Try this:

iptables -t mangle -N local
iptables -t mangle -A INPUT -i $INET_IFACE -j local
iptables -t mangle -A OUTPUT -o $INET_IFACE -j local
iptables -t mangle -A local -p tcp -m layer7 --l7proto http -j DROP

I only think it may work. I say this because local packets are passing INPUT and OUTPUT, while routed packets will always pass POSTROUTING (and l7-filter needs to make a match both ways: incoming and outgoing packets).

On Sat, 22 Jan 2005 21:58:52 +0100, FB <register@xxxxxxxxx> wrote:
> Hi there,
>
> I have a little problem. I had this some months ago but didn't solve it
> back then. I have patched my kernel with Layer 7 support and patched my
> iptables to support it, too.
> Now I inserted this line in my firewall script on my router for testing
> purposes:
>
> $IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -p tcp -m layer7
> --l7proto http -j DROP
>
> It works, BUT only if the connection is established by a PC BEHIND the
> router (the connection is blocked). If I try to establish an HTTP
> connection from the router itself it works completely (layer 7 is NOT
> working, the connection is working, that's what I wanted to say *g*).
> Now I changed the line above to this:
>
> $IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -p tcp --dport 80 -j
> DROP
>
> and see, it works in BOTH cases. But that's no solution as I need Layer 7
> also for router connections. I also tried ftp as the layer7 protocol, same
> thing.
>
> Does anyone have an idea why this is happening?
>
> Thanks in advance.
>
> -FB
> _______________________________________________
> LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>

--
Bla bla
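One way to lay out the rule set so that the layer7 match sees both directions of every connection, whether the router itself originates it (INPUT/OUTPUT) or a host behind the router does (FORWARD), as an added example that is not part of either message above. It assumes a kernel and iptables both carrying the l7-filter patch (so `-m layer7 --l7proto` exists), an interface name and protocol name passed as arguments, and an IPTABLES variable that defaults to `echo` so the generated rules can be reviewed before they are applied; the chain name l7_block_<proto> is an invented convention.

```shell
#!/bin/sh
# Added example, not code from the LARTC thread. Assumes the l7-filter
# kernel and iptables patches are installed. IPTABLES defaults to "echo"
# so the rules are only printed; set IPTABLES=/sbin/iptables to apply them.
IPTABLES="${IPTABLES:-echo}"

# Emit the mangle-table rules that drop connections l7-filter classifies
# as protocol $2 (e.g. http or ftp) on interface $1.
# The per-protocol chain is reached from:
#   INPUT and OUTPUT  - both directions of connections the router opens itself
#   FORWARD (in/out)  - both directions of connections routed for LAN hosts
# layer7 classifies per conntrack entry and only collects payload from packets
# that actually traverse a layer7 rule, so every packet of the connection,
# in both directions, must reach the chain for the pattern to match.
l7_block_rules() {
    iface="$1"
    proto="$2"
    chain="l7_block_$proto"

    $IPTABLES -t mangle -N "$chain"
    # Router-originated connections: replies arrive via INPUT, requests leave via OUTPUT.
    $IPTABLES -t mangle -A INPUT   -i "$iface" -p tcp -j "$chain"
    $IPTABLES -t mangle -A OUTPUT  -o "$iface" -p tcp -j "$chain"
    # Routed connections: FORWARD sees both directions, whichever interface the reply enters on.
    $IPTABLES -t mangle -A FORWARD -i "$iface" -p tcp -j "$chain"
    $IPTABLES -t mangle -A FORWARD -o "$iface" -p tcp -j "$chain"
    # The actual classification and drop live in one place.
    $IPTABLES -t mangle -A "$chain" -m layer7 --l7proto "$proto" -j DROP
}

# usage: IPTABLES=/sbin/iptables sh l7block.sh eth0 http
if [ $# -eq 2 ]; then
    l7_block_rules "$1" "$2"
fi
```

Run it first without setting IPTABLES to check the six rules it prints; only then rerun with IPTABLES pointing at the real binary. Hooking INPUT and OUTPUT separately from FORWARD also makes it easy to verify which case fails: `iptables -t mangle -L l7_block_http -v` shows the packet counters per hook.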