author | Gaurav <gaurav.sinha@vyatta.com> | 2012-03-23 18:17:46 -0700 |
---|---|---|
committer | Gaurav <gaurav.sinha@vyatta.com> | 2012-03-23 18:17:46 -0700 |
commit | 6592f891fc49e12561c7b1ee0aea604d9ed5ca2c (patch) | |
tree | 8beb869788e762652c32248778fead308f05522c | |
parent | e18dc013127774e88aeb0aea88ca724af340d46e (diff) | |
download | vyatta-cfg-firewall-6592f891fc49e12561c7b1ee0aea604d9ed5ca2c.tar.gz vyatta-cfg-firewall-6592f891fc49e12561c7b1ee0aea604d9ed5ca2c.zip |
include CT_TIMEOUT chain for conntrack timeouts.
-rw-r--r-- | scripts/firewall/firewall.init.in | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/scripts/firewall/firewall.init.in b/scripts/firewall/firewall.init.in
index 8b35876..8e92225 100644
--- a/scripts/firewall/firewall.init.in
+++ b/scripts/firewall/firewall.init.in
@@ -48,6 +48,11 @@ start () {
 for mod in ${modules[@]} ; do
 modprobe --syslog $mod
 done
+
+ # conection tracking timeout chain
+ iptables -t raw -N CT_TIMEOUT
+ iptables -t raw -A CT_TIMEOUT -j RETURN
+
 # setup vrrp backup transition chain
 # we need to filter traffic to the vrrp mac addresses
 # on the vrrp backup router before we do anything else.
@@ -140,6 +145,8 @@ start () {
 iptables -t nat -A VYATTA_PRE_SNAT_HOOK -j RETURN
 iptables -t nat -A POSTROUTING -j VYATTA_PRE_SNAT_HOOK
+ iptables -t raw -I PREROUTING -j CT_TIMEOUT
+ iptables -t raw -I OUTPUT -j CT_TIMEOUT
 # Loosen the acceptability rules for TCP sequence and ACK numbers in
 # conntrack. This allows TCP connections through NAT to survive certain
 # cases of packet loss where conntrack can not accurately track the
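Review bot: The chain creation in the first hunk, `iptables -t raw -N CT_TIMEOUT`, fails with "Chain already exists" if start() runs while a CT_TIMEOUT chain from a previous run is still in the raw table, and nothing in either hunk flushes or deletes the chain on the stop path; unless the stop/restart path outside this diff already removes it, a guard such as `iptables -t raw -N CT_TIMEOUT 2>/dev/null || iptables -t raw -F CT_TIMEOUT` keeps a restart from leaving stale rules in the chain. In the second hunk `-I PREROUTING` and `-I OUTPUT` put the jump at the head of the raw table, so any timeout policy later added to CT_TIMEOUT is evaluated before every other raw rule, including any NOTRACK exclusions the script may install elsewhere; if that ordering is intended, a comment saying so would help, otherwise `-A` would match how the nat hooks just above are attached. The comment added in the first hunk has a typo, `# conection tracking timeout chain` → `# connection tracking timeout chain`. start() begins and ends outside both hunks.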