Jan Engelhardt wrote:
> On Jul 29 2007 21:36, Zheng Da wrote:
>
>>>> I write a module based on netfilter. It is proposed to be used
>>>> in the filter router, is hooked on the FORWARD point, and has the
>>>> lowest priority, NF_IP_PRI_LAST. It does the following things:
>>>> When it finds a TCP connection from the client to the server, it
>>>> will pretend to be the server to build the connection with the
>>>> client. It blocks the SYN and ACK packets from the client, and
>>>> sends a UDP packet to the server, which can force the server to
>>>> build the TCP connection with the client.
>>>
>>> It is almost impossible to help without seeing code.
>>
>> Sorry, I'm just thinking whether the way my module works may
>> make connection tracking not work correctly. OK. This is my code. A
>> little big.
>
> Quite a lot of code, I'd say, so I could not look through all of it.
> I suspect that NF_IP_PRI_LAST and NF_IP_PRI_FIRST may have problematic
> effects. You could try NF_IP_PRI_FILTER+1 (instead of LAST), and
> NF_IP_PRI_FILTER-1 (instead of FIRST).
>
> Jan

I finally found the problem. The problem is not caused by my module, but by my configuration of iptables. The original configuration is:

iptables -F
iptables -X
iptables -P FORWARD DROP
iptables -A FORWARD -i eth1 -j ACCEPT    <------------------ change this line
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 22 -m state --state ESTABLISHED,NEW -j ACCEPT

If I change the line for eth1 to

iptables -A FORWARD -i eth1 -j ACCEPT -m state --state ESTABLISHED,RELATED,NEW

it works. The question is: what is the difference between

iptables -A FORWARD -i eth1 -j ACCEPT

and

iptables -A FORWARD -i eth1 -j ACCEPT -m state --state ESTABLISHED,RELATED,NEW

I checked ip_conntrack on the Router; the connections between Client and Server are ASSURED in both configurations.

I used Wireshark to capture the packets in the original configuration. I put the result in the attachment.

external: the packets between Client and Router
internal: the packets between Router and Server

Does anyone have any idea?

Best,
Zheng Da
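The two rule sets from the message, rendered side by side as an added example (not part of the original thread or of the module's code). The point the example makes explicit: `-m state --state NEW,ESTABLISHED,RELATED` matches only packets that conntrack has classified as one of those three states, so a packet conntrack classifies as INVALID (and UNTRACKED, if a raw-table NOTRACK rule is in use) does not match it and falls through to the chain policy, which here is DROP. A bare `-i eth1 -j ACCEPT` has no state match and accepts such packets too. That is the whole difference between the two eth1 rules; putting `-j ACCEPT` before or after `-m state` does not change anything. The iptables-restore layout and the explicit INVALID rule are assumptions added here so the difference is visible and countable; eth0, eth1 and the ssh port are taken from the message.

```shell
#!/bin/sh
# Added example (not from the original message): the original and the
# stateful FORWARD rule sets in iptables-restore format, plus a small
# helper that compares them without loading anything into the kernel.

# Original set. The eth1 rule has no state match, so any packet arriving
# on eth1 is accepted, including ones conntrack classifies as INVALID
# (out-of-window segments, replies to connections conntrack never saw, ...).
ruleset_original() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth0 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Stateful set. NEW,ESTABLISHED,RELATED covers every conntrack state except
# INVALID (and UNTRACKED), so INVALID packets from eth1 would fall through
# to the DROP policy anyway; the explicit INVALID rule (assumption, not in
# the message) makes that visible and gives you a counter in iptables -vnL.
ruleset_stateful() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Count the eth1 FORWARD rules in a set that carry no state match, i.e. the
# rules that would also accept an INVALID-state packet. Takes the name of a
# ruleset function. grep -c prints 0 and exits 1 when nothing is left, so
# the status is masked to keep the count usable under set -e.
eth1_rules_without_state_match() {
    "$1" | grep -- '-A FORWARD -i eth1' | grep -vc -- '--state' || true
}

# Load a set into the kernel (needs root). Only runs when asked explicitly,
# so sourcing or testing this file touches no firewall.
case "${1:-}" in
    apply-original) ruleset_original | iptables-restore ;;
    apply-stateful) ruleset_stateful | iptables-restore ;;
    compare)
        echo "eth1 rules without a state match, original: $(eth1_rules_without_state_match ruleset_original)"
        echo "eth1 rules without a state match, stateful: $(eth1_rules_without_state_match ruleset_stateful)"
        ;;
esac
```

After loading the stateful set, `iptables -vnL FORWARD` shows a packet counter on the INVALID rule; if it climbs while the client talks to the server through the router, conntrack is classifying some of those packets as INVALID, which is exactly what the original eth1 rule would have let through. On current kernels `-m state` is an alias for `-m conntrack --ctstate` with the same state names.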