On Monday 15 June 2009, around 18:59, as the evening was beginning, David Madore <david+ml@xxxxxxxxxx> wrote:

> Recent versions of iptables have forbidden the use of DROP in the nat
> table. I can't understand, however, how one is supposed to work
> around this limitation: is there a howto or some kind of documentation
> somewhere which explains how to deal with this change?
>
> Suppose my current rules look something like this:
>
> -t nat -A OUTPUT -p tcp -d somenetwork -m tcp --syn --dport 80 -j CONTROLLED
> -t nat -A CONTROLLED -m limit --limit 10/hour -j RETURN
> -t nat -A CONTROLLED -p tcp -m statistic --mode random --probability 0.1 -j REDIRECT --to-ports 80
> -t nat -A CONTROLLED -j DROP

You can DROP in the mangle table instead.

-t mangle -A OUTPUT -p tcp -d ... -j CONTROLLED
-t mangle -A CONTROLLED -m limit --limit ... -j RETURN
-t mangle -A CONTROLLED -p tcp -m statistic --mode random --probability 0.9 -j DROP
-t mangle -A CONTROLLED -j MARK --set-mark 1
-t nat -A OUTPUT -m mark --mark 1 -j REDIRECT --to-ports 80

You can also DROP in the raw table, but I think you cannot set a mark here.

--
BOFH excuse #381:

Robotic tape changer mistook operator's tie for a backup tape.
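An added check, not part of the thread above: a small POSIX sh/awk lint that reads a ruleset in iptables-save format and reports any rule in the nat table whose target is DROP or REJECT, which is exactly what newer iptables refuses to load. The two rulesets are constructed for the example; 192.0.2.0/24 (a documentation range) stands in for "somenetwork", the limit value is taken from the original post, and the second ruleset is the mangle-plus-MARK arrangement from the reply written out in save format. Function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): lint iptables-save style text for
# DROP/REJECT targets inside the nat table. Rulesets below are constructed;
# 192.0.2.0/24 stands in for "somenetwork" in the original post.

# Ruleset as the original poster had it: the terminal DROP sits in nat.
ORIGINAL_RULES='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:CONTROLLED - [0:0]
-A OUTPUT -p tcp -d 192.0.2.0/24 -m tcp --syn --dport 80 -j CONTROLLED
-A CONTROLLED -m limit --limit 10/hour -j RETURN
-A CONTROLLED -p tcp -m statistic --mode random --probability 0.1 -j REDIRECT --to-ports 80
-A CONTROLLED -j DROP
COMMIT'

# Ruleset rearranged as the reply suggests: drop in mangle, mark the
# survivors, and let nat only REDIRECT what carries the mark.
REWRITTEN_RULES='*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:CONTROLLED - [0:0]
-A OUTPUT -p tcp -d 192.0.2.0/24 -m tcp --syn --dport 80 -j CONTROLLED
-A CONTROLLED -m limit --limit 10/hour -j RETURN
-A CONTROLLED -p tcp -m statistic --mode random --probability 0.9 -j DROP
-A CONTROLLED -j MARK --set-mark 1
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -m mark --mark 1 -j REDIRECT --to-ports 80
COMMIT'

# Print every rule of the nat table whose target is DROP or REJECT.
# Table sections start with "*name" and end with "COMMIT", as in
# iptables-save output; rules are the "-A chain ..." lines in between.
nat_drop_rules() {
    printf '%s\n' "$1" | awk '
        /^\*/      { table = substr($0, 2); next }
        /^COMMIT/  { table = ""; next }
        table == "nat" && /-j (DROP|REJECT)( |$)/ { print }
    '
}

# Number of offending rules; handy as a pre-load gate in a deploy script.
nat_drop_count() {
    nat_drop_rules "$1" | awk 'END { print NR }'
}

echo "nat-table DROP/REJECT rules in the original ruleset:"
nat_drop_rules "$ORIGINAL_RULES"
echo "count in the rewritten ruleset: $(nat_drop_count "$REWRITTEN_RULES")"
```

On a real host, iptables-restore --test against the same file is the authoritative check, since it lets the installed iptables version decide; the awk pass is only useful for catching the problem before the file reaches a machine, or in a repository hook.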