Guillaume Morin wrote:
> In a message of 07 Jun at 11:31, Emmanuel Fleury wrote:
> 
>>>iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>iptables -A FORWARD -i eth0 -j ACCEPT
>>>iptables -A FORWARD -j DROP
>>
>>Does that mean that you DROP all the ACKs, even those which are valid
> 
> Of course not, the ACK packets are matched by --state ESTABLISHED since
> they do correspond to an established connection. When ACK packets are
> matched as NEW, that means that they do NOT correspond to an established
> connection in the conntrack.

Ok !!! I see the light now. :-)

Does this mean that you are mapping the packets to a state (NEW,
ESTABLISHED, RELATED, INVALID) only based on information in their
header and a query to the connection table? And that you do not
care about the previous state of the connection?

At least, it doesn't seem to be necessary to take care of the previous
state of the connection in this case.

Moreover, is it possible to create an entry in the connection table
just by sending an ACK ??? (somebody wrote this at some point).


Finally, I tried to think about this 'connection pick-up' thing and
I really don't understand how you can restore a connection after
the reboot. What is the algorithm which is used for this?
(My problem is that in the case of a NAT, you can receive an ACK packet
on your FORWARD chain coming from outside and you have to translate
it to your inner network. But you lost all the information about it.)

-- 
Emmanuel

And I'm right. I'm always right, but in this case
I'm just a bit more right than I usually am.
   -- Linus Torvalds


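A toy model of the state matching Guillaume describes, added here as an example and not code from the thread or from netfilter itself: the state of each packet is derived only from its header plus a lookup in a connection table, and the three FORWARD rules quoted above are then evaluated first-match-wins. It assumes eth0 is the inner interface and eth1 the outer one, uses constructed sample addresses, and simplifies conntrack by treating any packet without a table entry (a bare ACK included) as NEW.

```python
from collections import namedtuple
# in_iface: arrival interface; flags: TCP flags such as "S", "SA", "A"
Packet = namedtuple("Packet", "in_iface src sport dst dport flags")

# The three FORWARD rules from the thread; first match wins.
RULES = [
    (lambda pkt, state: state in ("ESTABLISHED", "RELATED"), "ACCEPT"),
    (lambda pkt, state: pkt.in_iface == "eth0", "ACCEPT"),
    (lambda pkt, state: True, "DROP"),
]

def conn_key(pkt):
    # A connection is its endpoint pair, regardless of direction
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

class Firewall:
    def __init__(self):
        self.conntrack = set()  # toy connection table, empty after "reboot"

    def classify(self, pkt):
        # State comes only from the header plus a table lookup; nothing
        # else remembers a "previous state" of the connection.
        if conn_key(pkt) in self.conntrack:
            return "ESTABLISHED"
        # Assumption: any packet with no entry, even a bare ACK, is NEW
        # (mirrors conntrack's loose mid-stream pickup, simplified here)
        return "NEW"

    def forward(self, pkt):
        state = self.classify(pkt)
        target = next(t for match, t in RULES if match(pkt, state))
        if target == "ACCEPT" and state == "NEW":
            # the entry is committed only once the NEW packet is accepted
            self.conntrack.add(conn_key(pkt))
        return state, target

def demo():
    fw = Firewall()
    inner, outer = "10.0.0.5", "198.51.100.7"  # constructed sample hosts
    out = []
    # 1. SYN from the inner host: no entry -> NEW, accepted by the eth0 rule
    out.append(fw.forward(Packet("eth0", inner, 40000, outer, 80, "S")))
    # 2. SYN/ACK reply from outside: entry exists -> ESTABLISHED, accepted
    out.append(fw.forward(Packet("eth1", outer, 80, inner, 40000, "SA")))
    # 3. Unsolicited ACK from outside: no entry -> NEW, falls through to DROP
    out.append(fw.forward(Packet("eth1", outer, 80, inner, 40001, "A")))
    # 4. After a reboot the table is empty: the real connection's reply is NEW too
    out.append(Firewall().forward(Packet("eth1", outer, 80, inner, 40000, "A")))
    return out
```

Case 4 is the situation the reboot question is about: with the table lost, an in-flight ACK from outside is indistinguishable from an unsolicited one and the last rule drops it.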