I don't think this will work for all traffic, but it should for TCP-based traffic. Assuming the first packet is a
"SYN" packet, you could try:

iptables -t nat -A PREROUTING -p tcp --syn --dport 80 -s 171.68.1.1 -m quota --quota 40 \
    -j REDIRECT --to-ports 9999

The key here is the "--syn" flag on the TCP protocol (-p tcp).
Good luck
®odre
From: Damjan <gdamjan@xxxxxxxxxxx>
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: Howto match only the first connection from an IP
Date: Tue, 18 Nov 2003 18:26:02 +0100

> > My goal is to set-up an iptables rule that will match and DNAT the
> > first HTTP(port 80) connection from a client (IP address).
> >
> > The first connection is defined as the first established TCP session
> > from the time the iptables rule is inserted. No other TCP connection
> > should match nor should be DNAT-ed.
> >
> > Is there any easy way to do this with current Netfilter/Iptables/pom.
>
> I can't think of a way to do this with netfilter on its own.
Well, I've come to this solution, but I wonder how reliable it is:

iptables -t nat -A PREROUTING -p tcp --dport 80 -s 171.68.1.1 -m quota --quota 40 \
    -j REDIRECT --to-ports 9999
This seems to match only the first connection.
Any other ideas???
--
Damjan Georgievski
jabberID: damjan@xxxxxxxxxxxx
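The following is an added example, not code from either poster, that models how the quota match in the two rules above decides which packet it matches, so the rule with and without "--syn" can be compared before deploying it. It mirrors the logic of the kernel's xt_quota match (a packet matches only while the remaining quota can absorb its whole length; the first packet that does not fit zeroes the quota), with the assumption that the 2003 patch-o-matic quota module behaves the same way. Every packet in the constructed streams is assumed to be the first packet conntrack sees of its connection, which is the only packet that reaches the nat table; the packet lengths, connection ids and stream contents are constructed for illustration.

```python
"""Model of an iptables '-m quota' match applied to a packet stream.

Added example: lets you check which packet a 'first connection' REDIRECT
rule would actually match, with and without the '--syn' restriction.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    length: int   # total IP packet length in bytes (what the quota match counts)
    syn: bool     # SYN set and ACK clear, i.e. what 'iptables --syn' matches
    conn: int     # constructed connection id, for readability only


class QuotaMatch:
    """Mirrors xt_quota: match while the packet fits in the remaining quota;
    the first packet that does not fit drains the quota to zero so that no
    later packet (however small) matches.  Assumption: the 2003 pom module
    used the same rule."""

    def __init__(self, quota_bytes: int):
        self.remaining = quota_bytes

    def match(self, pkt: Packet) -> bool:
        if self.remaining >= pkt.length:
            self.remaining -= pkt.length
            return True
        self.remaining = 0
        return False


def matching_packets(packets, quota_bytes, syn_only):
    """Return [(index, conn)] for every packet the rule would match.

    syn_only=True models adding '--syn': non-SYN packets never reach the
    quota match and therefore never consume quota.
    """
    q = QuotaMatch(quota_bytes)
    hits = []
    for i, pkt in enumerate(packets):
        if syn_only and not pkt.syn:
            continue
        if q.match(pkt):
            hits.append((i, pkt.conn))
    return hits


# Constructed stream A: a mid-stream ACK of a pre-existing connection is the
# first packet conntrack picks up after the rule is inserted (conntrack's
# loose pickup lets it enter the nat table), followed by three new
# connections whose SYNs carry no TCP options (40 bytes).
STREAM_A = [
    Packet(length=40, syn=False, conn=0),
    Packet(length=40, syn=True, conn=1),
    Packet(length=40, syn=True, conn=2),
    Packet(length=40, syn=True, conn=3),
]

# Constructed stream B: SYNs that carry TCP options (60 bytes each).
STREAM_B = [
    Packet(length=60, syn=True, conn=1),
    Packet(length=60, syn=True, conn=2),
]

if __name__ == "__main__":
    # Without --syn the stray ACK eats the quota; with --syn the first
    # real connection (conn 1) is the one matched.
    print("A, no --syn :", matching_packets(STREAM_A, 40, syn_only=False))
    print("A, --syn    :", matching_packets(STREAM_A, 40, syn_only=True))
    # A quota smaller than the SYN itself never matches anything.
    print("B, quota 40 :", matching_packets(STREAM_B, 40, syn_only=True))
    print("B, quota 60 :", matching_packets(STREAM_B, 60, syn_only=True))
```

Run as a script to see both comparisons; the useful check for a deployment is the second pair, which shows that "--quota 40" only matches a SYN whose total length fits in 40 bytes, so the quota value has to be sized to the SYN packets the client actually sends.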