Hi there...

Just an idea, I didn't try it out yet.
I think u can use the -j POOL target to add the IP address to a pool when u see the ICMP packet. Then u can use -m pool to accept connections based on whether the IP is in this pool or not.

Greets
Sebastian.

> -----Original Message-----
> From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
> [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Ramin Dousti
> Sent: Tuesday, July 29, 2003 4:01 PM
> To: George
> Cc: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Re: set RELATED?
>
>
> On Fri, Jul 25, 2003 at 08:21:21PM -0600, George wrote:
>
> > Is there currently a way for iptables to force another packet stream
> > conntrack entry to be RELATED without having to look inside of the
> > packet data?
> >
> > For example: If a 10.0.0.2 client behind an iptables firewall were to
> > send an ICMP echo to 10.20.30.1, could a rule be set up so that after
> > the firewall sees this packet, all udp packets sent to dport=45678
> > would be DNATed to 10.0.0.2?
> >
> > The designated RELATED stream would in general then be just like any
> > other conntrack entry.
> >
> > My guess is that this would require a generic force-related module.
>
> Let me see if I understood you well. You want something like this:
>
> if (the firewall sees this traffic) then
>     apply that rule
> fi
>
> I don't think we have something like this but I think this is
> very helpful. Especially if the IF-test could pass some
> parameters to the THEN-body. You might want to take this to
> the devel mailing list.
>
> Ramin
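
A sketch of the trigger idea discussed in this thread, as an added example that is not part of any of the messages: it swaps in the `recent` match for the POOL target and pool match mentioned above. The function name `gen_trigger_rules`, the list name `icmp_trig`, the 60-second window and the restriction to the pinged peer are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Prints an iptables-restore ruleset in
# which an ICMP echo from the client arms a time-limited DNAT for one UDP port.
# Assumptions: the 'recent' match stands in for POOL/pool; gen_trigger_rules,
# the list name icmp_trig and the default 60 s window are hypothetical.

gen_trigger_rules() {
    client=$1; peer=$2; port=$3; ttl=${4:-60}

    # Refuse anything that is not a plain decimal port or lifetime.
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    case $ttl  in ''|*[!0-9]*) echo "bad ttl: $ttl"   >&2; return 1 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    # Addresses: dotted-quad characters only, so nothing else reaches a rule.
    for a in "$client" "$peer"; do
        case $a in ''|*[!0-9.]*) echo "bad address: $a" >&2; return 1 ;; esac
    done

    gate="-m recent --name icmp_trig --rcheck --seconds $ttl --rsource"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
# Only a peer the client pinged within the window gets redirected.
-A PREROUTING -p udp --dport $port $gate -j DNAT --to-destination $client
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# The trigger: remember the echo's destination address (--rdest).
-A FORWARD -s $client -d $peer -p icmp --icmp-type echo-request -m recent --name icmp_trig --set --rdest -j ACCEPT
# Same gate again so the DNATed flow is the only new UDP let through.
-A FORWARD -d $client -p udp --dport $port -m state --state NEW $gate -j ACCEPT
COMMIT
EOF
}

# The addresses and port from George's question.
gen_trigger_rules 10.0.0.2 10.20.30.1 45678
```

The output is meant to be reviewed and then loaded with `iptables-restore`; entries in the `icmp_trig` list expire from the gate after the chosen window, so the DNAT closes again unless the client sends another echo.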