Hey again. Yes, you are right: DNAT. Copied the wrong line from my working one :-(

And I know that I do the NAT for all ports, not only for port 80.

For the problem of killing the active connection I use

iptables -t mangle -A PREROUTING -i eth0 -s 80.133.151.14 -j DROP

and after a little time I delete the DROP.

Thanks a lot for your comments. It helps me to understand the things a little bit better. Now everything works fine. And I think next week I will have the "Traffic Shaper" running as I want.

One little question. Do you know how I can set the max tracking time? I think a value of more than 431999 seconds is really too big. I read something about /proc/sys/net/ipv4/ip_conntrack_tcp_timeouts, but on my server there is no file /proc/sys/net/ipv4/ip_conntrack_tcp_timeouts.

Jörg Peters

----- Original Message -----
From: "Fuzzy Fox" <[EMAIL PROTECTED]>
To: "Joerg Peters" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, November 12, 2002 5:39 PM
Subject: Re: NAT and MASQ on the same interface

> Joerg Peters <[EMAIL PROTECTED]> wrote:
> >
> > iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> > iptables -A PREROUTING -t nat -p tcp -s 180.133.151.14 -j SNAT --to
> > 195.126.216.98
>
> Are you sure this is what you entered? My manual says:
>
>     SNAT
>         This target is only valid in the nat table, in the
>         POSTROUTING chain. It specifies that the source address
>         of the packet should be modified (and all future packets
>         in this connection will also be mangled), and rules should
>         cease being examined.
>
> So if you are specifying SNAT, it should be in POSTROUTING, not in
> PREROUTING, and you would be changing where the SOURCE of the packet
> appears to come from, not where its DESTINATION is going...
>
> But perhaps you just typed SNAT where you meant DNAT.
>
> Just trying to keep correct information on the list. :)
>
> > But if I make
> >
> > iptables -D PREROUTING -t nat -p tcp -s 80.133.151.14 -j SNAT --to
> > 195.126.216.98
> >
> > all active connections keep alive.
>
> As you can see from the man page, all future packets in the connection
> will be mangled, which I assume means even if you remove the rule.
>
> Another thing I noticed is that in your initial post, you specified the
> connection has to be on port 80, but your rules above don't mention a
> port number. That means that all TCP connections of any kind will be
> redirected and NAT'd, not just the HTTP... Is that what you want?
>
> > I looked in /proc/net/ip_conntrack and found
> >
> > tcp 6 431999 ESTABLISHED src=80.133.151.14 dst=217.160.140.67
> > sport=64022 dport=80 src=195.126.216.98 dst=217.160.140.67 sport=80
> > dport=64022 [ASSURED] use=1
>
> This means that the connection is still being tracked. I don't know of
> any way to "un-track" these. If the HTTP server were to close off the
> connection (by closing it, resetting it), then the firewall will notice
> this, and stop tracking it. Otherwise, notice the second number on the
> line, "431999". This is the amount of time that the connection will be
> tracked. If no further activity is noticed, the connection will
> silently disappear. The number above represents five days. But I'm not
> sure what harm it does to leave it in there.
>
> > And is it possible to throttle the throughput to a max like 20 kbytes
> > per second or something else?
>
> I have been wondering the same thing, so I did some research. One
> method is to run a HTTP server that knows how to throttle or limit the
> traffic it sends out. I tried one called "thttpd" and it does the job
> very well.
>
> Another possibility is to use one of the "limit" matches available with
> iptables. The default "limit" match can only limit on the NUMBER of
> packets, not the number of BYTES in the packets, so it is probably not
> suitable. My distribution also has an "iplimit" match, which limits the
> number of concurrent connections, again, not exactly what you are
> looking for.
>
> Another thing you can try is the "Traffic Shaper" module, outside of
> iptables. This is basically a virtual IP device that you configure, and
> you use an alternate routing method like "iproute2" to cause packets
> matching your criteria to funnel through the shaper device, and the
> shaper drops packets that try to go through too fast. Yes, it's very
> complicated, and I have not set it up. But it appears that iptables
> does not have the feature you're looking for, here.
>
> --
> [EMAIL PROTECTED] (Fuzzy Fox)      || "Good judgment comes from experience.
> sometimes known as David DeSimone  ||  Experience comes from bad judgment."
>
> _______________________________________________
> Masq maillist - [EMAIL PROTECTED]
> Admin requests can be handled at http://www.indyramp.com/masq-list/ -- THIS INCLUDES UNSUBSCRIBING! or email to [EMAIL PROTECTED]
> PLEASE read the HOWTO and search the archives before posting.
> You can start your search at http://www.indyramp.com/masq/
> Please keep general linux/unix/pc/internet questions off the list.
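The conntrack entry quoted in the thread has a fixed layout: protocol name, protocol number, remaining timeout in seconds, TCP state, the original-direction tuple (src/dst/sport/dport as the first packet was seen), the reply-direction tuple (as the kernel expects answers to look), then flags such as [ASSURED] and a use count. Comparing the two tuples is what tells you whether a flow is NAT'd and in which direction, and the timeout column is what Joerg's question is about (on current kernels that value is the sysctl net.netfilter.nf_conntrack_tcp_timeout_established, whose default of 432000 seconds is the five days Fuzzy Fox mentions). The following is an added example, not code from the thread or from the netfilter project: a small parser that reads such dumps, classifies each entry as SNAT, DNAT, both or none, and lists entries that will outlive a chosen threshold. It goes a step beyond the thread by also accepting the later /proc/net/nf_conntrack layout, which prefixes each line with the address family. All sample lines except the first are constructed for this example.

```python
"""Parse conntrack table dumps and report NAT'd and long-lived entries.

Added example, not code from the mailing-list thread or from netfilter.
It reads the 2.4-era /proc/net/ip_conntrack layout quoted in the thread
and also the later /proc/net/nf_conntrack layout, which prefixes each line
with the address family ("ipv4 2 tcp 6 ...").
"""
from dataclasses import dataclass

# Constructed sample table. Line 1 is the entry quoted in the thread; the
# rest are made up to exercise masquerading, an un-NAT'd UDP flow, the
# [UNREPLIED] flag and the nf_conntrack layout.
SAMPLE_TABLE = """\
tcp      6 431999 ESTABLISHED src=80.133.151.14 dst=217.160.140.67 sport=64022 dport=80 src=195.126.216.98 dst=217.160.140.67 sport=80 dport=64022 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=192.168.1.20 dst=198.51.100.9 sport=40001 dport=443 src=198.51.100.9 dst=203.0.113.5 sport=443 dport=40001 [ASSURED] use=1
udp      17 29 src=192.168.1.20 dst=192.168.1.1 sport=5353 dport=53 src=192.168.1.1 dst=192.168.1.20 sport=53 dport=5353 use=1
tcp      6 119 SYN_SENT src=192.168.1.20 dst=198.51.100.9 sport=40002 dport=80 [UNREPLIED] src=198.51.100.9 dst=203.0.113.5 sport=80 dport=40002 use=1
ipv4     2 tcp      6 300000 ESTABLISHED src=10.0.0.7 dst=198.51.100.9 sport=50000 dport=22 src=198.51.100.9 dst=203.0.113.5 sport=22 dport=50000 [ASSURED] mark=0 use=2
"""

TUPLE_KEYS = ("src", "dst", "sport", "dport")


@dataclass
class ConntrackEntry:
    proto: str
    timeout: int    # seconds the kernel keeps the entry if no more packets arrive
    state: str      # TCP state; empty for stateless protocols such as UDP
    orig: dict      # original direction, as the first packet was seen
    reply: dict     # reply direction, as the kernel expects answers to look
    flags: set      # ASSURED, UNREPLIED, ...

    @property
    def snat(self) -> bool:
        # Source rewritten: replies are addressed to something other than
        # the original source address/port.
        return (self.reply.get("dst"), self.reply.get("dport")) != (
            self.orig.get("src"), self.orig.get("sport"))

    @property
    def dnat(self) -> bool:
        # Destination rewritten: replies come from something other than
        # the original destination address/port.
        return (self.reply.get("src"), self.reply.get("sport")) != (
            self.orig.get("dst"), self.orig.get("dport"))


def parse_line(line: str) -> ConntrackEntry:
    tokens = line.split()
    if tokens[0] in ("ipv4", "ipv6"):     # nf_conntrack layout: drop "ipv4 2"
        tokens = tokens[2:]
    proto, timeout = tokens[0], int(tokens[2])   # tokens[1] is the protocol number
    rest = tokens[3:]
    state = ""
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        state = rest.pop(0)
    orig, reply, flags = {}, {}, set()
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            flags.add(tok[1:-1])
            continue
        key, _, val = tok.partition("=")
        if key in TUPLE_KEYS:
            # First occurrence of each key belongs to the original tuple,
            # the second to the reply tuple.
            (orig if key not in orig else reply)[key] = val
    return ConntrackEntry(proto, timeout, state, orig, reply, flags)


def parse_table(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def nat_kind(entry: ConntrackEntry) -> str:
    if entry.snat and entry.dnat:
        return "SNAT+DNAT"
    if entry.snat:
        return "SNAT"
    if entry.dnat:
        return "DNAT"
    return "none"


def long_lived(entries: list, threshold: int = 86400) -> list:
    """Entries that will outlive `threshold` seconds with no further traffic."""
    return [e for e in entries if e.timeout > threshold]


if __name__ == "__main__":
    entries = parse_table(SAMPLE_TABLE)
    for e in entries:
        print(f"{e.proto:<4} {e.state or '-':<12} timeout={e.timeout:>7}s nat={nat_kind(e):<9} "
              f"{e.orig['src']}:{e.orig['sport']} -> {e.orig['dst']}:{e.orig['dport']} "
              f"{' '.join(sorted(e.flags))}")
    print("long-lived (>1 day):", len(long_lived(entries)))
```

Run it against a real dump with `parse_table(open("/proc/net/nf_conntrack").read())` (or ip_conntrack on an old kernel). For the thread's own entry the reply tuple differs from the original in both addresses, so the parser reports it as SNAT+DNAT, which is exactly what the two printed tuples say; a clean masquerade looks like the second sample line, where only the reply destination differs.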
