NAT/POSTROUTING rules don't match packets (SOLVED?)
Henrik Nordstrom
hno at marasystems.com
Mon Oct 10 00:06:19 CEST 2005
On Fri, 7 Oct 2005, Marek Zachara wrote:
> As a workaround, is there a way to manually clean up the conntrack table
There are two methods:
a) Unloading the ip_conntrack module
b) Using the newly released conntrack tools (requires kernel support).
> I'd put it in the boot scripts to assure such problems don't happen
> again. I know I can put an iptables rule in to block all incoming UDP traffic
> for 3 minutes after boot-up (so the entries get cleaned), but this makes
> the router useless for these 3 minutes ...
The entry SHOULD NOT appear in conntrack until there is a route of some
kind for the destination.
Unless you are dependent on dynamic address information on eth1 you could
load your whole iptables ruleset before any of the networking is started.
Or at least make sure ip_conntrack is not loaded before the NAT rules are
created.
Regards
Henrik
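The boot ordering Henrik describes, as an added example that is not part of the original thread or the netfilter project: flush stale conntrack state (method a, unloading ip_conntrack), load the NAT/filter rules, and only then bring the interfaces up. The interface names (eth0 LAN, eth1 external with a static address), the 192.168.1.0/24 LAN range, and the 2.6-era module stack (ipt_MASQUERADE, ipt_state, iptable_nat, ip_conntrack) are assumptions. The script runs in dry-run mode by default, printing the commands it would execute, so it can be exercised off the router; the /proc/modules listings it inspects are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): order the boot-time steps so that no
# conntrack entry can exist before the NAT rules do. Interface names, LAN
# range and module names below are assumptions about a typical 2.6 router.

# Dry run by default so the script can be exercised anywhere; set DRY_RUN=0
# on the router itself to execute the commands instead of printing them.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# True if a conntrack module appears in a /proc/modules-style listing.
# $1 is the path to the listing (/proc/modules on a live box).
conntrack_loaded() {
    grep -Eq '^(ip_conntrack|nf_conntrack)[[:space:]]' "$1"
}

# Method (a) from the reply: unloading ip_conntrack drops the whole table.
# The module will not unload while rules or dependent modules reference it,
# so flush the tables and remove the dependents first (top of the stack down).
# The exact module list is an assumption about what this box has loaded.
flush_by_unload() {
    run iptables -t nat -F
    run iptables -F
    run rmmod ipt_MASQUERADE ipt_state iptable_nat ip_conntrack
}

# Method (b) from the reply: conntrack-tools, when the kernel supports it.
flush_by_tool() {
    run conntrack -F
}

# NAT and forwarding rules. Creating the MASQUERADE rule pulls ip_conntrack
# in, so this is where the module gets (re)loaded, after the flush above.
load_nat_rules() {
    run iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
    run iptables -A FORWARD -i eth0 -o eth1 -s 192.168.1.0/24 -j ACCEPT
    run iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -j DROP
}

# Boot order: rules before networking, so no conntrack entry is created for
# a destination that had no route (and no NAT rule) when its packet arrived.
# $1 is the module listing to inspect.
boot_sequence() {
    if conntrack_loaded "$1"; then
        flush_by_unload
    fi
    load_nat_rules
    run ifup eth0
    run ifup eth1
}

# Constructed /proc/modules-style listings for offline use; each function
# writes one to a temp file and prints the path.
sample_modules_with_conntrack() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
ipt_MASQUERADE 3456 1 - Live 0xe0a1b000
iptable_nat 22788 2 ipt_MASQUERADE, Live 0xe0a2c000
ip_conntrack 51876 2 ipt_MASQUERADE,iptable_nat, Live 0xe0a3d000
e1000 98304 0 - Live 0xe0a4e000
EOF
    echo "$f"
}

sample_modules_without_conntrack() {
    f=$(mktemp)
    printf 'e1000 98304 0 - Live 0xe0a4e000\n' >"$f"
    echo "$f"
}

# Stand-alone use: show what the boot script would do on this machine.
if [ -r /proc/modules ]; then
    boot_sequence /proc/modules
fi
```

With DRY_RUN left at 1 the output is the ordered command list; on a machine where ip_conntrack is already loaded it starts with the two flushes and the rmmod, then the MASQUERADE rule, and ends with the ifup calls. Method (b) is provided as flush_by_tool for kernels with conntrack-tools support and can be substituted for flush_by_unload in boot_sequence.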