Hi,

I've been trying to solve this issue for two days, but I am running into some problems that I do not understand. I hope that somebody can help me with it.

I have an iptables firewall as a packet filter. Some days ago one of my customers asked me to apply a bandwidth quota for their users. Once the users reach that quota, they must be redirected to a webpage provided by the client.

In this scenario I've tried a lot of possible iptables rules, and I have arrived at some certainties and some uncertainties.

My last try:

    iptables -t mangle -I INPUT -m quota ! --quota 2097152 -s 192.168.245.251 -d 192.168.34.1 -p tcp --dport 8080 -j MARK --set-mark 22

* I've decided that when I reach the quota of 2097152 (2Mb, just for testing) I start marking traffic.

    iptables -I INPUT -m mark --mark 22 -m conntrack --ctstate ESTABLISHED -s 192.168.245.251 -d 192.168.34.1 -p tcp --dport 8080 -j REJECT

* If the packets are marked, I reject all established connections.

    iptables -t nat -A PREROUTING -m mark --mark 22 -s 192.168.245.251 -d 192.168.34.1 -p tcp --dport 8080 -j DNAT --to 192.168.33.171:80

* And if the packets are marked, I make a redirection.

Checking the iptables flow (http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg) I get this:

    === [NAT | Pre-routing] == [ Mangle | Input ] == [ Filter | Input ] == >

First packet:

    First flow:  [NAT | Pre-routing]  No packet marked. No redirection.
    Second flow: [Mangle | INPUT]     No marks until I reach 2097152 bytes.
    Third flow:  [Filter | INPUT]     No marks, nothing to drop.

When I reach the quota, first packet:

    First flow:  [NAT | Pre-routing]  No packet marked. No redirection.
    Second flow: [Mangle | INPUT]     I reach the quota, start marking.
    Third flow:  [Filter | INPUT]     Start dropping packets.

When I reach the quota, second packet:

    First flow:  [NAT | Pre-routing]  Start redirection.

-----------------

Theoretically everything works fine, but it's not happening.

Here is a picture that I will explain: http://s8.postimg.org/866rpy6gz/Problemas_marcas.jpg

(Just to make something clear, just in case: in the image, when you see 687K, this is the amount of data over the 2097152 bytes. The -m quota ! --quota <Value> keeps the rule at 0 until you reach the <Value>, then it starts to count.)

The first two rules work fine; we can see how the traffic starts to be marked when I reach the quota. The problem is that I am not getting the redirection: the traffic in the nat table, although it is marked, is not redirected.

Does anyone know what could be the problem?

Kind regards,
Rodrigo
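
The chain ordering reasoned about in the message above, as a simplified model; this is an added example and not part of the original post. It counts how often the DNAT and REJECT rules would match when the quota/MARK rule sits in mangle/INPUT, as posted, and, for comparison, in mangle/PREROUTING, a constructed variant. Assumptions: the `simulate` function, packet size and connection counts are made up for illustration, a packet's mark starts at 0 on every packet, and the nat table is consulted only for the first packet of a connection.

```python
# Simplified model of netfilter hook ordering for the three rules in the post.
# Assumptions (not from the post): the simulate() helper, 1500-byte packets,
# 1000 packets per connection, one client opening connections one after another.
QUOTA = 2097152  # bytes, value used in the post
MARK = 22        # mark value used in the post

def simulate(mark_chain, connections, pkts_per_conn=1000, pkt_len=1500):
    """Return (dnat_hits, rejected_packets).

    mark_chain: "mangle/INPUT" (as posted) or "mangle/PREROUTING"
    (constructed variant for comparison).
    """
    remaining, dnat_hits, rejected = QUOTA, 0, 0

    def quota_exceeded():
        # "-m quota ! --quota N" matches only once N bytes have been consumed.
        nonlocal remaining
        if remaining >= pkt_len:
            remaining -= pkt_len
            return False
        remaining = 0
        return True

    for _ in range(connections):
        redirected = False                 # NAT decision is stored per connection
        for n in range(pkts_per_conn):
            mark = 0                       # the mark belongs to one packet only
            first = (n == 0)               # first packet is NEW, the rest ESTABLISHED
            # PREROUTING hook: mangle runs before nat.
            if mark_chain == "mangle/PREROUTING" and quota_exceeded():
                mark = MARK
            if first and mark == MARK:     # nat rules see only the first packet
                redirected = True
                dnat_hits += 1
            if redirected:
                continue                   # DNATed traffic is forwarded, not INPUT
            # INPUT hook: mangle runs before filter.
            if mark_chain == "mangle/INPUT" and quota_exceeded():
                mark = MARK
            if mark == MARK and not first: # REJECT rule matches ESTABLISHED only
                rejected += 1
    return dnat_hits, rejected

if __name__ == "__main__":
    for chain in ("mangle/INPUT", "mangle/PREROUTING"):
        print(chain, simulate(chain, connections=3))
```

With the mark set in mangle/INPUT, the nat rule's counter stays at zero in this model because the mark is applied after nat/PREROUTING has already run and is not carried over to the next packet.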