Bug: iptables rules don't override connection tracking

Patrick Schaaf bof@bof.de
Sun, 2 Dec 2001 17:20:48 +0100


On Sun, Dec 02, 2001 at 07:51:55AM -0800, Paul J. Lucas wrote:
> On Sun, 2 Dec 2001, Patrick Schaaf wrote:
> 
> > You mean you insert a rule like
> > 
> > 	iptables -I INPUT -p udp -m state --state ESTABLISHED -j DROP
> > 
> > and it does not take effect?
> 
> 	More like:
> 
> 	iptables -t nat -A PREROUTING -s x.x.x.x --protocol udp --source-port 1234 -j DNAT --to-destination y.y.y.y:5678

This indeed influences only yet-untracked connections. The nat table is
only consulted when there's no conntrack matching the packet.

You use filter table rules, not nat table rules, to _police_ conntracked
and non-conntracked stuff.

I doubt there is a kernel bug involved; it's just that you try to do things
the system was not designed to do. Please learn more about how conntracking
works, and adjust your expectations and design accordingly.

If you want further assistance, it would be helpful if you could give
an example of what you are trying to accomplish.

best regards
  Patrick
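A rule layout that follows the advice above, as an added example that is not part of the thread: the DNAT rule stays in the nat table (consulted only for the first packet of a new flow), while the existing flow is policed from the filter table. Addresses and ports are constructed placeholders, and the optional conntrack flush assumes conntrack-tools is installed.

```shell
#!/bin/sh
# Added example: nat table for NEW flows, filter table for policing tracked flows.
set -eu

SRC=${SRC:-192.0.2.10}           # original client (constructed, TEST-NET-1)
SPORT=${SPORT:-1234}
NEWDST=${NEWDST:-198.51.100.20}  # new destination (constructed, TEST-NET-2)
NEWPORT=${NEWPORT:-5678}
IPTABLES=${IPTABLES:-iptables}   # set to "echo" for a dry run
CONNTRACK=${CONNTRACK:-conntrack}

# Redirect NEW UDP flows from SRC:SPORT. A flow that already has a conntrack
# entry never reaches this rule, so it is not re-routed.
nat_rules() {
    $IPTABLES -t nat -A PREROUTING -p udp -s "$SRC" --sport "$SPORT" \
        -j DNAT --to-destination "$NEWDST:$NEWPORT"
}

# Policing belongs in the filter table: drop the old (pre-DNAT) flow so the
# client must start a new one, which the nat rule will then redirect.
filter_rules() {
    $IPTABLES -A FORWARD -p udp -s "$SRC" --sport "$SPORT" ! -d "$NEWDST" \
        -m state --state ESTABLISHED -j DROP
    $IPTABLES -A FORWARD -p udp -d "$NEWDST" --dport "$NEWPORT" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
}

# Optional: forget the stale conntrack entry right away so the next packet is
# treated as NEW (assumes conntrack-tools; harmless if no entry exists).
flush_stale_entry() {
    $CONNTRACK -D -p udp --orig-src "$SRC" --orig-port-src "$SPORT" || true
}

apply_all() {
    nat_rules
    filter_rules
    flush_stale_entry
}
```

Run with `IPTABLES=echo CONNTRACK=echo` exported to review the generated commands before applying them as root.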