Hi,
Thanks for the fast response,
.) Okay, I tried your suggestion for my port 8099 and nothing happened. The TCP/IP information goes from a firewall to my port 8099, and this port is then routed to the original 8080. I do that because I don't want to disturb my port 8080. But it seems the ingress filter doesn't work on it!!
iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             iacapp3.local       tcp dpt:8099 to:192.168.0.10:8080

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
.) I then tried it for port 8080 and something happened, but no packets were dropped:

#tcpdump port 8080
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:07:21.522898 IP 158.226.150.44.musiconline > iacapp3.local.http-alt: S 3628241160:3628241160(0) win 64240 <mss 1460,nop,nop,sackOK>
15:07:24.440701 IP 158.226.150.44.musiconline > iacapp3.local.http-alt: S 3628241160:3628241160(0) win 64240 <mss 1460,nop,nop,sackOK>
15:07:30.456696 IP 158.226.150.44.musiconline > iacapp3.local.http-alt: S 3628241160:3628241160(0) win 64240 <mss 1460,nop,nop,sackOK>

3 packets captured
3 packets received by filter
0 packets dropped by kernel
tcpdump will see packets before the policer - so they could still be dropped. Just to confuse matters though, depending on kernel options the ingress policer may see packets before or after prerouting.
Use tc -s qdisc ls dev eth0 to see drops.
Andy.
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
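Added example, not part of the original thread: since tcpdump captures before the policer, one way to confirm drops is to compare the ingress qdisc's "dropped" counter in two `tc -s qdisc ls dev eth0` snapshots taken before and after a test connection. The function names and both sample snapshots are constructed for illustration.

```shell
#!/bin/sh
# Print "<kind> <handle> <dropped>" for each qdisc in `tc -s qdisc ls` output on stdin.
qdisc_drops() {
    awk '
        $1 == "qdisc" { kind = $2; handle = $3; next }
        # Stats line: " Sent N bytes M pkt (dropped D, overlimits O requeues R)"
        $1 == "Sent" && kind != "" {
            for (i = 1; i < NF; i++)
                if ($i == "(dropped") { d = $(i + 1); sub(/,/, "", d); print kind, handle, d }
            kind = ""
        }'
}

# Dropped count of the ingress qdisc only (prints nothing if none is attached).
ingress_drops() {
    qdisc_drops | awk '$1 == "ingress" { print $3 }'
}

# Drops added between two captured outputs: $1 = before, $2 = after.
ingress_drop_delta() {
    before=$(printf '%s\n' "$1" | ingress_drops)
    after=$(printf '%s\n' "$2" | ingress_drops)
    [ -n "$before" ] && [ -n "$after" ] || { echo "no ingress qdisc found" >&2; return 1; }
    echo $((after - before))
}

# Constructed sample output (not from the thread): before and after three SYN retries.
sample_before() {
    cat <<'EOF'
qdisc pfifo_fast 0: root bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 52340 bytes 410 pkt (dropped 0, overlimits 0 requeues 0)
qdisc ingress ffff: parent ffff:fff1 ----------------
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
EOF
}
sample_after() {
    cat <<'EOF'
qdisc pfifo_fast 0: root bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 52340 bytes 410 pkt (dropped 0, overlimits 0 requeues 0)
qdisc ingress ffff: parent ffff:fff1 ----------------
 Sent 180 bytes 3 pkt (dropped 3, overlimits 0 requeues 0)
EOF
}

# Live use: snap=$(tc -s qdisc ls dev eth0), repeat after the test, then compare.
ingress_drop_delta "$(sample_before)" "$(sample_after)"
```

A delta of zero while tcpdump still shows the SYNs arriving means the policer never matched them, which is the symptom described for port 8099 behind the DNAT rule.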