similar to: [Bug 318] masq fails on existing connection using marks and iproute2 source routing

Displaying 20 results from an estimated 10000 matches similar to: "[Bug 318] masq fails on existing connection using marks and iproute2 source routing"

2006 Jul 01
5
[Bug 318] masq fails on existing connection using marks and iproute2 source routing
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=318 ------- Additional Comments From netfilter@linuxace.com 2006-07-01 22:40 MET ------- Brian - have you been able to test this on a more recent kernel? -- Configure bugmail: https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug, or are
2007 Mar 15
5
[Bug 554] Packet illegaly bypassing SNAT
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=554 ------- Additional Comments From kaber@trash.net 2007-03-15 02:53 MET ------- Most likely these packets are considered invalid by connection tracking and therefore not handled by NAT. Try this: iptables -t mangle -A POSTROUTING -m state --state INVALID -j DROP
2006 Jan 25
8
[Bug 400] connection tracking does not work on VLANs if underlying interface is a bridge
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=400 ------- Additional Comments From kaber@trash.net 2006-01-25 12:55 MET ------- Please add a LOG rule to PRE_ROUTING in the mangle table and post the output. BTW, are you using hardware checksumming (check with ethtool) on the underlying ethernet device?
2006 Feb 08
15
[Bug 443] 2.6 kernel failing in NAT with significant outbound traffic
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=443 ------- Additional Comments From nothingel@hotmail.com 2006-02-08 05:35 MET ------- I also, the situation described in bug ID 322 seemed related and I tried the patch from Phil Oester but it did not make a difference.
2007 Mar 04
13
[Bug 552] Strange DNAT behaviour... packet don't pass to PREROUTING and go directly in INPUT !!
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=552 ------- Additional Comments From cbettero@ciditech.it 2007-03-04 21:48 MET ------- This problem prevents AJAX web sites to be hosted on the internal web server, because many packets will be dropped instead of passing into PREROUTING chain...
2006 Sep 16
1
[Bug 9] locally bound udp port can still be used for MASQ/SNAT
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=9 ------- Additional Comments From kaber@trash.net 2006-09-16 14:45 MET ------- I guess this is obsolete now that we don't exclude locally originating packets from MASQUERADE anymore .. in the end all ports will be unique.
2003 Feb 19
4
[Bug 52] masquerading not working with iproute2
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=52 ------- Additional Comments From stewart@gammasolutions.com 2003-02-19 04:02 ------- Created an attachment (id=3) routing setup ------- Additional Comments From stewart@gammasolutions.com 2003-02-19 04:03 ------- Created an attachment (id=4) iptables script (for iptables-restore) ------- Additional Comments From
2011 Aug 31
9
Centos VPS Kernel 2.6.35.4 & 'string-less' IP tables
On a VPS I wanted to add to IP tables:- iptables -A XXXX -p tcp -m string --algo bm --string 'login' -j DROP I got: iptables: Unknown error 18446744073709551615 uname -a = 2.6.35.4 #2 (don't know how this got installed) lsmod | grep ipt = ipt_LOG 5419 2 yum upgrade iptables* = nothing to install. --------------------------------------- On a standalone server (C 5.6)
2006 Sep 14
5
[Bug 508] ip6tables conntrack marks all incoming packets as INVALID
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=508 ------- Additional Comments From kaber@trash.net 2006-09-14 13:18 MET ------- Did you enable nf_conntrack and the ipv6 connection tracking module?
2007 Mar 23
1
Expected handling of [SYN] when expecting [SYN, ACK]?
Hi, I've been developing a peer-to-peer application, and have recently been trying to add STUNT (http://www.cis.nctu.edu.tw/~gis87577/xDreaming/XSTUNT/Docs/XSTUNT%20Reference.htm) to allow firewall/NAT traversal. I got a box with Shorewall to use for testing, and am now trying to work out whether Shorewall is actually designed to prevent such connections? I notice in the FAQs that
2005 Feb 02
1
Shorewall 2.0.16
This release back-ports the DROPINVALID shorewall.conf option from 2.2.0. 1) Recent 2.6 kernels include code that evaluates TCP packets based on TCP Window analysis. This can cause packets that were previously classified as NEW or ESTABLISHED to be classified as INVALID. The new kernel code can be disabled by including this command in your /etc/shorewall/init file: echo 1
2006 Apr 14
8
[Bug 467] iptables is complaining with bogus unknown error 18446744073709551615
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=467 ------- Additional Comments From mvolaski@aecom.yu.edu 2006-04-14 01:35 MET ------- Examples of rules that give the error are 1) iptables -A INPUT -i bond0 -s 129.98.90.0/24 -p tcp --dport 548 -j ACCEPT 2) iptables -A INPUT -i bond0 -s 129.98.90.101/32 -p tcp --dport 497 -j ACCEPT 3) iptables -A INPUT -i bond0 -s 129.98.90.227/32
2005 Jun 29
5
Dual-ISP Masq
I know this is a FAQ and that it's been discussed much before, I'm just looking for a few key things. I need to setup our gateway so that traffic FROM a range of IPs is sent out, masqueraded, via a new cable connection. I'm running 2.6.9. Am I going to require any of the CONNMARK patches or other patches from http://www.ssi.bg/~ja/#routes? I'm really not sure
2006 May 11
5
[Bug 474] nf_conntrack marks all packets as INVALID on sparc64 (probably endianness bug)
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=474 jan.oravec@6com.sk changed: What |Removed |Added ---------------------------------------------------------------------------- OS/Version|All |Gentoo Platform|All |sparc64 ------- Additional Comments From jan.oravec@6com.sk
2006 Feb 08
30
[Bug 444] REDIRECT not working in kernel 2.6.16-rc[12] as before (<= 2.6.15.x)
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=444 ------- Additional Comments From spiney@spiney.org 2006-02-08 19:18 MET ------- Created an attachment (id=207) --> (https://bugzilla.netfilter.org/bugzilla/attachment.cgi?id=207&action=view) kernel 2.6.15, telnet localhost 10025
2007 Mar 26
0
Re: Expected handling of [SYN] when expecting[SYN, ACK]?
Hi Tom, Many thanks for that, that's really helped. Netfilter is indeed dropping the packets as invalid. Thanks and regards, Frances -----Original Message----- From: Tom Eastep [mailto:teastep@shorewall.net] Sent: 23 March 2007 18:05 To: Shorewall Users Subject: Re: [Shorewall-users] Expected handling of [SYN] when expecting[SYN, ACK]? Frances Flood wrote: > Basically, if the
2006 Jan 25
3
[Bug 408] iptables-set mark match doesn't work on packets marked by libnetfilter_queue
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=408 ------- Additional Comments From kaber@trash.net 2006-01-25 14:58 MET ------- Created an attachment (id=201) --> (https://bugzilla.netfilter.org/bugzilla/attachment.cgi?id=201&action=view) patch Fixed by this patch, thanks for the report.
2004 Oct 31
9
Maquerading through IPSECed wireless dropping packets selectively?
Hello, I'm stuck IPSECing my wireless network at home and would appreciate any comments. I apologize in advance if I'm wasting your time with trivia - I'm not a professional and staring at the problem for days from various angles hasn't done me any good ... My home server/firewall (morannon) is hooked up through a USB to ethernet adapter (eth1) to my DSL
2011 Jun 28
10
[Bug 726] New: Oops in nf_conntrack.
http://bugzilla.netfilter.org/show_bug.cgi?id=726 Summary: Oops in nf_conntrack. Product: netfilter/iptables Version: linux-2.6.x Platform: x86_64 OS/Version: Ubuntu Status: NEW Severity: critical Priority: P5 Component: ip_conntrack AssignedTo: netfilter-buglog at lists.netfilter.org
2009 Apr 07
2
[Bug 590] New: iptables unknown target data
http://bugzilla.netfilter.org/show_bug.cgi?id=590 Summary: iptables unknown target data Product: iptables Version: CVS (please indicate timestamp) Platform: i386 OS/Version: Ubuntu Status: NEW Severity: normal Priority: P1 Component: iptables AssignedTo: laforge at netfilter.org ReportedBy: