hi there friends!

My objective is to be able to activate or deactivate transparent proxy for some clients while leaving other clients wide open to the net. http://tldp.org/HOWTO/TransparentProxy-5.html tells me how to send the complete network to squid, but I would like to only set a port range 10.0.0.1-10.0.0.100 to squid and leave port range 10.0.0.101-10.0.0.254 wide open. So I tried this for most flexibility:

    # LAN_INTERFACE1 must be set earlier in the script (e.g. to the LAN-side
    # interface name); if it is empty, "-i" swallows the next argument.
    # Note: as written, "10.0..250" has an empty octet and is not a valid
    # IPv4 address, so iptables cannot match anything for that entry.
    myIPS="10.0..250 192.168.17.248 10.0.0.76"
    for eachip in $myIPS
    do
        # redirect client HTTP (tcp/80) arriving on the LAN interface to squid
        iptables -t nat -A PREROUTING -i "$LAN_INTERFACE1" \
            -s "$eachip" -p tcp \
            --dport 80 -j REDIRECT --to-port 3128
    done

I get no error message running my script, but I don't see any extra proxy activity on the clients either while browsing the web with them. May I please get some help? thanks!

--- Jan Engelhardt <jengelh@xxxxxxxxxxxxxxx> wrote:

> On Mar 5 2008 08:31, Oleg Petrov wrote:
>
> >I'm working on a kernel module used for network accounting and it's based
> >on the amazing netfilter connection tracking code. But I lack some information
> >in the nf_conn structure. Can you please advise what's the preferable way of
> >getting such information:
> >
> >1) In/out interface indices.
> >More accurately, I'm interested in SNMP interface indices to export
> >accounting information, but I haven't seen any interface stuff in conntrack code.
>
> Conntrack does not deal with interfaces -- that is a routing thing.
> It would be perfectly valid to send an SNMP query out on eth0,
> and receive the reply on eth1, while the re-reply goes out on eth2...
>
> Hence conntrack only deals with <source address, destination address,
> other bits like port numbers or for example ESP SPI indexes> tuples.
> There is a dirty hack, which is skb->iif, but I would not rely on it.
>
> >2) TCP connection flags and IP ToS (Type of Service).
> >
> >If this is not implemented in conntrack, please describe to me the preferable
> >way of adding support for this into netfilter - and I'll do so.
>
> TOS is not part of the unique tuple to identify a connection,
> hence I do not think it should be used as such (though you are free
> to do so, but I tell you, the result may not work).
>
> Or you can -- but again it only makes sense for learning nfct --
> force the same TOS bit on any connection (and if that is not
> the case, drop it.)
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
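For the question at the top (sending only one address range to squid while leaving the rest of the LAN alone), here is an added example that is not from the original post: a POSIX shell generator that emits the nat PREROUTING rules for single hosts and for first-last ranges using iptables' iprange match, and rejects malformed addresses such as "10.0..250" before anything is applied. The interface name "eth1" and squid port 3128 are assumed placeholder inputs.

```shell
#!/bin/sh
# Added example, not from the original post. Emits the nat PREROUTING rules
# that send HTTP (tcp/80) from chosen source addresses or ranges to squid,
# leaving every other client untouched. Ranges use iptables' iprange match
# (-m iprange --src-range first-last). Rules are printed, not applied, so
# they can be reviewed before being piped into a shell on the router.
# Assumed inputs: interface name (e.g. eth1) and squid port (e.g. 3128).

# Return 0 if $1 is a syntactically valid dotted-quad IPv4 address.
# Rejects entries such as "10.0..250" (empty octet) or "10.0.0.300".
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print one REDIRECT rule per entry and fail on the first bad entry.
# Usage: proxy_rules IFACE SQUID_PORT entry...  (a.b.c.d or a.b.c.d-e.f.g.h)
proxy_rules() {
    iface=$1
    port=$2
    shift 2
    for entry in "$@"; do
        case $entry in
            *-*)
                first=${entry%-*}
                last=${entry#*-}
                valid_ipv4 "$first" && valid_ipv4 "$last" ||
                    { echo "bad range: $entry" >&2; return 1; }
                echo "iptables -t nat -A PREROUTING -i $iface -m iprange --src-range $entry -p tcp --dport 80 -j REDIRECT --to-port $port"
                ;;
            *)
                valid_ipv4 "$entry" ||
                    { echo "bad address: $entry" >&2; return 1; }
                echo "iptables -t nat -A PREROUTING -i $iface -s $entry -p tcp --dport 80 -j REDIRECT --to-port $port"
                ;;
        esac
    done
}

# Example: proxy the first hundred addresses plus one host; the rest stay direct.
proxy_rules eth1 3128 10.0.0.1-10.0.0.100 10.0.0.250
```

Once the printed rules are applied, `iptables -t nat -L PREROUTING -v -n` shows a packet counter per rule; a counter that stays at zero while a client in the range browses means the rule never matched (wrong interface, empty variable, malformed address), not that squid is ignoring the traffic.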