Below:-

----- Original Message -----
From: "Brad Davidson" <kiloman@xxxxxxxxxxx>
To: <lartc@xxxxxxxxxxxxxxx>
Sent: Wednesday, February 26, 2003 12:15 AM
Subject: Re: [LARTC] traffic state monitoring

> > is there any difference with one
> > of these :-
> >
> > iptables -t nat -I PREROUTING -p tcp --dport 21
> > -m state --state NEW,ESTABLISHED,RELATED
> >
> > iptables -I FORWARD -p tcp --dport 21
> > -m state --state NEW,ESTABLISHED,RELATED
>
> I could be wacky, but at this early hour of the morning my foggy brain is
> noticing a few things.
>
> -Neither of these rules jump to anything.

There is no need to jump to anything. The rules are added for traffic analysis. All that I am interested in is the iptables counters for each rule. A rule without a jump can be safely inserted (even on top of the ruleset!) into a chain without disrupting anything, and yet it is able to provide the traffic statistics of interest to me.

> -The second rule is not attached to any table, which I don't think is
> possible...

Aha, no table mentioned means the 'filter' table. That's the standard behavior of iptables.

> For the first rule, I believe that rules in the nat table only apply to
> getting things mangled. Specifying the state in there would mean that only
> things in that state get mangled (dnat, snat, etc), based on the rules
> following it. Other packets would just have done with them whatever
> happens to packets that aren't associated with a session (aren't claimed by
> NAT, or any listening socket).

Aha, I thought I understood 30% of what you say here, but after doing it again and again, I must say I don't know what you are talking about.

> The second rule would catch packets that are to be forwarded (for nat, or
> for normal routing) that meet the specified requirements. What happens
> once it's caught depends on what you jump to....

There is no need to jump to anything, as I mentioned earlier.

But perhaps I would like to rephrase my question now, considering that I am getting a cold response: how do I find out the traffic stats going through an ftp or h323 session (considering that these applications create new connections which might not be using the same port etc.)? Should it be :-

iptables -I FORWARD -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED

or is this already sufficient :-

iptables -I FORWARD -p tcp --dport 21

Actually I am thinking of a new problem now: how do I do traffic control on an ftp session directly? Is 'tc filter' sufficient? Is it able to do connection tracking?
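An added example (not from the thread or from either poster) of the counter-only approach discussed above, applied to FTP: jump-less accounting rules for the control connection, a connmark so the RELATED data connections the FTP conntrack helper spots are counted for their whole lifetime rather than only their first packet, and an awk helper that totals the pkts/bytes columns of `iptables -vnx -L`. The chain name FTP_ACCT, the mark value 0x15 and the sample counter listing are assumptions constructed here; the rules are only printed, not applied.

```shell
#!/bin/sh
# Added example, not part of the original thread.
#  ftp_acct_rules : prints jump-less accounting rules for FTP control and
#                   data connections (chain FTP_ACCT and mark 0x15 are names
#                   chosen here). Nothing is applied unless the output is
#                   piped into a shell by the caller.
#  sum_counters   : totals the pkts/bytes columns of `iptables -vnx -L`
#                   output read from stdin, so statistics come from reading
#                   counters rather than from jumping anywhere.
# RELATED only covers FTP data connections when the FTP conntrack helper is
# loaded (ip_conntrack_ftp on 2.4 kernels, nf_conntrack_ftp on later ones).

ftp_acct_rules() {
    cat <<'EOF'
modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
iptables -N FTP_ACCT
iptables -I FORWARD -j FTP_ACCT
# control connection, both directions: counters only, no target
iptables -A FTP_ACCT -p tcp --dport 21 -m state --state NEW,ESTABLISHED
iptables -A FTP_ACCT -p tcp --sport 21 -m state --state ESTABLISHED
# data connections: only their first packet is RELATED, so tag the whole
# connection on that packet and count every later packet by the mark
iptables -t mangle -A PREROUTING -p tcp -m state --state RELATED -m helper --helper ftp -j CONNMARK --set-mark 0x15
iptables -A FTP_ACCT -p tcp -m connmark --mark 0x15
EOF
}

# Usage: iptables -vnx -L FTP_ACCT | sum_counters   -> "<pkts> <bytes>"
# Only lines whose first two fields are numeric are counters; the "Chain"
# and column-header lines are skipped.
sum_counters() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ { p += $1; b += $2 }
         END { printf "%d %d\n", p, b }'
}

# Constructed sample of `iptables -vnx -L FTP_ACCT` output (target column
# is empty because the rules have no jump) so the parser runs offline.
SAMPLE_COUNTERS='Chain FTP_ACCT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      42       2856            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 state NEW,ESTABLISHED
      40       3120            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:21 state ESTABLISHED
    1500    2250000            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            connmark match 0x15'

# Returns the totals for the constructed sample: "1582 2255976"
sample_totals() { printf '%s\n' "$SAMPLE_COUNTERS" | sum_counters; }
```

To collect real figures, run `ftp_acct_rules | sh` on the router once and then poll `iptables -vnx -L FTP_ACCT | sum_counters` (or `iptables -Z FTP_ACCT` to reset) without touching the rest of the ruleset.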