It seems that the state monitoring ( -m state --state .... ) is valid in various tables and chains. My question is: does it make any difference? Say I need to monitor all the traffic that is started from an application, even if it is using dynamic ports; where do I put the state monitoring, PREROUTING, FORWARD or others? For example, assuming an ftp packet is entering eth1 and gets DNAT-ed to an internal server 192.168.0.99 at PREROUTING and then forwarded at the FORWARD chain, is there any difference with one of these:

    iptables -t nat -I PREROUTING -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED

    iptables -I FORWARD -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED
> is there any difference with one of these :-
>
> iptables -t nat -I PREROUTING -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED
>
> iptables -I FORWARD -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED

I could be wacky, but at this early hour of the morning my foggy brain is noticing a few things.

- Neither of these rules jumps to anything.
- The second rule is not attached to any table, which I don't think is possible...

For the first rule, I believe that rules in the nat table only apply to getting things mangled. Specifying the state in there would mean that only things in that state get mangled (dnat, snat, etc), based on the rules following it. Other packets would just have done with them whatever happens to packets that aren't associated with a session (aren't claimed by NAT, or any listening socket).

The second rule would catch packets that are to be forwarded (for nat, or for normal routing) that meet the specified requirements. What happens once it's caught depends on what you jump to....

Remember, I'm just an amateur, haven't had my coffee yet, (insert other pithy excuse for my being wrong here).
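The FTP/DNAT case from the question, as an added example that is not part of either post: it assumes the external interface eth1 and the internal server 192.168.0.99 from the question, an iptables build with the state match and the FTP connection-tracking helper, and it shows why the state match belongs in filter/FORWARD rather than nat/PREROUTING (the nat table is consulted only for the first packet of each connection, so a --state match there is redundant).

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: external interface eth1,
# internal FTP server 192.168.0.99 (both from the question), iptables with the
# "state" match and the FTP conntrack helper (nf_conntrack_ftp on current
# kernels; ip_conntrack_ftp on the 2.4-era kernels of the original thread).
# The function only emits the commands; set APPLY=1 to run them as root.
EXT_IF=eth1
FTP_SERVER=192.168.0.99

ftp_dnat_rules() {
  cat <<EOF
# FTP helper: lets conntrack mark the data connection as RELATED to the
# port-21 control connection, so dynamic data ports need no explicit rule.
modprobe nf_conntrack_ftp
# nat/PREROUTING sees only the first packet of a connection (state NEW);
# its job is just to choose what gets DNAT-ed, so no --state match here.
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 21 -j DNAT --to-destination $FTP_SERVER
# filter/FORWARD sees every packet of every connection: do state filtering here.
iptables -A FORWARD -i $EXT_IF -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXT_IF -d $FTP_SERVER -p tcp --dport 21 -m state --state NEW -j ACCEPT
# Everything else arriving from outside that is not part of a tracked session.
iptables -A FORWARD -i $EXT_IF -j DROP
EOF
}

if [ "${APPLY:-0}" = 1 ]; then
  ftp_dnat_rules | sh
else
  ftp_dnat_rules
fi
```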
Hello, I have a linux box with 2 internet links where I am dividing the traffic among both links. I have one link for VPN and the other one for internet access in general. The main routing table has its default gateway and it's used for VPN access, and the other routing table is used to deviate all the other traffic. If I set a transparent proxy, all the traffic goes out through the main routing table, but I'd like it to go out through the second default gateway. I've tried to mark packets but it didn't work for the transparent proxy. Any suggestions here? I have in the second routing table routes for the VPN's LAN pointing to the default route of the main routing table and the rest gets out on the second link. Thanks a lot.
You should try marking squid packets (output chain, for example) and then add a rule (ip rule ls).. lartc.org (http://www.lartc.org/lartc.pdf) has plenty of examples.

Tips: when marking packets on iptables, use hex, not decimal, notation. Try patching the kernel if it does not work (http://www.ssi.bg/~ja/) because the default kernel source may not work... and it's probable that squid uses as source address of the ip header the ip on the default route, so you might have to nat that src to the other interface (so packets leave the interface you want and come back on that interface and not the other -if they come..-).

Greets and good speed.

On Wed, 2003-03-05 at 10:27, Alessandro Ren wrote:
>
> Hello,
>
> I have a linux box with 2 internet links where I am dividing the
> traffic among both links. I have one link for VPN and the other one for
> internet access in general.
> The main routing table has its default gateway and it's used for VPN
> access and the other routing table is used to deviate all the other traffic.
> If I set a transparent proxy, all the traffic goes out through the main
> routing table, but I'd like it to go out through the second default gateway.
> I've tried to mark packets but it didn't work for the transparent proxy.
> Any suggestions here?
> I have in the second routing table routes for the VPN's LAN pointing
> to the default route of the main routing table and the rest gets out on the
> second link.
>
> Thanks a lot.