Re: Differentiating direct, and redirected access?

Jason Opperisano wrote:

-t nat -A PREROUTING -i eth0 -d ! $INT_ROUTER_IP -p tcp --dport 80 -j REDIRECT --to-ports 3128
-A INPUT -i eth0 -d $INT_ROUTER_IP -p tcp --dport 3128 -j REJECT

The TCP SYN has an external IP as dst_ip.



the TCP SYN to port 80 has the dst IP of the web server on the internet.

the redirected packet to TCP port 3128 has the dst IP of the redirected
interface (eth0 in this case).

your suggested REJECT rule will reject all redirected traffic to port
3128, and is essentially the issue the OP had already run into, and was
asking for a work-around.

-j

Hmm. You're right. So, fw-mark is a great idea.


wbr, Logechnik Alexandr

In God we trust, but something else must have X.509 certificate
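
The fw-mark approach mentioned above, modelled as an added example that is not part of the original thread: a small Python walk through the mangle PREROUTING, nat PREROUTING and filter INPUT hooks, comparing the REJECT rule quoted in the thread with a REJECT that spares marked packets. The MARK rule, the mark value 1, the addresses and an INPUT policy of ACCEPT are assumptions made for illustration.

```python
from dataclasses import dataclass

ROUTER_IP = "192.168.1.1"            # constructed stand-in for $INT_ROUTER_IP
PROXY_PORT, REDIRECT_MARK = 3128, 1  # mark value is an assumption

@dataclass
class Packet:
    in_if: str
    dst: str
    dport: int
    mark: int = 0

def mangle_prerouting(p):
    # -t mangle -A PREROUTING -i eth0 ! -d $INT_ROUTER_IP -p tcp --dport 80 -j MARK --set-mark 1
    if p.in_if == "eth0" and p.dst != ROUTER_IP and p.dport == 80:
        p.mark = REDIRECT_MARK

def nat_prerouting(p):
    # -t nat -A PREROUTING ... --dport 80 -j REDIRECT --to-ports 3128 (rule from the thread)
    if p.in_if == "eth0" and p.dst != ROUTER_IP and p.dport == 80:
        p.dst, p.dport = ROUTER_IP, PROXY_PORT  # dst becomes eth0's own address

def input_reject_all(p):
    # -A INPUT -i eth0 -d $INT_ROUTER_IP -p tcp --dport 3128 -j REJECT (rule from the thread)
    hit = p.in_if == "eth0" and p.dst == ROUTER_IP and p.dport == PROXY_PORT
    return "REJECT" if hit else "ACCEPT"

def input_reject_unmarked(p):
    # -A INPUT -i eth0 -p tcp --dport 3128 -m mark ! --mark 1 -j REJECT
    hit = p.in_if == "eth0" and p.dport == PROXY_PORT and p.mark != REDIRECT_MARK
    return "REJECT" if hit else "ACCEPT"

def traverse(p, input_chain):
    mangle_prerouting(p)   # mangle runs before nat on the PREROUTING hook
    nat_prerouting(p)      # after this the original dst/dport are gone; the mark survives
    return input_chain(p)

def verdicts(input_chain):
    """Return (verdict for redirected web request, verdict for direct hit on 3128)."""
    web = Packet("eth0", "203.0.113.10", 80)         # constructed: client -> internet web server
    direct = Packet("eth0", ROUTER_IP, PROXY_PORT)   # constructed: client -> proxy port directly
    return traverse(web, input_chain), traverse(direct, input_chain)

if __name__ == "__main__":
    print("plain REJECT rule   :", verdicts(input_reject_all))
    print("REJECT unless marked:", verdicts(input_reject_unmarked))
```

Because the mangle table is traversed by every packet while the nat table only sees the first packet of a connection, the mark has to be set in mangle PREROUTING for the INPUT match to hold for the whole flow.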


