Joerg Peters <[EMAIL PROTECTED]> wrote:
>
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> iptables -A PREROUTING -t nat -p tcp -s 180.133.151.14 -j SNAT --to 195.126.216.98
Are you sure this is what you entered? My manual says:
    SNAT
        This target is only valid in the nat table, in the
        POSTROUTING chain. It specifies that the source address
        of the packet should be modified (and all future packets
        in this connection will also be mangled), and rules should
        cease being examined.
So if you are specifying SNAT, it should be in POSTROUTING, not in
PREROUTING, and you would be changing where the SOURCE of the packet
appears to come from, not where its DESTINATION is going...
But perhaps you just typed SNAT where you meant DNAT.
Just trying to keep correct information on the list. :)
> But if I make
>
> iptables -D PREROUTING -t nat -p tcp -s 80.133.151.14 -j SNAT --to 195.126.216.98
>
> all active connections keep alive.
As you can see from the man page, all future packets in the connection
will be mangled, which I assume means even if you remove the rule.
Another thing I noticed is that in your initial post, you specified the
connection has to be on port 80, but your rules above don't mention a
port number. That means that all TCP connections of any kind will be
redirected and NAT'd, not just the HTTP... Is that what you want?
> I look in /proc/net/ip_conntrack and found
>
> tcp 6 431999 ESTABLISHED src=80.133.151.14 dst=217.160.140.67
> sport=64022 dport=80 src=195.126.216.98 dst=217.160.140.67 sport=80
> dport=64022 [ASSURED] use=1
This means that the connection is still being tracked. I don't know of
any way to "un-track" these. If the HTTP server were to close off the
connection (by closing it, resetting it), then the firewall will notice
this, and stop tracking it. Otherwise, notice the second number on the
line, "431999". This is the amount of time that the connection will be
tracked. If no further activity is noticed, the connection will
silently disappear. The number above represents five days. But I'm not
sure what harm it does to leave it in there.
> And is it possible to throttle the throughput to a max like 20 kbytes
> per second or something else?
I have been wondering the same thing, so I did some research. One
method is to run an HTTP server that knows how to throttle or limit the
traffic it sends out. I tried one called "thttpd" and it does the job
very well.
Another possibility is to use one of the "limit" matches available with
iptables. The default "limit" match can only limit on the NUMBER of
packets, not the number of BYTES in the packets, so it is probably not
suitable. My distribution also has an "iplimit" match, which limits the
number of concurrent connections, again, not exactly what you are
looking for.
Another thing you can try is the "Traffic Shaper" module, outside of
iptables. This is basically a virtual IP device that you configure, and
you use an alternate routing method like "iproute2" to cause packets
matching your criteria to funnel through the shaper device, and the
shaper drops packets that try to go through too fast. Yes, it's very
complicated, and I have not set it up. But it appears that iptables
does not have the feature you're looking for, here.
--
[EMAIL PROTECTED] (Fuzzy Fox) || "Good judgment comes from experience.
sometimes known as David DeSimone || Experience comes from bad judgment."
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
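Two helpers for the points raised in the reply above, added here as an example and not taken from the original post or from the iptables project: a check of the target/chain pairing the man page excerpt describes (SNAT only in POSTROUTING; the same man page places DNAT in PREROUTING or OUTPUT and MASQUERADE in POSTROUTING, which the post does not quote but which is iptables' documented behaviour), and an awk parser for /proc/net/ip_conntrack lines that reports the idle timeout and whether the reply tuple shows the flow is being NAT'd. The first sample line is the entry quoted in the post; the second is a constructed, un-NAT'd flow using a documentation address.

```shell
#!/bin/sh
# Added example, not part of the original post or of iptables itself.
# 1. nat_target_chain_ok: the placement rule from the iptables man page
#    (SNAT and MASQUERADE only in POSTROUTING; DNAT in PREROUTING or OUTPUT),
#    so a rule can be sanity-checked before it is entered with -A.
# 2. conntrack_summary: parse /proc/net/ip_conntrack lines like the one
#    quoted in the post and report state, idle timeout (seconds and days)
#    and whether the reply tuple shows the flow is being NAT'd.

# Return 0 when TARGET is allowed in CHAIN of the nat table, 1 otherwise.
nat_target_chain_ok() {
    target=$1
    chain=$2
    case "$target:$chain" in
        SNAT:POSTROUTING|MASQUERADE:POSTROUTING) return 0 ;;
        DNAT:PREROUTING|DNAT:OUTPUT) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample input: line 1 is the entry quoted in the post, line 2
# is a made-up un-NAT'd TCP flow (203.0.113.9 is a documentation address).
SAMPLE='tcp 6 431999 ESTABLISHED src=80.133.151.14 dst=217.160.140.67 sport=64022 dport=80 src=195.126.216.98 dst=217.160.140.67 sport=80 dport=64022 [ASSURED] use=1
tcp 6 117 TIME_WAIT src=10.0.0.5 dst=203.0.113.9 sport=40000 dport=443 src=203.0.113.9 dst=10.0.0.5 sport=443 dport=40000 [ASSURED] use=1'

# Read TCP ip_conntrack lines on stdin; print one summary line per flow.
# Field 3 is the remaining idle timeout, field 4 the TCP state.  The first
# src/dst pair is the original direction, the second the expected reply.
# Without NAT the reply src equals the original dst and the reply dst equals
# the original src; any other combination means a NAT target rewrote the flow.
conntrack_summary() {
    awk '
    {
        proto = $1; timeout = $3; state = $4
        n = 0
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "src")        { n++; src[n] = kv[2] }
            else if (kv[1] == "dst")   { dst[n] = kv[2] }
            else if (kv[1] == "sport") { sport[n] = kv[2] }
            else if (kv[1] == "dport") { dport[n] = kv[2] }
        }
        nat = (src[2] == dst[1] && dst[2] == src[1]) ? "no-NAT" : "NAT"
        printf "%s %s %d %.1fd %s %s:%s->%s:%s reply-from %s\n", proto, state, timeout, timeout / 86400, nat, src[1], sport[1], dst[1], dport[1], src[2]
    }'
}

# Stand-alone run: check the rule placement from the post, then summarise the sample.
if nat_target_chain_ok SNAT PREROUTING; then
    echo "SNAT in PREROUTING: ok"
else
    echo "SNAT in PREROUTING: not valid; use DNAT in PREROUTING or SNAT in POSTROUTING"
fi
printf '%s\n' "$SAMPLE" | conntrack_summary
```

On a live box, `conntrack_summary < /proc/net/ip_conntrack` lists every tracked TCP flow; the quoted entry shows as `NAT` with a 5.0-day timeout, which is the "431999" figure the reply explains. Adding `--dport 80` to the rule, as the reply suggests, narrows both the rewriting and the number of entries that end up in this table.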