On Fri, February 24, 2006 14:03, Giacomo A. Catenazzi wrote:
> Hello.
>
> I'm searching whether I can do (or why not) a connectionless port
> forwarding. Google didn't help me, and now I'm using a standard
> port forwarding using nat tables, but a smaller solution is
> better IMHO.
>
> I admin a "high" traffic web site. Lately there has been
> a huge increase in web-spam/blog-spam traffic, which I would
> avoid.
>
> I want to direct traffic from a blacklist to another port,
> so that a simple http server will advise the user (and offer a
> graphical challenge) to unblock.
>
> Practically I want to mangle the port of blacklist-originated
> packets, from 80 to 81, and the opposite for outgoing traffic.
> Port 81 will be firewalled from outside, so I think there cannot
> be a problem with connection identification / collision.
>
> Would it be possible?

I don't think so.

http://www.netfilter.org/projects/patch-o-matic/pom-submitted.html#pom-submitted-raw

<quote>
The NOTRACK target can be used to select which packets *not* to enter the
conntrack/NAT subsystems. Please keep in mind: if you mark a packet with
NOTRACK, then
- all the conntrack functionalities are lost for the packet (ICMP error
  tracking, protocol helpers, etc)
- all the NAT functionalities are also lost.
</quote>

Port forwarding is a form of NAT (DNAT), so you'd lose the functionality you
need.

> Would it be lighter than the std nat solution (and connection tracking)?
> Are there already some netfilter modules? (or should I implement
> one myself?)

Maybe another possibility exists that I'm not aware of...

(Comes to mind: if you run a webserver on the firewall that hosts the
webpages you want to show the users on the blacklist, you probably wouldn't
need conntrack/NAT. However, running servers on a firewall is considered bad
practice and I'm not sure I'd do this on a high volume site like you
mentioned.)

Gr,
Rob
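The conntrack/DNAT version of the setup discussed above, as an added shell example that is not from the list or either poster: REDIRECT sends blacklisted sources from port 80 to 81, the INPUT rules keep port 81 reachable only through that redirect, and a raw-table NOTRACK rule is shown as the thing that would silently defeat it. The interface name, chain name and blacklist addresses are constructed, and IPT defaults to a dry run that only prints the rules.

```shell
#!/bin/sh
# Constructed example: steer HTTP from blacklisted sources to a challenge
# page on port 81 with DNAT (REDIRECT). Addresses are RFC 5737 sample ranges.
# IPT defaults to a dry run that prints the rules; set IPT=/sbin/iptables
# (as root) to load them for real.
IPT="${IPT:-echo iptables}"
WAN=eth0
BLACKLIST="192.0.2.10 198.51.100.0/24"

blacklist_rules() {
    # Separate nat chain so the list can be rebuilt without touching the rest.
    $IPT -t nat -N SPAMSRC
    for src in $BLACKLIST; do
        # nat/PREROUTING is only consulted for conntrack'd packets: REDIRECT
        # rewrites dport 80 -> 81 on the first packet and conntrack reverses
        # the mapping on every reply, which is the "opposite for outgoing".
        $IPT -t nat -A SPAMSRC -s "$src" -p tcp --dport 80 -j REDIRECT --to-ports 81
    done
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j SPAMSRC

    # Port 81 is reachable only via the redirect: accept connections whose
    # conntrack entry carries the DNAT flag, drop direct attempts from outside.
    $IPT -A INPUT -i "$WAN" -p tcp --dport 81 -m conntrack --ctstate DNAT -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p tcp --dport 81 -j DROP
}

# What NOT to add for these packets: a raw-table NOTRACK rule makes them skip
# conntrack entirely, so they never reach nat/PREROUTING and the REDIRECT
# above is never applied (and the DNAT-state check on port 81 can't match).
broken_notrack_rule() {
    $IPT -t raw -A PREROUTING -i "$WAN" -p tcp --dport 80 -j NOTRACK
}

blacklist_rules
```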