Re: Update delay when using nat table?

ipset looks interesting but I've no experience of patching the kernel. I did run an aptitude install ipset.

ipset -H
I'm of protocol version 2.
Kernel module is not loaded in, cannot verify kernel version.
ipset v2.5.0
...

What needs to be done here? I've tried googling around but there's not that much information available.

Thanks,
Sheepa

----- Original Message ----- From: "François Legal" <devel@xxxxxxxxxxxxxx>
To: "Sheepa" <sheepa@xxxxxxxxxx>
Sent: Thursday, March 11, 2010 5:40 PM
Subject: Re: Update delay when using nat table?


So to remove the conntrack entries, you can use the conntrack command (it
is available in some debian package) that uses (I'm not sure) the netlink
interface to netfilter (so you must have that enabled in your kernel).

For the 10k entries (I guess it's about different -s X.X.X.X entries), you
may use ipset.

François

PS: please post back to the list when you have something working to share
with others.

On Thu, 11 Mar 2010 17:11:10 +0100, "Sheepa" <sheepa@xxxxxxxxxx> wrote:
That is probably the case.
How would someone remove an entry (based on IP and port)?

Also, I plan on having around 10k rules like this, currently the packets
are just dropped. Is there any better way (performance wise) of doing this?

Thanks,
Sheepa

----- Original Message ----- From: "François Legal" <devel@xxxxxxxxxxxxxx>
To: "Sheepa" <sheepa@xxxxxxxxxx>
Sent: Thursday, March 11, 2010 3:56 PM
Subject: Re: Update delay when using nat table?


I guess that is because there is already a conntrack entry for the packets
that you're sending to port 777. You can confirm this by checking
/proc/net/nf_conntrack

If my guess is correct, you have to remove the entry (or even flush the
entire table) from conntrack with the "conntrack" tool.

François

On Thu, 11 Mar 2010 01:42:23 +0100, "Sheepa" <sheepa@xxxxxxxxxx> wrote:
Hello, I'm trying to redirect a port based on source IP like this:
iptables -t nat -A PREROUTING -p udp --dport 777 -j REDIRECT --to-port 888 -s x.x.x.x

Notice that I will have services listening on both ports. Although this
works it takes several minutes for it to take effect. And it doesn't seem
to take effect at all if I keep sending packages to port 777 here in the
example. How can I make it take effect instantly? Or is there any other
way of doing this (redirecting a port locally) on a debian squeeze
machine?

Thanks,
Sheepa
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
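The approach François outlines (one set-backed REDIRECT rule for the 10k sources, then deleting the stale conntrack entries so the rule applies at once), written out as an added shell example that is not from the thread. It assumes the newer ipset syntax (create/add, -m set --match-set) rather than the v2.5 tool shown above, conntrack-tools and root; the set name redir_src, the DRY_RUN and REDIRECT_APPLY variables and sources.txt are my own choices.

```shell
#!/bin/sh
# Added example, not code from the thread. Redirect UDP 777 -> 888 for a
# large list of source addresses with one ipset-backed rule instead of one
# "-s X.X.X.X" rule each, then delete the conntrack entries that still carry
# the old NAT decision. With DRY_RUN=1 the commands are only printed.
SET_NAME="${SET_NAME:-redir_src}"
FROM_PORT="${FROM_PORT:-777}"
TO_PORT="${TO_PORT:-888}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the set (-exist makes this idempotent) and add one address per
# line read from stdin; blank lines and '#' comments are skipped.
load_set() {
    run ipset create "$SET_NAME" hash:ip -exist
    while read -r ip; do
        case "$ip" in ''|'#'*) continue ;; esac
        run ipset add "$SET_NAME" "$ip" -exist
    done
}

# A single REDIRECT rule keyed on the set: a hash lookup instead of a
# linear walk through a 10k-rule chain for every packet.
install_rule() {
    run iptables -t nat -A PREROUTING -p udp --dport "$FROM_PORT" \
        -m set --match-set "$SET_NAME" src -j REDIRECT --to-ports "$TO_PORT"
}

# The nat table is consulted only for the first packet of a flow; flows
# conntrack already knows keep their old mapping until they expire, which
# is the "takes several minutes" effect. Delete those entries explicitly.
flush_conntrack() {
    run conntrack -D -p udp --orig-port-dst "$FROM_PORT"
}

main() {
    load_set && install_rule && flush_conntrack
}
# Apply for real with: REDIRECT_APPLY=1 sh redirect.sh < sources.txt
if [ "${REDIRECT_APPLY:-0}" = "1" ]; then
    main
fi
```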
