Re: iptables -j REDIRECT

Cedric Blancher wrote:

On Mon 05/07/2004 at 23:08, ÐÐÑÐÐÐÐ ÐÐÑÐÐÐ ÐÐÐÐÐÐÐÐÐÑ wrote:

How can I manage packets coming in from port 80 to my LAN?
All chains and tables (OUTPUT: mangle, nat, filter and
POSTROUTING: mangle, nat) show that they go from
local_ip_of_gateway:3128.
But tcpdump started on the LAN interface shows that the packets go from the real
IP addresses and src_port 80....
In what chain and table does netfilter replace SRC_ip & SRC_port back with the
real ones?

After POSTROUTING, so you are not able to match them. But what you can do is use the CONNMARK target and the connmark match to spot those connections.

Something like:

	iptables -A PREROUTING -t mangle -i LAN -p tcp --dport 80 \
		-j CONNMARK --set-mark 0x01

Now, every packet that belongs to a connection beginning with one of
these packets will get connmarked with 0x01. To match them back, use the
connmark match like this:

	-m connmark --mark 0x01

Hope it will help.
I don't think it will help. There is no NAT going on after the port redirect. Squid will open a new TCP connection, so the source IP will always be Squid's. Nothing you can do about that, but you can maybe account for the traffic by using the Squid logs.


HTH,
Martijn Lievaart
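Martijn's closing suggestion, accounting for the proxied traffic from the Squid logs rather than from netfilter, as an added example that is not code from either poster: a small parser over constructed access.log lines in Squid's native format, summing bytes served per LAN client and per destination host. The field positions are assumed from Squid's native log format; the client IPs, URLs and peer addresses are constructed sample data.

```python
"""Per-client traffic accounting from Squid's native access.log.

Native format, space-separated:
  timestamp elapsed_ms client_ip code/status bytes method url ident peer/host type
'bytes' is what Squid sent to the LAN client for that request, which is exactly
the number netfilter can no longer attribute once REDIRECT hands the flow to Squid.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines (not from a real proxy); one line is deliberately malformed.
SAMPLE_LOG = """\
1088921280.123    245 192.168.1.10 TCP_MISS/200 4523 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1088921281.456     12 192.168.1.10 TCP_HIT/200 10240 GET http://www.example.com/logo.png - NONE/- image/png
1088921282.789    530 192.168.1.11 TCP_MISS/200 2048 GET http://news.example.org/ - DIRECT/198.51.100.7 text/html
1088921283.001    300 192.168.1.11 TCP_MISS/403 512 POST http://upload.example.net/api - DIRECT/203.0.113.5 application/json
1088921284.500   1500 192.168.1.12 TCP_MISS/200 8192 CONNECT mail.example.com:443 - DIRECT/192.0.2.20 -
this line is malformed and should be skipped
"""


def parse_line(line):
    """Return (client_ip, status, bytes, dest_host), or None for a malformed line."""
    fields = line.split()
    if len(fields) < 7:
        return None
    client, result, size, url = fields[2], fields[3], fields[4], fields[6]
    try:
        nbytes = int(size)
        status = int(result.split("/", 1)[1])
    except (ValueError, IndexError):
        return None
    # CONNECT requests log "host:port" rather than a full URL.
    host = urlsplit(url).hostname if "://" in url else url.split(":", 1)[0]
    return client, status, nbytes, host or url


def account(log_text):
    """Sum bytes per LAN client and per destination host, skipping malformed lines."""
    per_client, per_host = defaultdict(int), defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, _status, nbytes, host = rec
        per_client[client] += nbytes
        per_host[host] += nbytes
    return dict(per_client), dict(per_host)


if __name__ == "__main__":
    clients, hosts = account(SAMPLE_LOG)
    for ip, total in sorted(clients.items()):
        print(f"{ip:16} {total:>8} bytes")
```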
