I am trying to set up a network where the clients at first have access
only to my intranet Apache server. It does some kind of authentication; I
arping his IP and set up the firewall to allow forwarding from his
computer to the internet, even if he reboots or changes IP.
1st state (every new connection is redirected to the intranet server):

iptables -t nat -A PREROUTING -j DNAT --to-destination 10.0.10.2

2nd state (the authenticated client's MAC is accepted ahead of the DNAT rule):

iptables -t nat -I PREROUTING -m mac --mac-source 00:20:18:2D:6B:20 -j ACCEPT

Everything is fine till here, but let's say that I want to allow traffic
to the internet from this client for a limited amount of time (e.g. 30
minutes).

I would build a crontab job to delete the last iptables rule:

iptables -t nat -D PREROUTING -m mac --mac-source 00:20:18:2D:6B:20 -j ACCEPT

This works if the client now tries to reach a new URL, but if he was
browsing a site (e.g. hotmail) he will continue as if nothing happened.

I would not care about killing his established connection. On
re-establishing he would be forwarded to my server.

On Tue, 2002-10-29 at 07:45, guy keren wrote:
> 
> On 29 Oct 2002, Meir Michanie wrote:
> 
> > with nat table and DNAT target you can redirect new connections.
> > but how can you break already established connections and redirect to
> > a certain IP?
> > 
> > mangle support established connections but do not support DNAT.
> 
> i think at least in the vanilla kernel, this is not supported. normally, 
> you can not redirect an already established connection.
> 
> this makes sense - how would the new target machine know how to 
> synchronize in on an already established connection, that has an 
> established state, and established sequence numbers, etc?
> 
> can you explain why you find the need to redirect already established 
> connections? perhaps this can be remedied...
> 
> -- 
> guy
> 
> "For world domination - press 1,
>  or dial 0, and please hold, for the creator." -- nob o. dy
> 
> 
-- 
QOTD:
        "I tried buying a goat instead of a lawn tractor; had to return
        it though.  Couldn't figure out a way to connect the snow blower."
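The mechanism discussed in the thread (DNAT everything to the portal host, insert a MAC-based ACCEPT once a client is authenticated, remove it again after a time limit) leaves the problem that the nat table is only consulted for the first packet of a connection, so flows that already exist keep bypassing the redirect after the ACCEPT rule is gone. The script below is an added example, not code from the thread or from either poster: it wraps the three rules in functions and makes the revoke step also delete the client's connection-tracking entries, so the next packet of an old flow is treated as a new connection, hits the nat rules again and gets redirected to the portal. It assumes conntrack-tools (the `conntrack` command, which post-dates the thread), at(1) for the timed revoke, an assumed LAN interface name `eth1`, and narrows the DNAT to TCP port 80 since the portal is an Apache server; `DRY_RUN=1` (the default) prints the commands instead of running them, so it can be inspected without root.

```shell
#!/bin/sh
# Added example: captive-portal style grant/revoke with iptables + conntrack.
# Assumptions (not from the thread): LAN_IF=eth1, conntrack-tools and at(1)
# installed, portal only needs TCP/80. PORTAL_IP and the MAC format follow
# the thread. With DRY_RUN=1 every command is printed instead of executed.

PORTAL_IP="${PORTAL_IP:-10.0.10.2}"   # intranet Apache server (from the thread)
LAN_IF="${LAN_IF:-eth1}"              # assumed client-facing interface
DRY_RUN="${DRY_RUN:-1}"

# Print the command (dry run) or execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Reject anything that is not a well-formed MAC before it reaches iptables.
validate_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# 1st state: new HTTP connections from unauthenticated clients go to the portal.
portal_base() {
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$PORTAL_IP"
}

# 2nd state: authenticated MAC is accepted ahead of the DNAT rule (-I inserts at top).
grant() {
    validate_mac "$1" || return 1
    run iptables -t nat -I PREROUTING -i "$LAN_IF" -m mac --mac-source "$1" -j ACCEPT
}

# Revoke: delete the ACCEPT rule, then flush the client's conntrack entries so
# that flows opened during the grant do not keep bypassing the redirect.
# conntrack keys on IP, not MAC, so the client's current IP must be passed in.
revoke() {
    mac="$1"; ip="$2"
    validate_mac "$mac" || return 1
    run iptables -t nat -D PREROUTING -i "$LAN_IF" -m mac --mac-source "$mac" -j ACCEPT
    if [ -n "$ip" ]; then
        run conntrack -D --orig-src "$ip"
    fi
}

# Grant for a limited time: schedule the revoke with at(1) (the thread uses cron;
# at is used here only to make the time limit self-contained).
grant_for() {
    mac="$1"; ip="$2"; minutes="${3:-30}"
    grant "$mac" || return 1
    run sh -c "echo \"${SCRIPT:-$0} revoke $mac $ip\" | at now + $minutes minutes"
}

# Command dispatch so the scheduled job can call back into this script.
case "${1:-}" in
    base)   portal_base ;;
    grant)  grant_for "$2" "$3" "${4:-30}" ;;
    revoke) revoke "$2" "$3" ;;
esac
```

Run it as `DRY_RUN=0 ./portal.sh base` once, then `DRY_RUN=0 ./portal.sh grant 00:20:18:2D:6B:20 10.0.10.55 30` after the client authenticates (the IP is the one learned with arping). Deleting the conntrack entry is what makes the difference from a plain rule deletion: once the entry is gone, the next packet from that IP is classified as a new connection, passes through the nat PREROUTING chain again and is DNATed to the portal, which ends the old browsing session.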

