On Thu, Feb 17, 2022 at 02:01:49PM +0900, Christian Balzer via Exim-users wrote > If found it excruciatingly hard to correlate tcpdump and nf_conntrack
> flows,
These data can be related via timestamps, they may be enabled for
conntrack output:
conntrack -o timestamp,ktimestamp -E ...
Note that timestamping for kernel module should be enabled via option
net.netfilter.nf_conntrack_timestamp (read man conntrack for details).
> but those ICMP6 destination unreachable packets are the result of
> the local iptables rejecting a connection to port 43922 (the originating
> outbound SMTP session from here), something it allowed for the first 2
> seconds just fine.
>
> The:
> ---
> -A INPUT -p icmpv6 -j ACCEPT
> -A INPUT -i bond+ -m state --state ESTABLISHED,RELATED -j ACCEPT
> ---
No rejection rules here. Look for your iptables rules to find sources
of rejection, then insert logging rules to debug.
--
Eugene Berdnikov
