Hello.
I must be doing something stupid, but cannot get the connection tracking to work correctly. This is what I've done.

1) Compile the 2.4.16 kernel with the nf-0.0.3 patch. I can check with "uname -a" that I'm using it.

2) Group (four) network cards into a bridge, bring those cards up, and assign an IP to the bridge.

3) Load the module ip_conntrack_ftp. Modules ip_state, ip_conntrack, iptable_filter, and ip_tables have been loaded automatically.

4) "iptables -v -L FORWARD" shows:

    Chain FORWARD (policy DROP 19686 packets, 1628K bytes)
     pkts bytes target     prot opt in     out     source       destination
     4862  256K ACCEPT     all  --  eth2   eth0    anywhere     anywhere
     6227 3214K ACCEPT     all  --  eth0   eth2    anywhere     anywhere     state ESTABLISHED

eth0 is connected to the outside world and eth2 connects to a switching hub. So I allow all outgoing packets and drop most incoming packets.

With this setup, I can do anything from a computer attached to eth2. I can use ping, telnet, ftp, and lynx from the inside computer. But from what I understand of iptables/conntrack, I should not be able to use anything. "ESTABLISHED" matches packets that use a connection "which has seen packets in both directions". When I telnet from "myhost" to "outside", "myhost" first sends a SYN packet. The acknowledgement packet coming from "outside" does not match any "ESTABLISHED" connection, so it should be dropped following the "policy". So we should not be able to make any connections from "myhost".

Without the "state" module, the FORWARD chain works perfectly. I can see it act as expected, letting through what I tell it to and blocking everything else.

As I see nobody complaining of this problem, I must be plain wrong. Any help would be appreciated.

Thanks.

Jin Hong

_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge

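A small model of the exchange described in the post, added here as an example and not part of the original message. It approximates the ip_conntrack state match as the netfilter documentation describes it: the first packet of a flow is NEW, and every later packet of a tracked flow, including the very first reply (the SYN-ACK), is classified ESTABLISHED; a flow is only committed once its first packet is accepted. The addresses and ports are constructed, and the classifier is a simplification of the kernel's logic.

```python
# Toy model of the FORWARD chain quoted above (added example, not from the post).
# The netfilter "state" match classifies packets before the filter rules run:
# the first packet of a new flow is NEW; the reply to an accepted NEW packet
# (for TCP, the SYN-ACK) and everything after it is ESTABLISHED. Conntrack
# entries are only confirmed once the first packet survives filtering.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    in_if: str   # interface the packet arrived on
    out_if: str  # interface it would be forwarded to
    src: str     # "ip:port" (constructed values)
    dst: str     # "ip:port" (constructed values)
    flags: str   # TCP flags, for readability only


class ConntrackModel:
    def __init__(self):
        self.flows = set()  # direction-independent keys of confirmed flows

    def classify(self, pkt):
        key = frozenset([pkt.src, pkt.dst])  # same key for both directions
        return ("ESTABLISHED" if key in self.flows else "NEW"), key

    def confirm(self, key):
        self.flows.add(key)  # entry confirmed only after the packet is accepted


def forward_chain(pkt, state):
    """The two rules from the post; chain policy is DROP."""
    if pkt.in_if == "eth2" and pkt.out_if == "eth0":
        return "ACCEPT"  # anything from the inside going out
    if pkt.in_if == "eth0" and pkt.out_if == "eth2" and state == "ESTABLISHED":
        return "ACCEPT"  # only replies to already tracked flows
    return "DROP"


def run_exchange(packets):
    """Return (flags, state, verdict) for each packet, in order."""
    ct, results = ConntrackModel(), []
    for pkt in packets:
        state, key = ct.classify(pkt)
        verdict = forward_chain(pkt, state)
        if verdict == "ACCEPT":
            ct.confirm(key)
        results.append((pkt.flags, state, verdict))
    return results


INSIDE, OUTSIDE = "192.168.1.10:1025", "10.0.0.5:23"  # constructed endpoints
TELNET_EXCHANGE = [
    Packet("eth2", "eth0", INSIDE, OUTSIDE, "SYN"),      # myhost -> outside
    Packet("eth0", "eth2", OUTSIDE, INSIDE, "SYN-ACK"),  # reply, not NEW
    Packet("eth2", "eth0", INSIDE, OUTSIDE, "ACK"),
]
UNSOLICITED_SYN = [Packet("eth0", "eth2", "10.0.0.9:4444", "192.168.1.10:23", "SYN")]
```

Running `run_exchange(TELNET_EXCHANGE)` shows the SYN-ACK from "outside" classified as ESTABLISHED and accepted, which is why telnet works; `run_exchange(UNSOLICITED_SYN)` shows an inbound SYN classified as NEW and dropped by the policy.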