On 2013-10-02 06:35, James Harper wrote:
> If the counters are not increasing then your rule isn't being hit, so nothing
> else is going to work.
>
> Are the packets being generated on the same box as is running the iptables
> rule?
>
> I just did a test:
>
> # iptables -t mangle -I PREROUTING -p tcp --dport 1194
> # telnet 1.2.3.4 1194
> # iptables -t mangle -vnL PREROUTING
>
> And the counters are 0, indicating that the rule is not being hit. If
> I try the telnet from a machine behind that one, the counters do
> increase. So it would seem that PREROUTING doesn't get hit for locally
> generated packets.
>
> If you put the iptables rule on the OUTPUT table the rule will get hit
> (I just tested this), but that might be too late for routing to be
> affected. Give it a go though as it should be easy to test. I think
> I'm doing that on my router.
Page 3 of the O'Reilly Linux iptables Pocket Reference shows how packets traverse the system, and confirms that in the mangle table, the first thing that a local packet hits is the OUTPUT, and it never hits PREROUTING:
http://techedu.cu.cc/linux/OReilly%20Linux%20iptables,%20Pocket%20Reference%20(2004).pdf

--
Regards,
Matthew Cengia
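A small diagnostic for the counter check James describes, added here as an example and not part of the original thread: it diffs two snapshots of a mangle chain listing and reports which rules were hit. It assumes constructed `iptables -t mangle -vnL` output standing in for the real before/after listings, and that the test connection is generated locally as in the quoted test.

```shell
#!/bin/sh
# Added example (not from the thread): compare two snapshots of an iptables chain
# listing and report which rule counters moved, i.e. which rules a test packet hit.
# The listings below are constructed in the format `iptables -t mangle -vnL <chain>`
# prints; the real command needs root, so they stand in for the output captured
# before and after a local `telnet 1.2.3.4 1194`. (Add -x on a live system so
# counters are exact rather than abbreviated.)

PREROUTING_BEFORE='Chain PREROUTING (policy ACCEPT 120 packets, 9600 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194'
# Locally generated traffic never traverses mangle PREROUTING: counters stay at 0.
PREROUTING_AFTER=$PREROUTING_BEFORE

OUTPUT_BEFORE='Chain OUTPUT (policy ACCEPT 300 packets, 24000 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194'
# The same rule in mangle OUTPUT does see the local connection attempt.
OUTPUT_AFTER='Chain OUTPUT (policy ACCEPT 303 packets, 24180 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   180            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194'

# Print "<rule-number> <pkts>" for every rule in a chain listing (skips the two header lines).
rule_counters() {
    printf '%s\n' "$1" | awk 'NR > 2 && NF >= 2 { printf "%d %s\n", NR - 2, $1 }'
}

# Print the numbers of the rules whose pkts counter grew between snapshots $1 and $2.
# Returns 0 if at least one rule was hit, 1 if none was (the "counters are 0" case).
rules_hit() {
    hit=$(printf '%s\n%s\n' "$(rule_counters "$1")" "$(rule_counters "$2")" | awk '
        NF < 2             { next }
        !($1 in first)     { first[$1] = $2 + 0; next }
        $2 + 0 > first[$1] { print $1 }')
    printf '%s\n' "$hit"
    [ -n "$hit" ]
}

for chain in PREROUTING OUTPUT; do
    eval "before=\$${chain}_BEFORE; after=\$${chain}_AFTER"
    if hit=$(rules_hit "$before" "$after"); then
        echo "$chain: rule(s) $hit matched the test connection"
    else
        echo "$chain: no rule hit; this chain does not see the packets"
    fi
done
```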
_______________________________________________
luv-main mailing list
http://lists.luv.asn.au/listinfo/luv-main
