david NEW <david@xxxxxxxxx> wrote:
> hi,
>
> I am trying to route blocked ip set to IP:8080 where there is info about "you have
> been blocked"
>
> table ip raw {
>   set bad_ip {
>     type ipv4_addr
>     elements = { xxx.xxx.xxx.xxx }
>   }
>
>   chain prerouting {
>     type filter hook prerouting priority -500; policy accept;
>     nft add raw preroute ip saddr @bad_ip tcp dport { 80, 443 } ip daddr set xxx.xxx.xxx.xxx tcp dport set 8080 notrack
>   }
>
> netfilter doesn't complain about this rule but nothing happens... connection
> timed out and nothing happened. I see no errors in Apache2 logs.
>
> I can see connection attempt in tcpdump but it is not redirected.

How do you know from tcpdump? tcpdump occurs before port rewrite.

You should see syn to foo:80, then a syn-ack from xxx.xxx.xxx.xxx:8080.

As original client connected to foo:80, the syn-ack is dropped on client side.

You need to add a reverse xlate rule if you really want this, or use normal redirect via nat.
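The "normal redirect via nat" that the reply recommends, written out as an added example (this ruleset is not part of either message). Stateless `ip daddr set` / `tcp dport set` in a `notrack` raw chain only rewrites the client-to-server direction, so the SYN-ACK leaves the web server with source xxx.xxx.xxx.xxx:8080 and the client discards it. A `dnat` rule in a `nat`-type prerouting chain creates a conntrack entry, and conntrack rewrites the return packets back to the address and port the client actually connected to, so no reverse rule is needed. Addresses are constructed placeholders from the documentation ranges: 203.0.113.0/24 stands in for the blocked clients and 192.0.2.10:8080 for the "you have been blocked" page.

```nft
# Added example: stateful redirect of blocked clients to a block page.
# 203.0.113.0/24 and 192.0.2.10 are constructed placeholders.
table ip blockpage {
    set bad_ip {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24 }
    }

    # nat hook: the dnat below is tracked by conntrack, which also
    # un-translates the server's replies (192.0.2.10:8080 -> foo:80/443)
    # before they reach the client. No reverse xlate rule required.
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        ip saddr @bad_ip tcp dport { 80, 443 } counter dnat to 192.0.2.10:8080
    }

    # If 192.0.2.10:8080 is on this same host, "redirect to :8080" does the
    # same job without naming the address:
    #   ip saddr @bad_ip tcp dport { 80, 443 } counter redirect to :8080
}
```

Load it with `nft -f <file>` and confirm the translation is actually being applied with `nft list ruleset` (the `counter` on the rule increments per matching packet) and `conntrack -L` (each redirected flow shows the original tuple on one line and the translated reply tuple on the next). As the reply notes, `tcpdump` on the ingress interface captures packets before the prerouting hook, so it will still show the original destination port regardless of whether the rewrite happened.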