[KLUG Members] Flushing iptables conntrack

Dirk H Bartley members@kalamazoolinux.org
05 Feb 2004 14:35:18 -0500


On Thu, 2004-02-05 at 09:37, Adam Williams wrote:
> Is there a way (command) to flush the connection tracking table used by
> iptables?
> 
> I'm talking about "/proc/net/ip_conntrack"
> 
> I could flush the masq tables back in the ipchains days, but (possibly
> I'm an idiot) I can't find an equivalent for iptables.

I'm not sure I am going to answer exactly like you want, but

# Full path to the iptables binary; set elsewhere in the script, with a
# default so this excerpt runs on its own
IPTABLES=${IPTABLES:-/sbin/iptables}

flushfilter()
{
# Flush all of the existing chains on the filter table
${IPTABLES} -F
# Remove all of the user defined chains on the filter table
${IPTABLES} -X
# Zero the packet and byte counters of the built-in filter chains
${IPTABLES} -Z INPUT
${IPTABLES} -Z OUTPUT
${IPTABLES} -Z FORWARD
}


flushnat()
{
# Flush all of the existing chains on the nat table
${IPTABLES} -t nat -F
# Remove all of the user defined chains on the nat table
${IPTABLES} -t nat -X
# Zero the packet and byte counters of the built-in nat chains
${IPTABLES} -t nat -Z PREROUTING
${IPTABLES} -t nat -Z OUTPUT
${IPTABLES} -t nat -Z POSTROUTING
}


flushmangle()
{
# Flush all of the existing chains on the mangle table
${IPTABLES} -t mangle -F
# Remove all of the user defined chains on the mangle table
${IPTABLES} -t mangle -X
# Zero the packet and byte counters of the built-in mangle chains
${IPTABLES} -t mangle -Z PREROUTING
${IPTABLES} -t mangle -Z OUTPUT
}

This is an excerpt from my script, where $IPTABLES is set to the full
path of the iptables binary.  A flushall function that calls each of
these is missing.  It obviously just flushes and then zeros the counters
for all tables.

If your question is that conntrack seems to behave badly, in that an
allowed connection will continue to be allowed, I agree.  rmmod and then
modprobe conntrack in your scripts.

Dirk
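The functions above flush the rule tables but leave the connection
tracking table alone, which is what the question actually asked about.
The script below is an added example, not code from the original post or
from the KLUG list: it summarises /proc/net/ip_conntrack (or the newer
/proc/net/nf_conntrack, which prefixes each line with the address family)
so you can check the table before and after, and flushes it with
conntrack(8) from the later conntrack-tools package when that is
installed, falling back to the rmmod/modprobe approach from the post.
The function and variable names (CONNTRACK_PROC, conntrack_summary,
flush_conntrack, write_sample_table) and the sample table lines are my
own constructions, in the format the kernel uses for that file.

```sh
#!/bin/sh
# Added example: inspect and flush the iptables connection tracking table.
# Names and sample data below are constructed for the example.

# Where the kernel exposes the table: ip_conntrack on 2.4/2.6-era kernels,
# nf_conntrack on newer ones. Override with CONNTRACK_PROC=... if needed.
CONNTRACK_PROC=${CONNTRACK_PROC:-/proc/net/ip_conntrack}

# Print "proto state count" lines for a conntrack proc table. Only TCP
# entries carry a state column; UDP/ICMP entries get "-" as the state.
# Pass a file to read something other than $CONNTRACK_PROC.
conntrack_summary() {
    awk '
        {
            # nf_conntrack prepends the L3 family and its number, e.g. "ipv4 2"
            off = ($1 == "ipv4" || $1 == "ipv6") ? 2 : 0
            proto = $(1 + off)
            if (proto == "tcp") key = "tcp " $(4 + off); else key = proto " -"
            n[key]++
        }
        END { for (k in n) print k, n[k] }
    ' "${1:-$CONNTRACK_PROC}" | sort
}

# Flush the live table. Needs root and changes kernel state, so it is not
# called at the top level of this file. conntrack -F drops every entry
# without unloading anything; the rmmod fallback only works while nothing
# else holds the module (NAT rules, -m state/-m conntrack matches), so run
# the rule-table flushes from the post first.
flush_conntrack() {
    if command -v conntrack >/dev/null 2>&1; then
        conntrack -F
    elif [ -e /proc/net/nf_conntrack ]; then
        rmmod nf_conntrack && modprobe nf_conntrack
    else
        rmmod ip_conntrack && modprobe ip_conntrack
    fi
}

# Constructed sample table in ip_conntrack format, written to $1.
# Pass "nf" as $2 to get the nf_conntrack layout instead.
write_sample_table() {
    prefix=""
    if [ "${2:-}" = "nf" ]; then
        prefix="ipv4     2 "
    fi
    sed "s/^/$prefix/" <<'EOF' > "$1"
tcp      6 431999 ESTABLISHED src=10.0.0.2 dst=10.0.0.1 sport=40001 dport=80 src=10.0.0.1 dst=10.0.0.2 sport=80 dport=40001 [ASSURED] use=1
tcp      6 431850 ESTABLISHED src=10.0.0.3 dst=10.0.0.1 sport=40002 dport=22 src=10.0.0.1 dst=10.0.0.3 sport=22 dport=40002 [ASSURED] use=1
tcp      6 110 TIME_WAIT src=10.0.0.2 dst=10.0.0.1 sport=40003 dport=80 src=10.0.0.1 dst=10.0.0.2 sport=80 dport=40003 [ASSURED] use=1
udp      17 29 src=10.0.0.2 dst=10.0.0.53 sport=5353 dport=53 src=10.0.0.53 dst=10.0.0.2 sport=53 dport=5353 use=1
EOF
}

# Typical use on a live box (as root):
#   conntrack_summary; flush_conntrack; conntrack_summary
```

On a real system run conntrack_summary with no argument to read the
kernel's table directly; the counts should collapse to nothing (or to
whatever reconnects immediately) right after flush_conntrack. If the
rmmod fallback reports the module as in use, that is the reason the
post's flushfilter/flushnat functions have to run first.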