On 16 March 2013 at 20:32, Jan Engelhardt wrote:

> On Saturday 2013-03-16 19:27, AZ 9901 wrote:
>> On 16 March 2013 at 19:18, Jan Engelhardt wrote:
>>> On Saturday 2013-03-16 18:25, AZ 9901 wrote:
>>>> On 12 March 2013 at 19:09, AZ 9901 wrote:
>>>>>
>>>>> sslh (http://www.rutschle.net/tech/sslh.shtml) works as a protocol demultiplexer; it makes it possible to separate SSH and HTTPS streams which arrive on the same port (443 for instance).
>>>>> I would like to do the same thing but with iptables only.
>>>>> Is it possible?
>>>
>>> No. As the name already says, it works at the IP/Network level,
>>> not with upper protocols.
>>
>> Yes, but I was thinking of something like this:
>> - use the "string" module to catch the first packet of an SSH connection (looking for the SSH- pattern, as sslh does in its probe.c source file)
>
> The first packet is an empty TCP SYN.
>
>> - use conntrack to follow this detected SSH connection
>> - redirect this detected SSH connection from port 443 to port 22
>
> NAT mappings must be applied before any packet is forwarded,
> which is why the decision must happen with the first packet.
>

So, as the first packet of the connection is an empty packet, there is no chance to do what I want.

OK, thank you very much for your help, Jan!
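The thread's conclusion is that the routing decision cannot be made at the netfilter layer because the first packet (the SYN) carries no payload, while a user-space demultiplexer such as sslh only has to decide after the handshake, once the client's first bytes have arrived. The following is an added example of that user-space approach, written for this page and not sslh's own code: a small asyncio proxy that peeks at the first bytes of each connection, classifies them as SSH or TLS, and forwards the whole stream (including the peeked bytes) to the matching backend. The listen address, backend addresses, probe timeout and the fallback-to-SSH rule are assumptions for this example; the SSH banner check follows the "SSH-" identification string of RFC 4253, and the TLS check looks for a handshake record (type 0x16, major version 0x03).

```python
"""Minimal sslh-style TCP protocol demultiplexer (added example, not sslh code).

The decision is taken on the first *payload* bytes, which exist only after
the three-way handshake. That is exactly what an iptables NAT rule cannot
do: it must decide on the empty SYN.
"""
import asyncio
from typing import Optional, Tuple

# Assumed addresses for this example; adjust to the real deployment.
LISTEN = ("0.0.0.0", 443)
SSH_BACKEND = ("127.0.0.1", 22)
TLS_BACKEND = ("127.0.0.1", 8443)
PROBE_TIMEOUT = 2.0   # seconds to wait for the client's first bytes (assumption)


def probe(data: bytes) -> Optional[str]:
    """Classify the bytes seen so far on a new connection.

    Returns "ssh", "tls", "unknown", or None when the bytes received so far
    are still a prefix of a known signature and more data is needed.
    """
    if data.startswith(b"SSH-"):                       # RFC 4253 identification string
        return "ssh"
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"                                   # TLS handshake record, SSL3.0..TLS1.3
    if b"SSH-".startswith(data) or b"\x16\x03".startswith(data):
        return None                                    # undecidable yet; keep reading
    return "unknown"


def choose_backend(verdict: Optional[str]) -> Optional[Tuple[str, int]]:
    """Map a probe verdict to a backend; None means the connection is refused."""
    if verdict == "ssh":
        return SSH_BACKEND
    if verdict == "tls":
        return TLS_BACKEND
    return None


async def pipe(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Copy bytes one way until EOF, then close the write side."""
    try:
        while True:
            chunk = await reader.read(65536)
            if not chunk:
                break
            writer.write(chunk)
            await writer.drain()
    finally:
        writer.close()


async def handle(client_r: asyncio.StreamReader, client_w: asyncio.StreamWriter) -> None:
    first = b""
    verdict: Optional[str] = None
    try:
        while verdict is None:
            chunk = await asyncio.wait_for(client_r.read(1024), PROBE_TIMEOUT)
            if not chunk:                              # client closed without sending anything
                client_w.close()
                return
            first += chunk
            verdict = probe(first)
    except asyncio.TimeoutError:
        # A silent client is assumed to be an SSH client waiting for the
        # server banner (sslh applies a similar timeout fallback); assumption here.
        verdict = "ssh"

    backend = choose_backend(verdict)
    if backend is None:
        client_w.close()                               # neither SSH nor TLS: refuse
        return
    try:
        backend_r, backend_w = await asyncio.open_connection(*backend)
    except OSError:
        client_w.close()
        return
    backend_w.write(first)                             # replay the probed bytes
    await backend_w.drain()
    await asyncio.gather(pipe(client_r, backend_w), pipe(backend_r, client_w))


async def main() -> None:
    server = await asyncio.start_server(handle, *LISTEN)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

Note that the classifier is run repeatedly as bytes arrive rather than once on a fixed-size read, so a client that sends its banner one byte at a time is still classified correctly, and anything that matches neither signature is refused instead of being handed to a backend it was never meant for.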