[tproxy] A general question on xt_socket
Arun Srinivasan
hi2arun at gmail.com
Wed Oct 29 16:27:14 CET 2008
Does this mean there is an appropriate listening socket in the user space?
Apart from IP_TRANSPARENT for the socket option, is there anything
else to be done before binding a socket?
TIA
2008/10/29 Balazs Scheidler <bazsi at balabit.hu>:
> On Tue, 2008-10-28 at 18:22 +0530, Arun Srinivasan wrote:
>> Hi all,
>>
>> A general question:
>>
>> Say I have the following rules configured:
>>
>> +++++++++++++++++++++++++++++
>> iptables -t mangle -N DIVERT
>> iptables -t mangle -I PREROUTING -p tcp -m socket -j DIVERT
>> iptables -t mangle -A DIVERT -j MARK --set-mark 0x1
>> iptables -t mangle -A DIVERT -j ACCEPT
>> ++++++++++++++++++++++++++++++++++++
>>
>> In which case can the tcp packets go without hitting the rule
>> "iptables -t mangle -I PREROUTING -p tcp -m socket -j DIVERT"?
>>
>
> if there's no applicable local socket to the packet in question, then -m
> socket will not match.
>
> a socket is applicable if the associated tuple (local ip:port, remote
> ip:port) matches the packet.
>
> related ICMP packets also match.
>
> --
> Bazsi
>
>
--
Regards,
Arun S.
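Added example, not code from the thread: the user-space side that the quoted DIVERT rules rely on, in C. It assumes Linux and a process holding CAP_NET_ADMIN (otherwise setsockopt fails with EPERM); IP_TRANSPARENT is the only option needed before bind(), and the resulting listener, together with the sockets accept() hands back, is what -m socket looks up by (local ip:port, remote ip:port). A new flow's first SYN has no such socket yet, so in a full setup it is steered to this listener by a TPROXY rule that the thread's rule set does not show (an assumption about the deployment, not something the thread states).

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* Listening TCP socket that the kernel can hand diverted (non-local)
 * connections to.  Returns the fd, or -errno on failure. */
int transparent_listener(const char *ip, unsigned short port)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1)
        return -EINVAL;

    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;

    /* IP_TRANSPARENT (needs CAP_NET_ADMIN): lets the socket bind to an
     * address that is not configured on this host, and makes xt_socket /
     * TPROXY consider it when looking up a socket for a packet.  "0.0.0.0"
     * as ip matches whatever destination was diverted; a foreign address
     * such as 192.0.2.10 (documentation range) would bind as well. */
    int one = 1;
    if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) < 0 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        listen(fd, 128) < 0) {
        int e = errno;
        close(fd);
        return -e;
    }
    /* accept() on fd next; getsockname() on an accepted socket then returns
     * the original (possibly non-local) destination of that connection. */
    return fd;
}

/* Port actually bound (useful after asking for port 0), or -errno. */
int bound_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0)
        return -errno;
    return ntohs(sa.sin_port);
}
```

Call transparent_listener("0.0.0.0", 8080) from a privileged process and point the diverting rule at that port; without CAP_NET_ADMIN the call returns -EPERM, which is the usual first symptom when the proxy "never sees" diverted packets.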