On Wed, Oct 2, 2013 at 5:00 PM, Matthew Cengia <[email protected]> wrote:
> On 2013-10-02 06:35, James Harper wrote:
>> If the counters are not increasing then your rule isn't being hit, so
>> nothing else is going to work.
>>
>> Are the packets being generated on the same box as is running the iptables
>> rule?
>>
>> I just did a test:
>>
>> # iptables -t mangle -I PREROUTING -p tcp --dport 1194
>> # telnet 1.2.3.4 1194
>> # iptables -t mangle -vnL PREROUTING
>>
>> And the counters are 0, indicating that the rule is not being hit. If
>> I try the telnet from a machine behind that one, the counters do
>> increase. So it would seem that PREROUTING doesn't get hit for locally
>> generated packets.
>>
>> If you put the iptables rule on the OUTPUT table the rule will get hit
>> (I just tested this), but that might be too late for routing to be
>> affected. Give it a go though as it should be easy to test. I think
>> I'm doing that on my router.
>
> Page 3 of the O'Reilly Linux iptables Pocket Reference shows how packets
> traverse the system, and confirms that in the mangle table, the first
> thing that a local packet hits is the OUTPUT, and it never hits
> PREROUTING:
>
> http://techedu.cu.cc/linux/OReilly%20Linux%20iptables,%20Pocket%20Reference%20(2004).pdf
Slowly coming to the same conclusion myself, but I was hoping this was out of date:

http://www.faqs.org/docs/iptables/traversingoftables.html

Table 3-2. Source local host (our own machine), at Step 2 the routing decision is taken before the OUTPUT chain of the mangle table. Grr.

Does anyone have any other ideas how I might achieve this?

Thanks,
Marcus.
--
Marcus Furlong
_______________________________________________
luv-main mailing list
[email protected]
http://lists.luv.asn.au/listinfo/luv-main
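The counter check James describes (list the chain, generate traffic, list it again, see whether the rule's packet count moved) is easy to get wrong by eye, so here is an added example, not from the thread or from any of its posters, that does the comparison in a POSIX shell function. The `rule_packets` and `rule_hit` names are mine, and the listings embedded below are constructed to look like `iptables -t mangle -vnxL <chain>` output (`-x` prints exact counters rather than `1234K`); the real commands that would produce them are shown in a trailing comment.

```shell
#!/bin/sh
# Added example (not from the thread): confirm whether an iptables rule is being
# hit by comparing its packet counter before and after generating test traffic.
# The listings below are constructed to look like `iptables -t mangle -vnxL <chain>`.

# Print the packet counter of the first rule line in LISTING ($1) containing
# PATTERN ($2), a substring such as "dpt:1194"; print "missing" if no rule matches.
rule_packets() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        # line 1 is "Chain ...", line 2 is the column header; rules start at line 3
        NR > 2 && index($0, pat) { print $1; found = 1; exit }
        END { if (!found) print "missing" }'
}

# Compare the counters for PATTERN ($3) in the BEFORE ($1) and AFTER ($2) listings.
# Prints "hit" if the counter grew, "not-hit" if unchanged, "missing" if absent.
rule_hit() {
    before=$(rule_packets "$1" "$3")
    after=$(rule_packets "$2" "$3")
    if [ "$before" = missing ] || [ "$after" = missing ]; then
        echo missing
    elif [ "$after" -gt "$before" ]; then
        echo hit
    else
        echo not-hit
    fi
}

# Constructed listings: a local `telnet 1.2.3.4 1194` leaves the mangle PREROUTING
# counter at 0 but advances the mangle OUTPUT counter (three 60-byte SYNs here).
PREROUTING_BEFORE='Chain PREROUTING (policy ACCEPT 1200 packets, 96000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194'
PREROUTING_AFTER=$PREROUTING_BEFORE
OUTPUT_BEFORE='Chain OUTPUT (policy ACCEPT 800 packets, 64000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194'
OUTPUT_AFTER='Chain OUTPUT (policy ACCEPT 803 packets, 64180 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3        180            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194'

echo "mangle PREROUTING dpt:1194: $(rule_hit "$PREROUTING_BEFORE" "$PREROUTING_AFTER" dpt:1194)"
echo "mangle OUTPUT     dpt:1194: $(rule_hit "$OUTPUT_BEFORE" "$OUTPUT_AFTER" dpt:1194)"

# Against a live box (root required) the same check is:
#   before=$(iptables -t mangle -vnxL OUTPUT)
#   telnet 1.2.3.4 1194
#   after=$(iptables -t mangle -vnxL OUTPUT)
#   rule_hit "$before" "$after" dpt:1194
```

Two practical notes on the check itself: use a pattern specific enough to pick the intended rule (the match is a plain substring, so `dpt:1194` would also match `dpt:11940`), and take the "after" listing only once the test connection has actually sent something, since a rule can legitimately read 0 on a chain it does belong to simply because nothing has been generated yet. On the routing question behind the thread, the mangle OUTPUT hook re-runs the routing decision for a locally generated packet when a rule there changes its fwmark, TOS or addresses, which is why a `MARK` target in mangle OUTPUT combined with `ip rule add fwmark ... table ...` is the usual way to policy-route local traffic even though the first routing decision is taken before that chain.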
