[LARTC] Re: iptables rule not matching after stream begins
Bob Beers
bob.beers at gmail.com
Tue Nov 21 17:05:23 CET 2006
On 11/21/06, Alexey Toptygin <alexeyt at freeshell.org> wrote:
> On Tue, 21 Nov 2006, Bob Beers wrote:
>
> > Let me try to restate my question:
> >
> > Is it a common problem that inserting a rule after a (UDP) stream is
> > established does not match the rule, even though the exact same
> > rule for the exact same stream does match, as long as it is inserted
> > before the first packet of the stream arrives?
>
> This is the way it is designed: PREROUTING rules in the nat table are only
> checked for packets that haven't already been assigned to a connection. If
> you want, you can use the conntrack tool to flush the connection states
> after you add a new rule.
Ah, yes, this sounds like what I need. Please excuse my ignorance, but
how does one "use the conntrack tool to flush the connection states
after you add a new rule"? I have read through several tutorials and
the iptables man pages, but did not yet find this particular gem. In
my ideal solution, I would flush only the connection in question, to
avoid any perturbance of other connections.
<after a little googling ...>
I guess you mean this:
<http://www.netfilter.org/projects/conntrack/index.html>
and/or this:
<http://www.netfilter.org/projects/libnetfilter_conntrack/index.html>
I will RTF documentation, now that I see it ...
But, I wonder, is there a shortcut to the behavior I want
through iptables --ctstatus and friends?
>
> Alexey
>
Thank you all very much for the hints so far.
Bob
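An added example (not code from this thread or from the netfilter project) of the workflow Alexey describes: insert the nat rule, then use the conntrack tool to delete only the entry for the affected UDP flow rather than flushing the whole table. The addresses, ports and the DNAT rule are constructed; DRY_RUN defaults to printing the commands so it can be read without root.

```sh
#!/bin/sh
# Added example, not code from the thread or from the netfilter project.
# Insert a nat PREROUTING rule, then delete only the conntrack entry for the
# UDP flow it should affect, so that flow's next packet is classified NEW and
# traverses the nat table again. Other tracked flows are left alone.
# DRY_RUN=1 (the default here) prints the commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Delete the tracked entry (or entries) whose original direction matches
# src -> dst:dport over UDP. conntrack -D removes every entry matching the
# filter, so add --orig-port-src when several flows share this tuple.
flush_udp_flow() {
    run conntrack -D -p udp --orig-src "$1" --orig-dst "$2" --orig-port-dst "$3"
}

# Insert the rule first, then flush the flow: if the entry were removed before
# the rule exists, the next packet could re-create it with the old mapping.
# Arguments after the tuple are passed to iptables as the rule specification.
renat_udp_flow() {
    src="$1"; dst="$2"; dport="$3"; shift 3
    run iptables -t nat -I PREROUTING "$@"
    flush_udp_flow "$src" "$dst" "$dport"
}

# Real-run check: succeeds if a matching entry is still tracked. Only
# meaningful with DRY_RUN=0; conntrack -L prints one entry per line on stdout.
udp_flow_tracked() {
    [ -n "$(conntrack -L -p udp --orig-src "$1" --orig-dst "$2" \
              --orig-port-dst "$3" 2>/dev/null)" ]
}

# Constructed values: move 198.51.100.7's UDP stream to 192.0.2.10:5060
# onto a different internal host.
renat_udp_flow 198.51.100.7 192.0.2.10 5060 \
    -p udp -s 198.51.100.7 -d 192.0.2.10 --dport 5060 \
    -j DNAT --to-destination 192.0.2.20:5060
```

Run with DRY_RUN=0 as root to apply; afterwards `udp_flow_tracked` should fail until the next packet of the stream re-creates the entry via the new rule.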