Re: NOTRACK not working
On 01/26/2010 09:35 PM, Покотиленко Костик wrote:
> On Tue, 26/01/2010 at 21:15 +0100, Dennis J. wrote:
>> On 01/26/2010 07:49 PM, Покотиленко Костик wrote:
>>> On Tue, 26/01/2010 at 19:38 +0100, Dennis J. wrote:
>>>> Hi,
>>>>
>>>> For a while now I excluded two IPs on my firewall from connection
>>>> tracking which works very well. Now I tried adding another IP but that
>>>> doesn't seem to work. I added the following rules:
>>>>
>>>> iptables -t raw -A PREROUTING -s 192.168.10.10 -j NOTRACK
>>>> iptables -t raw -A PREROUTING -d 192.168.10.10 -j NOTRACK
>>>>
>>>> Yet when I look in /proc/net/ip_conntrack I still see 192.168.10.10
>>>> using up most of the entries. Is there something else that needs to be
>>>> done to exclude this IP completely from the connection tracking table?
>>>
>>> Probably conntrack has seen packets from this IP before you added those
>>> rules, they will remain until connection is "closed" and/or timeout
>>> occurs. Quick hack is to do "conntrack -F; conntrack -F expect".
>>
>> Makes sense. Where can I find the conntrack command? This is a regular
>> centos 5 system but I can't find any packages that contain this command.
>
> In Debian this is in "conntrack" package. I'm not centos user, but you
> will probably find a way to see which package contains a certain file on
> centos website.
I didn't find the required packages but rebuilding them from the fedora versions was easy. After installing I was able to clear the table as described. Thanks!
Regards,
Dennis
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
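The fix discussed in this thread has two parts: the two raw-table NOTRACK rules, and a flush of the tracking state that was built up before the rules existed. What the thread does not show is how to confirm afterwards that the host really has no remaining entries. The script below is an added example, not code from the thread or from the netfilter project: it wraps the thread's rules and flush commands in one function and adds a check that counts conntrack lines referencing a host as an exact `src=`/`dst=` field, so `192.168.10.10` is not confused with `192.168.10.100`. The IP address is the one from the thread; the function names and the sample table lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread or the netfilter project: exclude one
# host from connection tracking as described in the thread, then verify that
# no entries for it remain. 192.168.10.10 is the IP from the thread; the
# function names and the sample table below are constructed for this example.

# Apply the thread's two raw-table rules and flush the tracking and
# expectation tables so entries created before the rules existed do not
# linger. Needs root, iptables and the conntrack tool; the offline
# self-test does not call it.
exclude_from_conntrack() {
    ip="$1"
    iptables -t raw -A PREROUTING -s "$ip" -j NOTRACK
    iptables -t raw -A PREROUTING -d "$ip" -j NOTRACK
    conntrack -F
    conntrack -F expect
}

# Build an extended regex that matches the host only as a whole src= or
# dst= field (followed by a space or end of line), so 192.168.10.10 does
# not also match 192.168.10.100.
host_pattern() {
    escaped=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '(src|dst)=%s( |$)' "$escaped"
}

# Count table lines (one per tracked connection) that reference the host.
# Reads the table from stdin, so it works on /proc/net/ip_conntrack,
# /proc/net/nf_conntrack or `conntrack -L` output alike. grep -c prints 0
# and exits 1 when nothing matches, hence the || true.
count_entries_for() {
    grep -c -E "$(host_pattern "$1")" || true
}

# Live check on the running firewall: 0 means the host is fully excluded.
live_entries_for() {
    count_entries_for "$1" < /proc/net/ip_conntrack
}

# Constructed sample of /proc/net/ip_conntrack lines for offline use:
# two connections involve 192.168.10.10, one involves 192.168.10.100.
SAMPLE_TABLE='tcp      6 431999 ESTABLISHED src=192.168.10.10 dst=10.0.0.5 sport=44512 dport=80 packets=12 bytes=1840 src=10.0.0.5 dst=192.168.10.10 sport=80 dport=44512 packets=10 bytes=9120 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.10.100 dst=10.0.0.53 sport=51234 dport=53 packets=1 bytes=60 src=10.0.0.53 dst=192.168.10.100 sport=53 dport=51234 packets=1 bytes=120 mark=0 use=1
tcp      6 117 TIME_WAIT src=10.0.0.7 dst=192.168.10.10 sport=38211 dport=443 packets=6 bytes=900 src=192.168.10.10 dst=10.0.0.7 sport=443 dport=38211 packets=5 bytes=4300 [ASSURED] mark=0 use=1'

# Run the check against the constructed sample. On a real firewall use:
#   exclude_from_conntrack 192.168.10.10 && live_entries_for 192.168.10.10
sample_count() {
    printf '%s\n' "$SAMPLE_TABLE" | count_entries_for "$1"
}
```

One caveat worth knowing when reading the result: the raw table's PREROUTING chain only sees packets that arrive on an interface, which covers forwarded traffic as in the thread. Connections the firewall itself originates towards that host pass through the raw OUTPUT chain instead, so if `live_entries_for` still reports entries after the flush, check whether they are locally generated and add matching rules there.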