Hello,
Lucas Diaz wrote:
> That's how I'm marking them.
> iptables -A PREROUTING -t mangle -j CONNMARK --restore-mark
> iptables -A PREROUTING -t mangle -m mark ! --mark 0 -j ACCEPT
> iptables -A PREROUTING -t mangle -m layer7 --l7proto http
> iptables -A PREROUTING -t mangle -m layer7 --l7proto dns
> [...]
> My problem is that I also need to SNAT to a specific IP those marked
> packets, and I can't match 'em.
> No packets go through
> iptables -A POSTROUTING -t nat -m mark --mark 10 -j SNAT --to x.x.x.x
Only the first NEW packet of a connection goes through the nat chains
(you cannot change the source or destination address in the middle of an
established connection), and layer7 needs more than one packet to
identify a protocol.
http://l7-filter.sourceforge.net/FAQ#usage :
Q: How can I use l7-filter to redirect some of my traffic (to a proxy,
etc.)?
A: You pretty much can't, at least not in any straightforward way.
L7-filter can't possibly identify what protocol a connection is using
until it sees a packet with data in it. For TCP, this is the third
packet, far too late to start redirecting anything. (Convoluted schemes
involving duplicating all your packets until you get a match may be
possible, but we don't recommend it.) For UDP, it could work, providing
that l7-filter gets enough data in the first packet to make a decision.
This is not our focus, however.
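To make the timing problem above concrete, here is a small Python model of the packet flow (an added illustration, not code from the thread or from the l7-filter project). It is not netfilter: it only reproduces the two rules the reply relies on, namely that the nat table is consulted once, for the first packet of a connection, and that a layer7 classifier cannot decide until it sees a packet carrying data. The SNAT address 192.0.2.1, the mark value 10, the toy HTTP matcher and the CONNMARK --save-mark step (elided in the quoted rules) are all constructed for the example. A second policy, marking on destination port, shows what the mark-plus-SNAT combination needs: a criterion that is already known on the first packet.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed values; the thread's "x.x.x.x" and mark 10 are stand-ins here.
SNAT_ADDRESS = "192.0.2.1"
MARK_VALUE = 10


@dataclass
class Packet:
    seq: int            # 1-based position within the connection
    dport: int
    payload: bytes      # empty for the TCP handshake packets


@dataclass
class Conntrack:
    """The per-connection state that conntrack keeps across packets."""
    connmark: int = 0
    nat_decided: bool = False
    snat_to: Optional[str] = None
    l7proto: Optional[str] = None


def layer7_classify(payload: bytes) -> Optional[str]:
    """Toy stand-in for an l7-filter pattern: it needs data to decide."""
    if payload.startswith(b"GET ") or payload.startswith(b"POST "):
        return "http"
    return None


def mangle_prerouting(ct: Conntrack, pkt: Packet, policy: str) -> int:
    """Mirror the quoted mangle rules: restore mark, accept if set, else classify."""
    mark = ct.connmark                      # -j CONNMARK --restore-mark
    if mark != 0:
        return mark                         # -m mark ! --mark 0 -j ACCEPT
    if policy == "layer7":                  # -m layer7 --l7proto http ...
        if ct.l7proto is None:
            ct.l7proto = layer7_classify(pkt.payload)
        if ct.l7proto == "http":
            mark = MARK_VALUE
    elif policy == "dport":                 # alternative: criterion known on packet 1
        if pkt.dport == 80:
            mark = MARK_VALUE
    ct.connmark = mark                      # assumed -j CONNMARK --save-mark
    return mark


def nat_postrouting(ct: Conntrack, mark: int) -> Optional[str]:
    """The nat table is only traversed for the first packet of a connection."""
    if ct.nat_decided:
        return ct.snat_to                   # later packets reuse the stored mapping
    ct.nat_decided = True
    if mark == MARK_VALUE:                  # -m mark --mark 10 -j SNAT --to ...
        ct.snat_to = SNAT_ADDRESS
    return ct.snat_to


def run_connection(policy: str) -> List[Tuple[int, int, Optional[str]]]:
    """Push a constructed 3-packet TCP connection through the rules.

    Returns (packet seq, mark after mangle, SNAT address chosen) per packet.
    """
    ct = Conntrack()
    packets = [
        Packet(1, 80, b""),                     # SYN
        Packet(2, 80, b""),                     # ACK completing the handshake
        Packet(3, 80, b"GET / HTTP/1.0\r\n"),   # first packet with data
    ]
    trace = []
    for pkt in packets:
        mark = mangle_prerouting(ct, pkt, policy)
        snat = nat_postrouting(ct, mark)
        trace.append((pkt.seq, mark, snat))
    return trace


if __name__ == "__main__":
    for policy in ("layer7", "dport"):
        print(policy)
        for seq, mark, snat in run_connection(policy):
            print(f"  packet {seq}: mark={mark} snat={snat}")
```

Under the layer7 policy the mark only appears on packet 3, by which time the nat decision (no SNAT) has already been made on packet 1 and is reused for the rest of the connection; under the port-based policy the mark is present on packet 1, the SNAT mapping is stored, and CONNMARK carries the mark forward so later packets keep matching.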