FW: CONNMARK and ip rule fwmark

Sorry, I am not accustomed yet to not having reply-to the list... 

> -----Original Message-----
> From: Steffen Heil [mailto:lists@xxxxxxxxxxxxxxx] 
> Sent: Monday, March 31, 2008 2:07 AM
> To: 'Jan Engelhardt'
> Subject: RE: CONNMARK and ip rule fwmark
> 
> Hi
> 
> > ># iptables -t nat -A PREROUTING -p TCP -d publicip -j DNAT --to 10.4.0.1
> > >
> > >My observations seem to tell me that ip rule is evaluated BEFORE
> > >iptables rules are applied, so the mark is not set yet.
> > 
> > See http://jengelh.hopto.org/images/nf-packet-flow.png , routing 
> > decision takes place in the middle. (It's called _PRE_ROUTING_ for a
> > reason.)
> 
> Can you think of any reason SYN ACK packets are not seen in
> ANY table in my case?
> I see the SYN packet and I know the service is running on that port!
> a.b.c.d is the client.
> 
> Regards,
>   Steffen
> 
> 
> 
> iptables -t raw -I PREROUTING -p tcp -d a.b.c.d/24 -j LOG
> iptables -t raw -I OUTPUT -p tcp -d a.b.c.d/24 -j LOG
> iptables -t raw -I PREROUTING -p tcp -s a.b.c.d/24 -j LOG
> iptables -t raw -I OUTPUT -p tcp -s a.b.c.d/24 -j LOG
> iptables -t filter -I INPUT -p tcp -d a.b.c.d/24 -j LOG
> iptables -t filter -I FORWARD -p tcp -d a.b.c.d/24 -j LOG
> iptables -t filter -I OUTPUT -p tcp -d a.b.c.d/24 -j LOG
> iptables -t filter -I INPUT -p tcp -s a.b.c.d/24 -j LOG
> iptables -t filter -I FORWARD -p tcp -s a.b.c.d/24 -j LOG
> iptables -t filter -I OUTPUT -p tcp -s a.b.c.d/24 -j LOG
> iptables -t nat -I PREROUTING -p tcp -d a.b.c.d/24 -j LOG
> iptables -t nat -I POSTROUTING -p tcp -d a.b.c.d/24 -j LOG
> iptables -t nat -I OUTPUT -p tcp -d a.b.c.d/24 -j LOG
> iptables -t nat -I PREROUTING -p tcp -s a.b.c.d/24 -j LOG
> iptables -t nat -I POSTROUTING -p tcp -s a.b.c.d/24 -j LOG
> iptables -t nat -I OUTPUT -p tcp -s a.b.c.d/24 -j LOG
> iptables -t mangle -I PREROUTING -p tcp -d a.b.c.d/24 -j LOG
> iptables -t mangle -I INPUT -p tcp -d a.b.c.d/24 -j LOG
> iptables -t mangle -I FORWARD -p tcp -d a.b.c.d/24 -j LOG
> iptables -t mangle -I OUTPUT -p tcp -d a.b.c.d/24 -j LOG
> iptables -t mangle -I POSTROUTING -p tcp -d a.b.c.d/24 -j LOG
> iptables -t mangle -I PREROUTING -p tcp -s a.b.c.d/24 -j LOG
> iptables -t mangle -I INPUT -p tcp -s a.b.c.d/24 -j LOG
> iptables -t mangle -I FORWARD -p tcp -s a.b.c.d/24 -j LOG
> iptables -t mangle -I OUTPUT -p tcp -s a.b.c.d/24 -j LOG
> iptables -t mangle -I POSTROUTING -p tcp -s a.b.c.d/24 -j LOG
> 

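The LOG rules quoted above cover every table and chain but carry no --log-prefix, so the resulting kernel log lines cannot be attributed to a particular hook. The script below is an added example, not code from the thread or from the netfilter project: it assumes each LOG rule was given a prefix of the form "<table>:<chain> ", parses the resulting nf_log lines, and reports in which hooks the client's SYN and the server's SYN/ACK were seen, in traversal order. The addresses and log lines are constructed; the hook order encodes the point made in the reply, namely that the routing decision (where `ip rule ... fwmark` is consulted) sits after PREROUTING.

```python
"""Tabulate which netfilter table/chain pairs saw each TCP packet.

Added example, not code from the thread.  Assumes every LOG rule was
given a distinct --log-prefix of the form "<table>:<chain> "; the rules
quoted in the thread carry no prefix, so their log lines cannot be told
apart.  All addresses and log lines below are constructed.
"""
import re

# Hooks a forwarded packet traverses, in order.  The routing decision, where
# `ip rule ... fwmark` is consulted, sits between nat:PREROUTING and
# mangle:FORWARD, so a mark meant to steer routing has to be set in
# PREROUTING (e.g. in mangle, via CONNMARK --restore-mark).
FORWARD_PATH = [
    "raw:PREROUTING", "mangle:PREROUTING", "nat:PREROUTING",
    "mangle:FORWARD", "filter:FORWARD",
    "mangle:POSTROUTING", "nat:POSTROUTING",
]

# Fields of an nf_log line; the TCP flag words sit between RES= and URGP=.
LOG_RE = re.compile(
    r"kernel: (?P<table>\w+):(?P<chain>\w+) "
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"PROTO=TCP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) .*?"
    r"RES=0x[0-9a-fA-F]+ (?P<flags>(?:[A-Z]{3} )*)URGP="
)

# Constructed kernel log: a client SYN to the public address, DNATed to
# 10.4.0.1 in nat:PREROUTING and leaving via eth1, with no SYN/ACK logged
# anywhere, which is the symptom described in the thread.
CLIENT = "198.51.100.7"
_TAIL = "LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP"
SAMPLE_LOG = "\n".join(
    f"Mar 31 02:07:01 gw kernel: {hook} IN={i} OUT={o} SRC={CLIENT} DST={dst} "
    f"{_TAIL} SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0"
    for hook, i, o, dst in [
        ("raw:PREROUTING", "eth0", "", "203.0.113.10"),
        ("mangle:PREROUTING", "eth0", "", "203.0.113.10"),
        ("nat:PREROUTING", "eth0", "", "203.0.113.10"),
        ("mangle:FORWARD", "eth0", "eth1", "10.4.0.1"),
        ("filter:FORWARD", "eth0", "eth1", "10.4.0.1"),
        ("mangle:POSTROUTING", "", "eth1", "10.4.0.1"),
        ("nat:POSTROUTING", "", "eth1", "10.4.0.1"),
    ]
)
# What the first hook would log if the server's SYN/ACK did come back
# (constructed; nf_log prints the flags as "ACK SYN").
REPLY_LINE = (
    f"Mar 31 02:07:01 gw kernel: raw:PREROUTING IN=eth1 OUT= SRC=10.4.0.1 "
    f"DST={CLIENT} {_TAIL} SPT=80 DPT=40001 WINDOW=5792 RES=0x00 ACK SYN URGP=0"
)


def parse_log(text):
    """Return one record per matching LOG line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["flags"] = tuple(rec["flags"].split())
        rec["hook"] = f"{rec['table']}:{rec['chain']}"
        records.append(rec)
    return records


def handshake_trace(records, client):
    """Hooks (in log order) that saw the client's bare SYN and the SYN/ACK
    addressed back to it.  Matching on the client address works across the
    DNAT, which only rewrites the destination."""
    syn, syn_ack = [], []
    for r in records:
        if r["src"] == client and r["flags"] == ("SYN",):
            syn.append(r["hook"])
        elif r["dst"] == client and r["flags"] == ("ACK", "SYN"):
            syn_ack.append(r["hook"])
    return {"syn": syn, "syn_ack": syn_ack}


def diagnose(trace):
    """One-line verdict from a handshake trace."""
    if not trace["syn"]:
        return "no SYN from the client was logged"
    if trace["syn"][-1] != FORWARD_PATH[-1]:
        return f"SYN last seen in {trace['syn'][-1]}; dropped before the next hook"
    if not trace["syn_ack"]:
        return ("SYN left the box via nat:POSTROUTING but no SYN/ACK entered "
                "any chain: the reply is not reaching this host")
    return f"SYN/ACK seen in {', '.join(trace['syn_ack'])}"


if __name__ == "__main__":
    print(diagnose(handshake_trace(parse_log(SAMPLE_LOG), CLIENT)))
    print(diagnose(handshake_trace(parse_log(SAMPLE_LOG + "\n" + REPLY_LINE), CLIENT)))
```

Because raw:PREROUTING is the first hook any incoming packet hits, a SYN that is logged all the way to nat:POSTROUTING with no SYN/ACK in raw:PREROUTING means the reply never arrived on any interface of this host, which narrows the search to the server and the path back from it rather than to the rule set.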