Re: Layer 7 netfilter not working

Linux Advanced Routing and Traffic Control

Jason Boxman wrote:
> That's not necessary. You might be creating more work for yourself. I just recycled the Debian iptables package, which is still 1.2.9 I believe. You'll need to patch it and create the appropriate dot file for the build to succeed, but after that I just rebuild the package with 'debuild -uc -us' and copied it to my compiler-less router. I'm using 2.6.6, but I'm sure 2.6.7 should work fine.

Ok, it may not be necessary, but it shouldn't be the source of the problem, should it?
Should it work with iptables 1.2.11 all the same, or are there some issues there?



> I believe the documentation mentions that layer7 works best when it can see both 'sides' of the connection. If you're filtering through INPUT or OUTPUT you're missing half. Check the ftp protocol match. Does it rely on seeing both sides of the connection to match up?
>
> Try matching in FORWARD, PREROUTING, or POSTROUTING. I believe these see all sides of the connection.

Doesn't change anything :-( BTW, when I use the setting from the NETFILTER HOWTO page:

iptables -t mangle -A POSTROUTING -m layer7 --l7proto http -j MARK --set-mark 1

and change it (as written in the howto under "blocking") to:

iptables -t mangle -A POSTROUTING -m layer7 --l7proto http -j REJECT

I get an "iptables: Invalid Argument" when executing the script; how come? (I must admit that I am not that much of an iptables expert, so excuse some lack of knowledge of all the chains and structures ;) )

-FB
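Added example, not from the thread above: the REJECT target is only accepted in the filter table's INPUT, FORWARD and OUTPUT chains, so the kernel refuses it in mangle POSTROUTING with EINVAL, which iptables reports as "Invalid argument". The script below keeps the layer7 classification in mangle FORWARD (where both directions of a forwarded flow are seen) and does the REJECT in filter FORWARD on the mark. It assumes a layer7-patched kernel and iptables; IPT defaults to echo so it dry-runs without root, and IPT=iptables applies the rules.

```shell
#!/bin/sh
# Block a layer7-classified protocol on a forwarding box.
# Assumptions: layer7 match available, traffic passes through FORWARD.
# IPT=echo (default) prints the rules instead of loading them.
IPT="${IPT:-echo}"
L7PROTO="${L7PROTO:-http}"
MARK="${MARK:-1}"

l7_block_rules() {
    # Classification belongs in mangle/FORWARD: this hook sees the
    # packets of both directions, which the layer7 pattern needs.
    # Once l7-filter has classified a connection it remembers the
    # result in conntrack, so later packets of the flow match as well.
    "$IPT" -t mangle -A FORWARD -m layer7 --l7proto "$L7PROTO" \
        -j MARK --set-mark "$MARK"
    # The verdict goes in the filter table: REJECT is valid only in
    # filter INPUT/FORWARD/OUTPUT (and chains called from them), never
    # in mangle POSTROUTING, hence "iptables: Invalid argument" there.
    "$IPT" -t filter -A FORWARD -m mark --mark "$MARK" -j REJECT
}

# Print (or load) the rule set.
l7_block_rules
```

Run with `IPT=echo sh script.sh` first to review the generated rules, then with `IPT=iptables` as root to load them.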
_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
