Re: raw table and NOTRACK target

On Thu, 25/06/2009 at 16:05 +0300, Ramunas Vabolis wrote:
> 	Hello there,
> 
> I'm looking after a pretty busy router. Right now everything in
> PREROUTING chain is joined to NOTRACK:
> 
> /sbin/iptables -t raw -A PREROUTING -j NOTRACK
> I need to intercept and redirect tcp http sessions. But right now I'm
> stuck while trying to add exceptions to NOTRACK.
> 
> I've tried adding one test on local IP (real one) and use RETURN target:
> /sbin/iptables -t raw -I PREROUTING -p tcp -s host.ip --dport 80 -j RETURN
> /sbin/iptables -t raw -I PREROUTING -p tcp -d host.ip --sport 80 -j RETURN
> 
> Does not work. (Tried -j ACCEPT too). Tried creating another chain, jump
> from PREROUTING to that chain and RETURN or ACCEPT in there. Same thing.
> iptables -vxnL shows increase only in first rule

Pay attention to order. As far as I understood your rule order is like
this:

-t raw -A PREROUTING -j NOTRACK
-t raw -A PREROUTING -p tcp -s host.ip --dport 80 -j RETURN
-t raw -A PREROUTING -p tcp -d host.ip --sport 80 -j RETURN

first rule matches any packet setting an action of NOTRACK. You should change the order to be like this:

-t raw -A PREROUTING -p tcp -s host.ip --dport 80 -j RETURN
-t raw -A PREROUTING -p tcp -d host.ip --sport 80 -j RETURN
-t raw -A PREROUTING -j NOTRACK

assuming you already have this rule:

/sbin/iptables -t raw -A PREROUTING -j NOTRACK

then you should add rest to the top (at position 1) by:

/sbin/iptables -t raw -I PREROUTING 1 -p tcp -s host.ip --dport 80 -j RETURN
/sbin/iptables -t raw -I PREROUTING 1 -p tcp -d host.ip --sport 80 -j RETURN

> I add any of these rules, tcpdump shows that packet arrives to
> inner interface, but does not travel to outgoing one. 
> 
> I'm using Debian Lenny with stock packets (kernel including). 
> 
> What am I missing or doing wrong? From what I gather packets are 
> discarded at raw table. 

-- 
Покотиленко Костик <casper@xxxxxxxxxxxx>
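The problem in this thread is a first-match ordering mistake: once a catch-all NOTRACK rule sits at the top of the raw PREROUTING chain, every exception appended below it is dead. The script below is an added example (not code from either poster) that audits an iptables-save dump for exactly that condition, so the misordering can be caught before traffic is affected. It assumes the standard iptables-save text format; the two sample dumps are constructed for demonstration and use the documentation address 192.0.2.10 in place of the thread's host.ip.

```shell
#!/bin/sh
# Added example: find raw-table PREROUTING rules that can never match because
# an unconditional "-A PREROUTING -j NOTRACK" precedes them.
# Sample dumps below are constructed; 192.0.2.10 stands in for host.ip.

# Print the number of raw-table PREROUTING rules that appear after an
# unconditional NOTRACK rule. Reads iptables-save text from stdin or from
# the files given as arguments.
shadowed_rule_count() {
    awk '
        /^\*/             { table = $0; blanket = 0; next }   # table header, e.g. "*raw"
        /^COMMIT/         { table = ""; next }
        table != "*raw"   { next }                            # only the raw table matters here
        /^-A PREROUTING / {
            if (blanket) { shadowed++; next }                 # below the catch-all: dead rule
            # a PREROUTING rule with no match options and target NOTRACK catches everything
            if ($0 == "-A PREROUTING -j NOTRACK") blanket = 1
        }
        END { print shadowed + 0 }
    ' "$@"
}

# Return 0 when the order is sane, 1 when shadowed rules exist.
check_raw_order() {
    n=$(shadowed_rule_count "$@")
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n raw PREROUTING rule(s) sit below a catch-all NOTRACK and never match" >&2
        return 1
    fi
    echo "raw PREROUTING order OK"
}

# Constructed sample: the order from the original question (NOTRACK first).
BAD_DUMP=$(cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -j NOTRACK
-A PREROUTING -s 192.0.2.10/32 -p tcp -m tcp --dport 80 -j RETURN
-A PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --sport 80 -j RETURN
COMMIT
EOF
)

# Constructed sample: the order the reply recommends (exceptions first).
GOOD_DUMP=$(cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 192.0.2.10/32 -p tcp -m tcp --dport 80 -j RETURN
-A PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --sport 80 -j RETURN
-A PREROUTING -j NOTRACK
COMMIT
EOF
)

# Stand-alone demo. On a live router run:  iptables-save -t raw | check_raw_order
printf '%s\n' "$BAD_DUMP"  | check_raw_order || echo "-> insert the RETURN rules at position 1 (iptables -t raw -I PREROUTING 1 ...)"
printf '%s\n' "$GOOD_DUMP" | check_raw_order
```

The check deliberately flags only a rule that is literally `-A PREROUTING -j NOTRACK`, i.e. one with no match options at all; a NOTRACK rule restricted by `-i`, `-s` or `-p` does not shadow everything below it, so it is not reported. Pair this with `iptables -t raw -vxnL` on the running system: if the packet counters only ever move on the NOTRACK line, the chain is misordered regardless of what the saved ruleset says.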

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
