Sébastien Cramatte wrote:
Hello,
Why is the REJECT target not supported with MANGLE?
I'm an iptables guru, but mangle is there for "mangling packets", not
for filtering them. The filter table is for that!
My server is running Debian etch4 with a 2.6.22 kernel and is set up as a
traffic shaper + transparent bridge.
The command with connlimit below won't work and returns "Invalid
Argument":
iptables -t mangle -N mytable
iptables --table mangle --append POSTROUTING --out-interface br0 --match physdev --physdev-is-bridged --physdev-out eth0 --jump mytable
iptables -t mangle -A mytable --proto tcp --match connlimit --connlimit-above 15 --connlimit-mask 32 --jump REJECT
iptables -t mangle -A mytable --jump CLASSIFY --set-class 1:10
How can I achieve this kind of setup?
DROP_MARK="0x10"
iptables -t mangle -N table_mark
iptables -t mangle -A mytable --proto tcp --match connlimit --connlimit-above 15 --connlimit-mask 32 --jump table_mark
iptables -t mangle -A table_mark -j MARK --set-mark $DROP_MARK
# the filter rule needs a chain; FORWARD is the one bridged traffic traverses.
# note: filter FORWARD runs before mangle POSTROUTING, so the mark is only
# visible here if mytable is reached from mangle PREROUTING or FORWARD.
iptables -t filter -A FORWARD -m mark --mark $DROP_MARK -j REJECT
The "-t filter" parameter is optional, but I wrote it to show you
that this is the right place where the kernel does the filtering!
http://www.faqs.org/docs/iptables/mangletable.html
Michele
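An added example, not from either poster, of the mark-in-mangle / reject-in-filter split laid out so each rule sits in a hook the kernel visits in the right order: the mark is set in mangle FORWARD (which runs before filter FORWARD) rather than from POSTROUTING, the REJECT goes in filter FORWARD, and CLASSIFY stays in mangle POSTROUTING. The chain name conn_mark, the IPT variable for dry-running, and the interface names br0/eth0 and mark 0x10 taken from the thread are assumptions.

```shell
#!/bin/sh
# Added example: connlimit -> MARK in mangle, REJECT in filter, CLASSIFY in
# mangle POSTROUTING. Hook order for a forwarded packet is:
#   mangle PREROUTING -> mangle FORWARD -> filter FORWARD -> mangle POSTROUTING
# so a mark set from POSTROUTING can never be matched by filter FORWARD.
IPT="${IPT:-iptables}"     # set IPT to a shell function to dry-run without root
DROP_MARK="0x10"           # mark value from the thread
LIMIT=15                   # connlimit threshold from the thread
BRIDGE_IF="br0"            # assumed bridge interface (from the thread)
PHYS_OUT="eth0"            # assumed bridge port (from the thread)

connlimit_rules() {
    # user chain that only sets the mark (assumed name: conn_mark)
    "$IPT" -t mangle -N conn_mark
    "$IPT" -t mangle -A conn_mark -j MARK --set-mark "$DROP_MARK"

    # mangle FORWARD runs before filter FORWARD: mark sources with more
    # than LIMIT TCP connections (mask 32 = per single source address)
    "$IPT" -t mangle -A FORWARD -o "$BRIDGE_IF" \
        -m physdev --physdev-is-bridged --physdev-out "$PHYS_OUT" \
        -p tcp -m connlimit --connlimit-above "$LIMIT" --connlimit-mask 32 \
        -j conn_mark

    # filter is where the kernel makes the accept/reject decision
    "$IPT" -t filter -A FORWARD -m mark --mark "$DROP_MARK" \
        -p tcp -j REJECT --reject-with tcp-reset

    # shaping classification stays in mangle POSTROUTING, as in the thread
    "$IPT" -t mangle -A POSTROUTING -o "$BRIDGE_IF" \
        -m physdev --physdev-is-bridged --physdev-out "$PHYS_OUT" \
        -j CLASSIFY --set-class 1:10
}
```

Run connlimit_rules as root to install the rules, or set IPT to a function that echoes its arguments to review the generated rule set first.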
-
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html