On Tue, 16/06/2009 at 16:29 +1200, Amos Jeffries writes:
> On Mon, 15 Jun 2009 19:24:10 +0200, Vincent Bernat <bernat@xxxxxxxx> wrote:
> > OoO In the early evening of Monday 15 June 2009, at around 18:59, David
> > Madore <david+ml@xxxxxxxxxx> said:
> >
> >> Recent versions of iptables have forbidden the use of DROP in the nat
> >> table. I can't understand, however, how one is supposed to work
> >> around this limitation: is there a howto or some kind of documentation
> >> somewhere which explains how to deal with this change?
> >
> >> Suppose my current rules look something like this:
> >
> >> -t nat -A OUTPUT -p tcp -d somenetwork -m tcp --syn --dport 80 -j CONTROLLED
> >> -t nat -A CONTROLLED -m limit --limit 10/hour -j RETURN
> >> -t nat -A CONTROLLED -p tcp -m statistic --mode random --probability 0.1 -j REDIRECT --to-ports 80
> >> -t nat -A CONTROLLED -j DROP
> >
> > You can DROP in the mangle table instead.
> >
> > -t mangle -A OUTPUT -p tcp -d ... -j CONTROLLED
> > -t mangle -A CONTROLLED -m limit --limit ... -j RETURN
> > -t mangle -A CONTROLLED -p tcp -m statistic --mode random --probability 0.9 -j DROP
> > -t mangle -A CONTROLLED -j MARK --set-mark 1
> > -t nat -A OUTPUT -m mark --mark 1 -j REDIRECT --to-ports 80
> >
> > You can also DROP in the raw table, but I think you cannot set a mark
> > here.
>
> Would this not begin to drop n% packets instead of n% connections? due to
> the nat table only receiving NEW packets and mangle receiving all.
>
> I think you may also need to add state NEW to the rule somehow.

Anyway, what is the reason for such a big change?

--
Покотиленко Костик <casper@xxxxxxxxxxxx>
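The workaround discussed in the thread, written out as an added example (not code from any of the posters): the limit/statistic/DROP logic moves to the mangle table, the surviving connections are marked, and the nat table only does the REDIRECT on the mark. Following Amos's remark, the mangle rule adds `-m conntrack --ctstate NEW` alongside `--syn` so it only sees connection starts even though mangle OUTPUT receives every packet. The second function is a small lint that reads iptables-restore input and reports any DROP or REJECT target placed in the nat table, which is the very thing newer iptables rejects. The network `192.0.2.0/24`, the mark value 1 and the function names are my own assumptions; the thread only says `somenetwork`.

```sh
#!/bin/sh
# Added example, not from the original thread.
# NET is a constructed placeholder for David's "somenetwork".
NET="${NET:-192.0.2.0/24}"
MARK="${MARK:-1}"   # assumed mark value; any non-zero value works

# controlled_rules: emit the mangle + nat ruleset in iptables-restore format.
# Per-connection semantics: the rule in mangle OUTPUT is restricted to SYN
# packets of NEW connections (mangle, unlike nat, sees every packet).
# Outcome per new connection to port 80 on $NET:
#   - first 10 per hour pass untouched (RETURN),
#   - of the rest, 90% are dropped,
#   - the remaining 10% are marked and redirected to local port 80 in nat.
controlled_rules() {
  cat <<EOF
*mangle
:CONTROLLED - [0:0]
-A OUTPUT -p tcp -d $NET -m conntrack --ctstate NEW -m tcp --syn --dport 80 -j CONTROLLED
-A CONTROLLED -m limit --limit 10/hour -j RETURN
-A CONTROLLED -m statistic --mode random --probability 0.9 -j DROP
-A CONTROLLED -j MARK --set-mark $MARK
COMMIT
*nat
-A OUTPUT -m mark --mark $MARK -j REDIRECT --to-ports 80
COMMIT
EOF
}

# check_no_nat_drop: read iptables-restore text on stdin; print each offending
# line to stderr and return 1 if a DROP or REJECT target appears inside the
# nat table, 0 otherwise.  Useful as a pre-load check for old rule files.
check_no_nat_drop() {
  awk '
    /^\*/ { table = substr($0, 2); next }
    table == "nat" && / -j (DROP|REJECT)( |$)/ {
      bad++
      print "nat table, line " NR ": " $0 > "/dev/stderr"
    }
    END { exit (bad > 0) }
  '
}

# Stand-alone use: print the ruleset and lint it.
controlled_rules
controlled_rules | check_no_nat_drop && echo "ok: no DROP/REJECT in nat"
```

To load it, pipe `controlled_rules | iptables-restore` (it replaces the mangle and nat tables in full, so merge with existing rules first), and run an old rule file through `check_no_nat_drop < rules.v4` before migrating. The mark is set in mangle OUTPUT, which a locally generated packet traverses before nat OUTPUT, so the nat REDIRECT rule sees it.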