On 2011-02-01 02:50, JeHo Park wrote:
hello Pablo
i have two more questions
You should use the string match in the filter or raw tables.
and second,
I think some people might also want such functionality, like what I
want to do:
redirecting some connections to another server judging from their TCP
content information.
[in this case, the URI information of the HTTP transaction]
I want to know what you think about it ..
previously thanks ~
First of all: This question has been answered many times... Here on the
list and you can find it in other online documentation.
Please understand that the nat table sees only the first packet of the
whole connection. This is by design. (There is no need for the judgement
of the nat table when we already know how to handle the connection...)
The string match is much like a toy and not a real help in the iptables.
(Sorry, I do not really "believe" in this match. But also I understand
the need for such a match. Sometimes it can be very useful.) As already
mentioned before, the main problem is the fragmentation.
For your needs: please use a proxy. In your case iptables is not the
right tool.
Swifty
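
The proxy approach recommended in the reply above, as an added example that is not part of the original thread: a small Python reverse proxy that reads the reassembled TCP stream until the HTTP header block is complete and only then picks a backend from the URI. The routing table, addresses and ports are constructed placeholders, and all function names are hypothetical.

```python
import asyncio

# Hypothetical routing table: URI prefix -> backend (host, port). Constructed values.
ROUTES = {"/images/": ("127.0.0.1", 8081), "/api/": ("127.0.0.1", 8082)}
DEFAULT_BACKEND = ("127.0.0.1", 8080)

def pick_backend(head: bytes):  # head = complete HTTP request head
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None                      # not a well-formed request line
    for prefix, backend in ROUTES.items():
        if parts[1].startswith(prefix):
            return backend
    return DEFAULT_BACKEND

async def pipe(reader, writer):  # copy bytes one way until EOF, then close
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()

async def handle(client_r, client_w):
    try:
        # The stream is already reassembled here, however the URI was split.
        head = await client_r.readuntil(b"\r\n\r\n")
        backend = pick_backend(head)
        if backend is None:
            client_w.write(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
            await client_w.drain()
            return
        up_r, up_w = await asyncio.open_connection(*backend)
        up_w.write(head)                 # replay the bytes already consumed
        await asyncio.gather(pipe(client_r, up_w), pipe(up_r, client_w))
    except (asyncio.IncompleteReadError, asyncio.LimitOverrunError, OSError):
        pass                             # client or backend went away early
    finally:
        client_w.close()

async def main(port=8000):
    server = await asyncio.start_server(handle, "127.0.0.1", port)
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(main())
```

The backend is chosen once per connection from the first request, so a keep-alive connection that later asks for a different prefix stays on the same backend.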