTRACK not working
On Tue, 26/01/2010 at 19:38 +0100, Dennis J. wrote:
> Hi,
> For a while now I excluded two IPs on my firewall from connection tracking
> which works very well. Now I tried adding another IP but that doesn't seem
> to work. I added the following rules:
>
> iptables -t raw -A PREROUTING -s 192.168.10.10 -j NOTRACK
> iptables -t raw -A PREROUTING -d 192.168.10.10 -j NOTRACK
>
> Yet when I look in /proc/net/ip_conntrack I still see 192.168.10.10 using
> up most of the entries.
> Is there something else that needs to be done to exclude this IP completely
> from the connection tracking table?

Probably conntrack has seen packets from this IP before you added those rules;
they will remain until the connection is "closed" and/or a timeout occurs.

Quick hack is to do "conntrack -F; conntrack -F expect".

--
Покотиленко Костик <casper@xxxxxxxxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
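As an added example (not code from this thread), a small POSIX shell helper that checks whether a NOTRACK exclusion has actually taken effect: it counts the entries in an ip_conntrack dump that still reference the address and reports the longest remaining timeout, which is how long stale entries can linger if nothing flushes them. The conntrack lines embedded below are constructed sample data, and CONNTRACK_TABLE is an assumed environment variable pointing at the real /proc/net/ip_conntrack.

```shell
#!/bin/sh
# Added example: verify a NOTRACK exclusion against the conntrack table.

# Constructed sample in the legacy /proc/net/ip_conntrack format (not real data).
# Field 3 is the remaining timeout in seconds; src=/dst= pairs appear for both
# the original and the reply direction of each entry.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.10.10 dst=10.0.0.5 sport=45120 dport=443 packets=12 bytes=2310 src=10.0.0.5 dst=192.168.10.10 sport=443 dport=45120 packets=10 bytes=4120 [ASSURED] mark=0 use=1
udp      17 29 src=10.0.0.7 dst=192.168.10.10 sport=5353 dport=5353 packets=1 bytes=80 [UNREPLIED] src=192.168.10.10 dst=10.0.0.7 sport=5353 dport=5353 packets=0 bytes=0 mark=0 use=1
tcp      6 117 TIME_WAIT src=10.0.0.8 dst=10.0.0.9 sport=51000 dport=22 packets=30 bytes=3000 src=10.0.0.9 dst=10.0.0.8 sport=22 dport=51000 packets=28 bytes=6000 [ASSURED] mark=0 use=1'

# Emit the table: the real one if CONNTRACK_TABLE (assumed name) is set,
# otherwise the constructed sample above.
_ct_dump() {
    if [ -n "${CONNTRACK_TABLE:-}" ]; then
        cat "$CONNTRACK_TABLE"
    else
        printf '%s\n' "$SAMPLE_CONNTRACK"
    fi
}

# Count entries that reference $1 as src or dst in either direction.
# Exact field comparison avoids regex-dot pitfalls with addresses.
conntrack_count() {
    _ct_dump | awk -v ip="$1" '
        { for (i = 1; i <= NF; i++)
              if ($i == "src=" ip || $i == "dst=" ip) { n++; break } }
        END { print n + 0 }'
}

# Longest remaining timeout (seconds) among entries referencing $1.
# Without a flush, this is roughly how long the last stale entry survives.
conntrack_max_timeout() {
    _ct_dump | awk -v ip="$1" '
        { for (i = 1; i <= NF; i++)
              if ($i == "src=" ip || $i == "dst=" ip) {
                  if ($3 + 0 > max) max = $3 + 0; break } }
        END { print max + 0 }'
}

# Return 0 when no entries remain for $1 (exclusion effective), else report.
verify_excluded() {
    n=$(conntrack_count "$1")
    if [ "$n" -eq 0 ]; then
        echo "no conntrack entries for $1"
        return 0
    fi
    echo "$n entries still reference $1 (max timeout $(conntrack_max_timeout "$1")s)"
    echo "pre-existing entries are not removed by NOTRACK; flush with: conntrack -F; conntrack -F expect"
    return 1
}
```

Run `CONNTRACK_TABLE=/proc/net/ip_conntrack sh -c '. ./ct_check.sh; verify_excluded 192.168.10.10'` after adding the raw-table rules and again after the flush; a count of zero confirms the address is no longer being tracked.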