On Tuesday 18 November 2003 2:43 pm, Damjan wrote:
> My goal is to set-up an iptables rule that will match and DNAT the
> first HTTP(port 80) connection from a client (IP address).
>
> The first connection is defined as the first established TCP session
> from the time the iptables rule is inserted. No other TCP connection
> should match nor should be DNAT-ed.
>
> Is there any easy way to do this with current Netfilter/Iptables/pom.

I can't think of a way to do this with netfilter on its own.

A slightly convoluted, although probably effective, way to do it might be to add one rule to LOG the packet you're interested in, and another rule just after it to perform the NAT. You then pipe the output of syslog into a script which watches out for the netfilter entry, and then issues a "netfilter -D ....." command to delete the NAT rule.

The only flaw I can see here (aside from the inefficiency) is that there will be a certain time delay between the first packet being seen and logged, and the NAT rule getting deleted by the script, during which time a packet could get through on a second connection. Whether that's important to you, and how long the time period might be, I can't say.

It's an idea, anyway.

Antony.

-- 
Mahatma Gandhi was once asked what he thought of Western Civilisation. He replied, "That would be a very good idea."

Please reply to the list; please don't CC me.
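The following is an added sketch of the LOG-then-DNAT approach from the reply above; it is not code from the thread and was not posted by either participant. It assumes the LOG rule goes in the mangle PREROUTING chain and the DNAT rule in nat PREROUTING, both restricted with --syn so that only the packet that opens a new TCP session is logged (later packets of that session are translated by conntrack without being logged again). The client address, NAT target, log prefix and the syslog lines used in the watcher are constructed values. IPTABLES defaults to a dry-run "echo iptables" so the watcher logic can be exercised without root or a live netfilter; the race the reply points out (packets of a second connection slipping through before the rule is deleted) is inherent to the design and is not closed here.

```shell
#!/bin/sh
# Added example, not from the original thread. Sketch of "LOG the first
# packet, DNAT it, and have a syslog watcher delete the NAT rule".
# IPTABLES="echo iptables" by default, so rule changes are only printed;
# set IPTABLES=iptables to apply them for real. Addresses, ports and the
# log prefix below are assumed/constructed values.

IPTABLES="${IPTABLES:-echo iptables}"
CLIENT="${CLIENT:-192.0.2.10}"          # assumed client whose first connection is redirected
TARGET="${TARGET:-192.0.2.80:8080}"     # assumed DNAT destination
PREFIX="${PREFIX:-FIRSTHTTP }"          # log prefix the watcher keys on

# Match fragment shared by the LOG and DNAT rules: only the SYN of a new
# TCP session to port 80 from CLIENT, so one session produces one log line.
match_args() {
    echo "-p tcp --dport 80 --syn -s $CLIENT"
}

# LOG rule in mangle PREROUTING (assumed placement), DNAT rule in nat PREROUTING.
install_rules() {
    $IPTABLES -t mangle -I PREROUTING 1 $(match_args) -j LOG --log-prefix "$PREFIX"
    $IPTABLES -t nat    -I PREROUTING 1 $(match_args) -j DNAT --to-destination "$TARGET"
}

# Delete both rules once the first connection has been seen.
remove_rules() {
    $IPTABLES -t nat    -D PREROUTING $(match_args) -j DNAT --to-destination "$TARGET"
    $IPTABLES -t mangle -D PREROUTING $(match_args) -j LOG --log-prefix "$PREFIX"
}

# Given one syslog line, print the SRC= address when the line carries our
# prefix and the SYN flag; print nothing otherwise. Exit 0 on match, 1 if not.
first_syn_src() {
    line="$1"
    case "$line" in
        *"$PREFIX"*SYN*)
            src="${line#*SRC=}"
            echo "${src%% *}"
            return 0
            ;;
    esac
    return 1
}

# Read syslog lines from stdin (e.g. piped from the syslog daemon or tail -F);
# on the first matching line remove the rules and report the source address.
watch_and_remove() {
    while IFS= read -r line; do
        if src="$(first_syn_src "$line")"; then
            remove_rules >/dev/null
            echo "first connection from $src; NAT rule removed"
            return 0
        fi
    done
    return 1
}
```

To run it for real, source the script, call install_rules, then feed the kernel log stream into watch_and_remove (for example `tail -F /var/log/kern.log | watch_and_remove`). The window between the logged SYN and the rule deletion is the delay the reply warns about: every SYN that arrives in that window is also translated, so this only approximates "exactly one connection".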