From: Gáspár Lajos
Subject: Re: Default deny rule
Date: Wed, 30 May 2007 12:25:07 +0200
Message-ID: <465D5103.3000507@freemail.hu>
References: <464440C4.7000605@freemail.hu> <4648570D.4040308@freemail.hu> <4651C2EE.2080803@freemail.hu> <465C24E0.8010001@freemail.hu>
To: Gopinath
Cc: netfilter@lists.netfilter.org

Gopinath wrote:
> Thank you very much Lajos !!!!!!!!!!!!!!!
>
> It is working fine now after adding the line "-m conntrack --ctstate
> DNAT" in the ACCEPT statement of the FORWARD chain as you've said in
> the previous mail.
>
> Could you please explain how it works after adding the line "-m
> conntrack --ctstate DNAT" in the ACCEPT statement of the FORWARD chain? I'm
> very eager to know this :-)
>

Okay... :D

I have attached an image that shows the route of the packet.

In the PREROUTING nat table the destination address gets DNATed IF the client wants to talk to the EXTERNAL address.
But if the INTERNAL address is used for a new connection then this rule does not get hit !!! (No DNAT!!!)

In the FORWARD filter table you were accepting EVERY connection that has an INTERNAL destination address.
If you use the conntrack module then ONLY the DNATed packets get accepted!!!

> Regards,
> Gopinath.U
>
>
> I have also upgraded my iptables to version 1.3.7

Good to hear... :D

Swifty
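The thread never shows the actual rules, so here is an added example (not Gopinath's or Lajos's ruleset) that reconstructs the two FORWARD variants being discussed: the broad rule that accepts anything addressed to the internal host, beside the one restricted with `-m conntrack --ctstate DNAT`, together with the PREROUTING DNAT rule and the default-deny FORWARD policy that gives the thread its subject. The addresses, port and the `IPT`/`APPLY` variables are constructed placeholders; set `IPT=echo` to print the rules without root or a live firewall.

```shell
#!/bin/sh
# Added example, not code from the netfilter thread. Addresses are constructed.
EXT_IP="${EXT_IP:-198.51.100.10}"   # router's EXTERNAL address (assumed)
INT_IP="${INT_IP:-192.168.1.20}"    # INTERNAL server behind the router (assumed)
IPT="${IPT:-iptables}"              # IPT=echo prints the rules instead of applying

# Default deny for forwarded traffic: nothing passes unless a rule accepts it.
forward_policy_drop() {
    "$IPT" -P FORWARD DROP
}

# PREROUTING nat: only packets whose destination is the EXTERNAL address are
# rewritten to the INTERNAL server. A client that connects straight to
# INT_IP never matches this rule, so its connection carries no DNAT mark.
apply_dnat() {
    "$IPT" -t nat -A PREROUTING -d "$EXT_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$INT_IP":80
}

# The broad rule from the thread: EVERY forwarded connection with an
# INTERNAL destination is accepted, whether or not it went through DNAT.
forward_broad() {
    "$IPT" -A FORWARD -d "$INT_IP" -p tcp --dport 80 -j ACCEPT
}

# The corrected rule: conntrack records that the connection was DNATed, and
# --ctstate DNAT matches only such connections. Direct connections to INT_IP
# have no DNAT flag, fall through, and hit the DROP policy.
forward_dnat_only() {
    "$IPT" -A FORWARD -d "$INT_IP" -p tcp --dport 80 \
        -m conntrack --ctstate DNAT -j ACCEPT
    # Reply and related traffic of already-accepted connections.
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Apply for real only when explicitly requested (needs root and iptables).
if [ "${APPLY:-0}" = "1" ]; then
    forward_policy_drop
    apply_dnat
    forward_dnat_only
fi
```

To confirm the restricted rule is the one counting traffic, compare packet counters with `iptables -L FORWARD -v -n` after a connection through the external address and after one aimed directly at the internal address; only the first should increment the `ctstate DNAT` rule.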