On Mon, 2011-08-22 at 21:23 +0530, TEJAS wrote:
> Hi,
>
> My current iptables rules are:
>
> cat /etc/sysconfig/iptables
> # Generated by iptables-save v1.4.7 on Mon Aug 22 21:17:33 2011
> *nat
> :PREROUTING ACCEPT [493:28472]
> :POSTROUTING ACCEPT [344:23920]
> :OUTPUT ACCEPT [344:23920]
> COMMIT
> # Completed on Mon Aug 22 21:17:33 2011
> # Generated by iptables-save v1.4.7 on Mon Aug 22 21:17:33 2011
> *filter
> :INPUT ACCEPT [12511:3538351]
> :FORWARD ACCEPT [16:832]
> :OUTPUT ACCEPT [11397:5249840]
> COMMIT
> # Completed on Mon Aug 22 21:17:33 2011
> # Generated by iptables-save v1.4.7 on Mon Aug 22 21:17:33 2011
> *mangle
> :PREROUTING ACCEPT [92:12257]
> :INPUT ACCEPT [3202:794108]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [2909:931650]
> :POSTROUTING ACCEPT [2909:931650]
> :DIVERT - [0:0]
> -A PREROUTING -d 10.10.10.30/32 -p tcp -m tcp --dport 80 -j ACCEPT
> -A PREROUTING -p tcp -m socket -j DIVERT
> -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
> -A PREROUTING -j LOG
> -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
> -A DIVERT -j ACCEPT
> COMMIT
>
> Is it correct use of log options?

Well, you're not using any log *options*, you're just logging. See the LOG
section of 'man iptables' for log options.

> I want to log everything for my logs. I want to see what is happening
> with socket match and what is happening with tproxy match options

I suppose you need a second LOG rule right after the DIVERT -j MARK rule,
because after that rule the packet is ACCEPT-ed and nothing is logged.

It may help if you use a separate --log-prefix for each LOG rule to see in
the logfile which LOG rule did the logging.

I've never looked at it, so I may be wrong, but I doubt you'll see the mark
in your log.

-- 
Rob
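To make the reply's two points checkable, here is an added example (not from the thread or from the netfilter project) that lints an iptables-save mangle table: it flags terminating rules that no earlier LOG in the same chain could have covered, and LOG rules lacking a --log-prefix. ORIGINAL is reconstructed from the quoted ruleset; FIXED is a constructed rewrite following Rob's advice, and the heuristic that "any earlier LOG in the chain covers the packet" is this example's simplification.

```python
import re

# Targets that end chain traversal for a matched packet (MARK and LOG do not).
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN", "TPROXY"}

# Constructed from the mangle table quoted in the thread (wrapped line rejoined).
ORIGINAL = """\
*mangle
-A PREROUTING -d 10.10.10.30/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A PREROUTING -j LOG
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
"""

# Constructed rewrite per the reply: LOG before the terminating rules, a second LOG
# right after DIVERT's MARK, and a distinct --log-prefix on each.
FIXED = """\
*mangle
-A PREROUTING -p tcp -m tcp --dport 80 -j LOG --log-prefix "tproxy-pre: "
-A PREROUTING -d 10.10.10.30/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j LOG --log-prefix "divert-marked: "
-A DIVERT -j ACCEPT
COMMIT
"""

def parse_rules(dump):
    """Group the '-A <chain> <rule>' lines of one iptables-save table by chain, in order."""
    chains = {}
    for line in dump.splitlines():
        m = re.match(r"-A (\S+) (.*)", line)
        if m:
            chains.setdefault(m.group(1), []).append(m.group(2))
    return chains

def lint(dump):
    """Report LOG rules without a prefix and terminating rules with no earlier LOG.
    Heuristic: an earlier LOG in the same chain is assumed to match the same packets."""
    findings = []
    for chain, rules in parse_rules(dump).items():
        seen_log = False
        for idx, rule in enumerate(rules, 1):
            m = re.search(r"-j (\S+)", rule)
            target = m.group(1) if m else ""
            if target == "LOG":
                if "--log-prefix" not in rule:
                    findings.append(f"{chain}#{idx}: LOG has no --log-prefix")
                seen_log = True
            elif target in TERMINATING and not seen_log:
                findings.append(f"{chain}#{idx}: {target} before any LOG, matches never logged")
    return findings
```

Running lint(ORIGINAL) reports the first ACCEPT, the TPROXY rule and the DIVERT chain's ACCEPT as unlogged plus the bare LOG; lint(FIXED) reports nothing.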