On Mon, 15 Jun 2009 19:24:10 +0200, Vincent Bernat <bernat@xxxxxxxx> wrote:

> OoO During the early evening of Monday 15 June 2009, around 18:59, David
> Madore <david+ml@xxxxxxxxxx> said:
>
>> Recent versions of iptables have forbidden the use of DROP in the nat
>> table. I can't understand, however, how one is supposed to work
>> around this limitation: is there a howto or some kind of documentation
>> somewhere which explains how to deal with this change?
>
>> Suppose my current rules look something like this:
>
>> -t nat -A OUTPUT -p tcp -d somenetwork -m tcp --syn --dport 80 -j CONTROLLED
>> -t nat -A CONTROLLED -m limit --limit 10/hour -j RETURN
>> -t nat -A CONTROLLED -p tcp -m statistic --mode random --probability 0.1 -j REDIRECT --to-ports 80
>> -t nat -A CONTROLLED -j DROP
>
> You can DROP in the mangle table instead.
>
> -t mangle -A OUTPUT -p tcp -d ... -j CONTROLLED
> -t mangle -A CONTROLLED -m limit --limit ... -j RETURN
> -t mangle -A CONTROLLED -p tcp -m statistic --mode random --probability 0.9 -j DROP
> -t mangle -A CONTROLLED -j MARK --set-mark 1
> -t nat -A OUTPUT -p tcp -m mark --mark 1 -j REDIRECT --to-ports 80
>
> You can also DROP in the raw table, but I think you cannot set a mark
> here.

Would this not begin to drop n% of packets instead of n% of connections, due to the nat table only receiving NEW packets and mangle receiving all? I think you may also need to add state NEW to the rule somehow.

AYJ
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
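As an added example that is not part of the thread: the mangle-table workaround rewritten with the per-connection fix AYJ suggests (gate the chain on NEW connections so the 0.9 DROP samples connections, not packets), plus a small lint that flags mangle rules which DROP or use -m statistic without such a gate. DEST_NET is an assumed placeholder for "somenetwork", the function names are mine, and the conntrack, limit, statistic and mark extensions are assumed to be available.

```shell
#!/bin/sh
# Added example (not from the thread). Emits the mangle-table workaround with
# the fix AYJ suggests: the nat table sees only the first packet of a flow,
# but mangle sees every packet, so the 0.9 DROP must be gated on NEW
# connections or it drops 90% of packets instead of 90% of connections.
# Placeholders (assumptions): DEST_NET stands in for "somenetwork"; the
# conntrack, limit, statistic and mark extensions are assumed available.

DEST_NET="${DEST_NET:-192.0.2.0/24}"

# Print the rules instead of running them so they can be reviewed first;
# apply with:  emit_rules | sh   (as root)
emit_rules() {
    cat <<EOF
iptables -t mangle -N CONTROLLED
iptables -t mangle -A OUTPUT -p tcp -d $DEST_NET --dport 80 -m conntrack --ctstate NEW -j CONTROLLED
iptables -t mangle -A CONTROLLED -m limit --limit 10/hour -j RETURN
iptables -t mangle -A CONTROLLED -m statistic --mode random --probability 0.9 -j DROP
iptables -t mangle -A CONTROLLED -j MARK --set-mark 1
iptables -t nat -A OUTPUT -p tcp -m mark --mark 1 -j REDIRECT --to-ports 80
EOF
}

# Read iptables commands on stdin and print every mangle rule that DROPs or
# samples (-m statistic) per packet: neither the rule itself nor every jump
# into its chain carries --ctstate NEW, --state NEW or --syn.
# Exit status is 1 when at least one such rule is found.
lint_per_connection() {
    awk '
    /-t mangle/ && / -A / {
        chain = ""; gated = ($0 ~ /--ctstate NEW|--state NEW|--syn/)
        for (i = 1; i <= NF; i++) {
            if ($i == "-A") chain = $(i + 1)
            if ($i == "-j" && !gated) open[$(i + 1)] = 1   # ungated entry into target
        }
        if (!gated && ($0 ~ / -j DROP/ || $0 ~ /-m statistic/)) { risky[NR] = chain; line[NR] = $0 }
    }
    END {
        bad = 0
        for (n in risky) {
            c = risky[n]
            if (c ~ /^(OUTPUT|PREROUTING|INPUT|FORWARD|POSTROUTING)$/ || open[c]) { print line[n]; bad++ }
        }
        exit (bad > 0)
    }'
}
```

Running the lint over the thread's original mangle rules (no state match on the OUTPUT jump) prints the DROP rule and exits 1; over the gated set above it prints nothing and exits 0.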