On Tue, Sep 18, 2007 at 10:17:50AM +0000, Johan Marcusson wrote:
>
> I'm in a similar situation myself actually, and I agree.
> However, in my setup the ntpd is on the same machine that does NAT so I
> don't think these connections are actually NATed in my setup. But the state of
> the connections still seems to get registered with iptables (conntrack). Does
> anyone know how to disable this just for ntp packets?

The NOTRACK target might be able to do it. From the iptables manpage:

   NOTRACK
       This target disables connection tracking for all packets matching that
       rule. It can only be used in the raw table.

Something like this (completely untested) may work:

iptables -t raw -A PREROUTING -p udp -d your.ip.address --dport 123 -j NOTRACK

Other than that, just increase the connection tracking state table
size... Linux should be able to handle tracking many thousands of
connections unless you're running on a machine with only a few MB of
memory.
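As an added worked example (not part of the original mail, and untested against any particular box), the script below builds on the one-line rule above in two ways a practitioner usually needs: it NOTRACKs the replies ntpd sends in the raw OUTPUT chain as well, since otherwise every reply opens a fresh conntrack entry, and it adds explicit ACCEPT rules because untracked packets never match `-m state --state ESTABLISHED`. It also reads the conntrack count and maximum from /proc and suggests a larger nf_conntrack_max when the table is nearly full. Assumptions: iptables with the raw table and NOTRACK target, the net.netfilter.nf_conntrack_* sysctl names (older ip_conntrack kernels use net.ipv4.netfilter.ip_conntrack_max instead), and 192.0.2.10 as a constructed placeholder for the NTP server's address.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumes iptables with the raw
# table and NOTRACK target, and the nf_conntrack sysctl names; 192.0.2.10 is
# a constructed placeholder address.

NTP_IP="${NTP_IP:-192.0.2.10}"

# Build the rules for an NTP server at $1. Inbound queries are untracked in
# raw/PREROUTING; the replies ntpd sends are untracked in raw/OUTPUT, or each
# reply would create its own conntrack entry. Untracked packets do not match
# "-m state --state ESTABLISHED", so explicit ACCEPTs are needed in the
# filter table as well.
ntp_notrack_rules() {
  ip="$1"
  printf '%s\n' \
    "iptables -t raw -A PREROUTING -p udp -d $ip --dport 123 -j NOTRACK" \
    "iptables -t raw -A OUTPUT -p udp -s $ip --sport 123 -j NOTRACK" \
    "iptables -A INPUT -p udp -d $ip --dport 123 -j ACCEPT" \
    "iptables -A OUTPUT -p udp -s $ip --sport 123 -j ACCEPT"
}

# Apply the rules (needs root). With DRY_RUN=1 the commands are only printed.
apply_ntp_notrack() {
  ntp_notrack_rules "${1:-$NTP_IP}" | while IFS= read -r rule; do
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "$rule"
    else
      sh -c "$rule"
    fi
  done
}

# Conntrack table pressure in percent: count / max. Reads the /proc files
# when called without arguments; explicit numbers allow offline use.
conntrack_usage_pct() {
  count="${1:-$(cat /proc/sys/net/netfilter/nf_conntrack_count)}"
  max="${2:-$(cat /proc/sys/net/netfilter/nf_conntrack_max)}"
  echo $(( count * 100 / max ))
}

# Print a sysctl command doubling nf_conntrack_max when usage is at or above
# 80 percent; return 1 (printing nothing) when the table has headroom.
suggest_conntrack_max() {
  max="${2:-$(cat /proc/sys/net/netfilter/nf_conntrack_max)}"
  pct=$(conntrack_usage_pct "$1" "$max")
  if [ "$pct" -ge 80 ]; then
    echo "sysctl -w net.netfilter.nf_conntrack_max=$(( max * 2 ))"
    return 0
  fi
  return 1
}

# Usage: ./ntp-notrack.sh --dry-run   (prints the rules without applying them)
if [ "${1:-}" = "--dry-run" ]; then
  DRY_RUN=1 apply_ntp_notrack "$NTP_IP"
fi
```

Run it with `--dry-run` first and compare the printed rules with the existing ruleset, in particular any INPUT policy that relies on state matching; the usage check is meant to be called from a cron job or monitoring script so the table size is raised before conntrack starts dropping packets.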

[Wow, excuse is so appropriate. Gotta love it when random works out for
ya]

-- 
BOFH excuse #355:

Boredom in the Kernel.
_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
