[ale] iptables caching?

David Tomaschik david at tuxteam.com
Thu Dec 4 13:25:24 EST 2008


Robert L. Harris wrote:
>   My "restart" function of the script does a flush before it reloads
> all the rules.
>
>
> JK wrote:
> > Robert L. Harris wrote:
> >>
> >> I have the following rules in my iptables script:
> >>
> >> $IPTABLES -A Allow --proto tcp --destination-port 25 -j ACCEPT
> >> $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --dport 25 -j DNAT --to 10.1.1.34:25
> >>
> >> $IPTABLES -A Allow --proto tcp --destination-port 80 -j ACCEPT
> >> $IPTABLES -A PREROUTING -t nat -p tcp -i $IFACE --dport 80 -j DNAT --to 10.1.1.32:80
> >>
> >> I had a typo originally that sent dport 80 to 10.1.1.32:25 which
> >> I fixed.  I have verified there are no other rules for port 80
> >> but it is still sending anything that hits port 80 to
> >> 10.1.1.32:25.  The first 2 rules are working fine though.
> >>
> >> Any ideas?
>
> > The "-A" means "*A*ppend this rule to the end of the chain", where
> > it will be looked at *last*.  So unless you flush (iptables -F
> > <chain>) and then re-establish all the rules in the chain, the old
> > rule will take precedence.  If you want to put a rule at the
> > *front* of the chain, use "-I", not "-A".
>
> > -- JK
>
>
If I had to guess, the issue lies in the Connection tracking in the
kernel, not iptables itself.  I'm not sure how to clear this without a
restart.

David
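Added here as an illustration of the two points raised in the thread (JK's note that "-A" appends behind the stale rule, and David's guess that connection tracking keeps the old mapping alive); this is example code, not from any of the posts. It assumes `iptables -t nat -S PREROUTING` listing format, interface eth0 and the `conntrack` tool from conntrack-tools.

```shell
#!/bin/sh
# Added example (not code from the list posts): flag a DNAT rule that an
# earlier rule on the same --dport shadows, and reload in an order that
# leaves neither a stale rule nor a stale conntrack mapping behind.
# Assumes `iptables -t nat -S PREROUTING` output, eth0, conntrack-tools.

# Constructed listing: the mistyped port-80 rule was "fixed" with -A, so
# the old rule still comes first in the chain and keeps matching.
SAMPLE_RULES='-P PREROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.1.1.34:25
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.1.32:25
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.1.32:80'

# Print "dport <port> first=<target> shadowed=<target>" for every DNAT rule
# whose --dport already appeared in an earlier DNAT rule of the listing.
shadowed_dnat() {
  printf '%s\n' "$1" | awk '
    /-j DNAT/ {
      port = ""; target = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "--dport") port = $(i + 1)
        if ($i == "--to-destination") target = $(i + 1)
      }
      if (port == "") next
      if (port in first) {
        printf "dport %s first=%s shadowed=%s\n", port, first[port], target
      } else {
        first[port] = target
      }
    }'
}

IPTABLES="${IPTABLES:-iptables}"    # set to "echo iptables" for a dry run
CONNTRACK="${CONNTRACK:-conntrack}"
IFACE="${IFACE:-eth0}"

# Flush the chain (only safe when this script owns all of PREROUTING),
# re-add the rules in the intended order, then drop the conntrack table so
# connections already mapped to the old target stop following it.
reload_dnat() {
  $IPTABLES -t nat -F PREROUTING
  $IPTABLES -t nat -A PREROUTING -i "$IFACE" -p tcp --dport 25 -j DNAT --to-destination 10.1.1.34:25
  $IPTABLES -t nat -A PREROUTING -i "$IFACE" -p tcp --dport 80 -j DNAT --to-destination 10.1.1.32:80
  $CONNTRACK -F
}

shadowed_dnat "$SAMPLE_RULES"   # reports the shadowed port-80 rule above
```

Run `reload_dnat` as root after reviewing `shadowed_dnat "$(iptables -t nat -S PREROUTING)"`; with `IPTABLES='echo iptables' CONNTRACK='echo conntrack'` it only prints the commands it would run.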

