On Tue, Jun 17, 2003 at 05:47:50PM -0600, Paul Albert wrote:

> Perhaps my definition of session isn't correct. Is the definition of
> session a connection, i.e. something that I can see in
> /proc/net/ip_conntrack?

Correct.

> I would like to firewall all of the traffic
> that the connection is sending and receiving so that if I were to
> dynamically put a policy in place I would disrupt a streaming
> connection, say.
>
> So if the packets bypass the NAT table, do they definitely go to the
> filter table?

Yes. That's why you (should) filter in the filter table.

> Is there a POM module that will allow me to do DNAT from another table
> than NAT?

You mean the nat table (lower case), right? I'm not aware of any p-o-m
module doing that.

Ramin

> I thought that I saw one listed, but I could not find it.
>
> Regards,
> Paul
>
>
> -----Original Message-----
> From: Ramin Dousti [mailto:ramin@xxxxxxxxxxxxxxxxxxxx]
> Sent: Tuesday, June 17, 2003 5:14 PM
> To: Paul Albert
> Cc: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Re: Seeing all packets
>
>
> Once the NAT rule kicks in for certain session all the subsequent
> packets of that session would bypass the nat rules...
>
> Ramin
>
> On Tue, Jun 17, 2003 at 02:38:55PM -0600, Paul Albert wrote:
>
> > Hi -
> >
> > I'm trying to do some firewalling on every packet that goes through
> > our firewall. We're doing our filtering in the PREROUTING chain (not
> > recommended, I realize), because we must do our firewalling to
> > determine whether we need to NAT a request. There are times when the
> > NAT PREROUTING chain is bypassed, and I'm not exactly sure why. The
> > docs say that "it will be bypassed in certain cases," however I cannot
> > determine what these cases are.
> >
> > Why are the packets getting sent past the NAT PREROUTING chain? Is
> > there a way to send all of the data through this chain?
> >
> > Regards,
> > Paul
> >
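The thread's point is that a "session" is a conntrack entry, and once the nat table has decided a mapping for that entry, later packets of the same session never consult the nat rules again, which is why per-packet policy belongs in the filter table. As an added illustration (not code from the thread or from netfilter), here is a small parser for the 2.4-era /proc/net/ip_conntrack line format that reads each entry's original and reply tuples and reports which sessions already carry a DNAT or SNAT mapping; the sample entries are constructed, and the tuple layout (original direction first, reply direction second) is the assumption it relies on.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample entries (not a real capture) in the classic
# /proc/net/ip_conntrack layout: original tuple, then reply tuple.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=198.51.100.7 sport=40001 dport=80 src=192.168.1.20 dst=10.0.0.5 sport=80 dport=40001 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=10.0.0.9 dst=10.0.0.1 sport=40002 dport=22 src=10.0.0.1 dst=10.0.0.9 sport=22 dport=40002 [ASSURED] use=1
udp      17 29 src=192.168.1.44 dst=203.0.113.53 sport=5353 dport=53 src=203.0.113.53 dst=198.51.100.7 sport=53 dport=5353 use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
Tuple4 = Tuple[str, str, int, int]  # (src, dst, sport, dport)


@dataclass
class Session:
    proto: str
    orig: Tuple4   # packet as the initiator sent it
    reply: Tuple4  # packet as the reply arrives at the firewall

    @property
    def dnat(self) -> bool:
        # DNAT rewrote the destination, so the reply comes from a different
        # host/port than the initiator addressed.
        return self.orig[1] != self.reply[0] or self.orig[3] != self.reply[2]

    @property
    def snat(self) -> bool:
        # SNAT rewrote the source, so the reply is addressed to the
        # translated address rather than the initiator's own.
        return self.orig[0] != self.reply[1] or self.orig[2] != self.reply[3]


def parse_conntrack(text: str) -> List[Session]:
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tuples = TUPLE_RE.findall(line)
        if len(tuples) != 2:
            continue  # malformed or unexpected entry; skip rather than guess
        orig, reply = [(s, d, int(sp), int(dp)) for s, d, sp, dp in tuples]
        sessions.append(Session(line.split()[0], orig, reply))
    return sessions


def natted_sessions(text: str) -> List[Session]:
    # Sessions whose mapping is already fixed in conntrack; their further
    # packets will not traverse the nat table again.
    return [s for s in parse_conntrack(text) if s.dnat or s.snat]
```

Running `natted_sessions(SAMPLE)` on the constructed input returns the first (DNAT) and third (SNAT) entries; the SSH session in the middle has no translation.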