After removing SNAT rule - host from LAN still can change packets with host which before contacted. I need reboot router to clear this "NAT cache". What can i do without rebooting?

echo f > /proc/net/nf_conntrack

thx for tip. Solved like this "conntrack -F"

Looks a nice solution, but I get the following:

[root@Core-Sf:~]# echo "f" > /proc/net/nf_conntrack
-bash: echo: write error: Input/output error

[root@Core-Sf:~]# cat /etc/openwrt_release
DISTRIB_ID="OpenWrt"
DISTRIB_RELEASE="10.03.x Snapshot"
DISTRIB_REVISION="r32561"
DISTRIB_CODENAME="backfire"
DISTRIB_TARGET="ar71xx"
DISTRIB_DESCRIPTION="OpenWrt Backfire r32561"

Any ideas?

Check the exact conntrack file name.
You are using the ancient unsupported Backfire, with an old kernel. If I remember correctly, the file name changed slightly when coming to more modern kernels (in AA12.09 or trunk) and jow's advice was for more current versions than yours.

I think the old name was /proc/net/ip_conntrack, but check /proc/net for the correct file.

(Last edited by hnyman on 25 Feb 2014, 09:06)

Thanks for the remark.

It seems both conntrack files are present in procfs and both are in use.

[root@Core-Sf:~]# cat /proc/net/ip_conntrack | wc -l
87
[root@Core-Sf:~]# cat /proc/net/nf_conntrack | wc -l
87
[root@Core-Sf:~]# echo f > /proc/net/ip_conntrack
-bash: echo: write error: Input/output error

but you still cannot write over them.

Have you tried installing conntrack-tools and then running "conntrack -F"?
That was suggested as the other solution...

Man page: http://conntrack-tools.netfilter.org/conntrack.html

(Last edited by hnyman on 25 Feb 2014, 11:25)

That seems to solve the issue for now.
Thanks for the point.