Néstor,
First pair or rules (LOG+ACCEPT) matchs on 50% of all packets, all the
remaining rules matchs on the other 50%, so if you use again statistic,
it will create a new statistic starting with 50% of the total.
E.g. first packet match first pair or rules, second packet match second
rule, third packet match again _first_ rule, fourth packet match third
rule (50% + 25% + 25% -> 500 + 250 + 250 packets).
As Pascal said, you will need to remove the statistic match on the
second pair.
On 11.07.2013 14:19, Nestor A. Diaz wrote:
Hi, thanks for your answer, as i understand the statistic module use a
static counter that change everytime the packet traverse the chains, i
though the counter got altered just one time while the packet traverse
the chains.
According to your suggestion if i remove the line with the "-j ACCEPT"
then the statistic log as I want and in fact it does.
However if i jump to a 'DNAT' directly, the problem persist as (50/25)
it doesn't work as i have read from some websites
# This doesn't work:
/sbin/iptables -t nat -A prerouting_rule -m statistic --mode nth --every
2 --packet 0 -i eth0 -s 0.0.0.0/0 -d 192.168.1.1 -p tcp --dport 7100 -j
DNAT --to-destination 192.168.2.20:7101
/sbin/iptables -t nat -A prerouting_rule -m statistic --mode nth --every
2 --packet 1 -i eth0 -s 0.0.0.0/0 -d 192.168.1.1 -p tcp --dport 7100 -j
DNAT --to-destination 192.168.2.20:7102
As solution if I want to jump to DNAT directly then i have to decrease
the 'every' option as follows which do what i want:
# This works:
/sbin/iptables -t nat -A prerouting_rule -m statistic --mode nth --every
2 --packet 0 -i eth0 -s 0.0.0.0/0 -d 192.168.1.1 -p tcp --dport 7100 -j
DNAT --to-destination 192.168.2.20:7101
/sbin/iptables -t nat -A prerouting_rule -m statistic --mode nth --every
1 --packet 0 -i eth0 -s 0.0.0.0/0 -d 192.168.1.1 -p tcp --dport 7100 -j
DNAT --to-destination 192.168.2.20:7102
I am experimenting with the behavior and if I jump to custom chain which
performs other operations like 'log' statistics keep working as
expected. (50/50) however if i put a 'DNAT' rule things become (50/25),
it seems DNAT affects the behavior but i don't know why, Any
explanation for this will be appreciated.
# Still don't work:
/sbin/iptables -t nat -N custom_chain_1
/sbin/iptables -t nat -F custom_chain_1
/sbin/iptables -t nat -A custom_chain_1 -j LOG --log-prefix
20130711120831_packet_0
/sbin/iptables -t nat -A custom_chain_1 -i eth0 -s 0.0.0.0/0 -d
192.168.1.1 -p tcp --dport 7100 -j DNAT --to-destination 192.168.2.20:7101
/sbin/iptables -t nat -N custom_chain_2
/sbin/iptables -t nat -F custom_chain_2
/sbin/iptables -t nat -A custom_chain_2 -j LOG --log-prefix
20130711120831_packet_1
/sbin/iptables -t nat -A custom_chain_2 -i eth0 -s 0.0.0.0/0 -d
192.168.1.1 -p tcp --dport 7100 -j DNAT --to-destination 192.168.2.20:7102
/sbin/iptables -t nat -A prerouting_rule -m statistic --mode nth --every
2 --packet 0 -i eth0 -s 0.0.0.0/0 -d 192.168.1.1 -p tcp --dport 7100 -j
custom_chain_1
/sbin/iptables -t nat -A prerouting_rule -m statistic --mode nth --every
2 --packet 1 -i eth0 -s 0.0.0.0/0 -d 192.168.1.1 -p tcp --dport 7100 -j
custom_chain_2
Slds.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
