Reformulation of problem:
Running
iptables -t nat -I PREROUTING -m mac --mac-source 00:02:2D:08:FD:67 -j ACCEPT
then
iptables -t nat -I PREROUTING -m mac --mac-source 00:02:2D:08:FD:67 -j DNAT --to-destination 10.0.10.2
does not work for established connections, like browsing CNN.COM.
man iptables explains that mangle should be used for established
connections.
But mangle does not use DNAT; even using -j DROP does not work.
IDEAS????
On Fri, 2002-10-25 at 01:00, Meir Michanie wrote:
> Hi there.
>
> While playing with iptables building rules on the fly and reverting them
> I found that it takes a while to take the new rule.
> I am on kernel 2.4.18-17.7.x on RH7.3
> iptables-1.2.5-3
>
> I am DNATing all my PCs to my gateway IP; in that way a computer that
> tries to connect to the internet would bounce to the services of my
> gateway.
> For example:
> if a client is trying to access www.tldp.org, it would be redirected to
> the apache server at my gw instead.
>
> To do this I run the rule:
> iptables -t nat -A PREROUTING -j DNAT --to-destination 10.0.10.2
>
> If afterwards I want to enable one PC, no matter its IP (which can change), to
> access the net, I run
> iptables -t nat -I PREROUTING -m mac --mac-source 00:20:18:2D:6B:20 -j DNAT --to-destination 0.0.0.0-255.255.255.255
>
> If after a while I decide to stop the service for that client, I run
>
> iptables -t nat -D PREROUTING -m mac --mac-source 00:20:18:2D:6B:20 -j DNAT --to-destination 0.0.0.0-255.255.255.255
>
> !!!Here is the problem: the client still continues browsing the net.
> If I change the IP at the client, it works.
> But I do not trust the client; I want to force the change at the server.
>
>
> is there a session time or something like that?
>
> With ICMP it works perfectly on the INPUT and OUTPUT chains, but somehow it
> is not the same at PREROUTING.
--
QOTD:
"I tried buying a goat instead of a lawn tractor; had to return
it though. Couldn't figure out a way to connect the snow blower."
=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]
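The behaviour both mails describe follows from how NAT is tied to connection tracking: the nat table is consulted only for the first packet of a connection, after which the conntrack entry carries the decision, so deleting a PREROUTING rule leaves already established flows untouched until their entries expire. The script below is an added example, not code from the thread; it parses constructed lines in the /proc/net/ip_conntrack format of a 2.4 kernel (gateway 10.0.10.2 and client addresses are assumed) and lists a client's flows that were let through un-DNATed, i.e. the ones that keep working after the rule is removed; the `conntrack -D` commands it builds assume conntrack-tools, a later userspace utility, whereas a DROP rule in the filter table, which is evaluated for every packet, is what cuts such flows on a system without it.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the /proc/net/ip_conntrack format of a 2.4 kernel (not from the thread).
# 10.0.10.2 is the gateway; 10.0.10.5 and 10.0.10.7 are client PCs; 203.0.113.x are external hosts.
SAMPLE_CONNTRACK = """\
tcp      6 431990 ESTABLISHED src=10.0.10.5 dst=203.0.113.10 sport=1035 dport=80 src=203.0.113.10 dst=10.0.10.5 sport=80 dport=1035 [ASSURED] use=1
tcp      6 118 SYN_SENT src=10.0.10.7 dst=203.0.113.20 sport=2001 dport=80 [UNREPLIED] src=10.0.10.2 dst=10.0.10.7 sport=80 dport=2001 use=1
tcp      6 431200 ESTABLISHED src=10.0.10.5 dst=203.0.113.30 sport=1036 dport=443 src=10.0.10.2 dst=10.0.10.5 sport=443 dport=1036 [ASSURED] use=1
udp      17 29 src=10.0.10.5 dst=10.0.10.2 sport=1024 dport=53 src=10.0.10.2 dst=10.0.10.5 sport=53 dport=1024 use=1
"""

# One address tuple; each conntrack line carries two: original direction, then reply direction.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


@dataclass
class Flow:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    reply_src: str  # where replies really come from; differs from dst when the flow was DNATed

    @property
    def dnated(self) -> bool:
        return self.reply_src != self.dst


def parse_conntrack(text: str) -> List[Flow]:
    """Parse conntrack lines; entries without two port tuples (e.g. icmp) are skipped."""
    flows = []
    for line in text.splitlines():
        tuples = TUPLE_RE.findall(line)
        if len(tuples) != 2:
            continue
        (src, dst, sport, dport), (reply_src, _, _, _) = tuples
        flows.append(Flow(line.split()[0], src, dst, int(sport), int(dport), reply_src))
    return flows


def surviving_flows(text: str, client_ip: str, gateway_ip: str) -> List[Flow]:
    """Flows of client_ip to the outside that were not DNATed: they keep bypassing the gateway
    after the nat rule is deleted, because the nat table only sees a flow's first packet."""
    return [f for f in parse_conntrack(text)
            if f.src == client_ip and not f.dnated and f.dst != gateway_ip]


def delete_commands(flows: List[Flow]) -> List[str]:
    """One conntrack-tools deletion per surviving entry (assumes the conntrack utility is installed)."""
    return [f"conntrack -D -p {f.proto} -s {f.src} -d {f.dst} --sport {f.sport} --dport {f.dport}"
            for f in flows]
```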