Message quoted by [EMAIL PROTECTED]:

Send netfilter mailing list submissions to
	[EMAIL PROTECTED]

To subscribe or unsubscribe via the World Wide Web, visit
	http://lists.samba.org/listinfo/netfilter
or, via email, send a message with subject or body 'help' to
	[EMAIL PROTECTED]

You can reach the person managing the list at
	[EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of netfilter digest..."


Today's Topics:

   1. port forwarding and proxy (Javier I. Gaggino)
   2. Re: GRE & IPTABLES Log entry help (Ramin Alidousti)
   3. Ulogd (Paulo Andre)
   4. Re: Load Balance and others... (Ramin Alidousti)
   5. Re: SNAT timeout (Ramin Alidousti)
   6. Re: ip_ct_tcp_timeout_listen and none (Jozsef Kadlecsik)
   7. Re: "-j REJECT --reject-with icmp-time-exceeded" (Kaddouch Guillaume)
   8. POSTROUTING chain not built... (Bob Hillegas)
   9. Re: Compile problems with iptables-1.2.6a ([EMAIL PROTECTED])
  10. Re: POSTROUTING chain not built... (Ramin Alidousti)
  11. Re: "-j REJECT --reject-with icmp-time-exceeded" (Ramin Alidousti)

--__--__--

Message: 1
Date: Tue, 30 Apr 2002 10:57:23 -0300
Subject: port forwarding and proxy
To: <[EMAIL PROTECTED]>
From: "Javier I. Gaggino" <[EMAIL PROTECTED]>

I'm starting to use Linux in a production environment; I have one server
running iptables and squid.
My problem is:
We have clients accessing our PRIVATE network by RAS, and we have a route
defined so our Linux box is used as proxy. Everything is OK, but as the
Linux box is forwarding HTTP requests to our internal web server, the
hosted pages are not visible, neither to us nor to our clients.
The error at the browser is:

The system returned:

(111) Connection refused

What can I do?

------------------------------------------------------------------------------------------------------
static-routes
------------------------------------------------------------------------------------------------------
eth1 net 0.0.0.0 netmask 0.0.0.0 gw xxx.xxx.xxx.xxx
eth0 net 10.0.0.0 netmask 255.0.0.0 gw 10.1.1.6
------------------------------------------------------------------------------------------------------

:PREROUTING ACCEPT [1636:122730]
:POSTROUTING ACCEPT [84:4762]
:OUTPUT ACCEPT [282:19816]
-A PREROUTING -d xxx.xxx.xxx.xxx -i eth1 -p tcp -m tcp --dport 11702 -j DNAT --to-destination 10.1.1.1:80
-A PREROUTING -d xxx.xxx.xxx.xxx -i eth1 -p tcp -m tcp --dport 5910 -j DNAT --to-destination 10.1.1.114:5900
-A PREROUTING -d xxx.xxx.xxx.xxx -i eth1 -p tcp -m tcp --dport 5909 -j DNAT --to-destination 10.1.1.112:5900
-A PREROUTING -d xxx.xxx.xxx.xxx -i eth1 -p tcp -m tcp --dport 1677 -j DNAT --to-destination 10.1.1.1:1677
-A PREROUTING -d xxx.xxx.xxx.xxx -i eth1 -p tcp -m tcp --dport 120 -j DNAT --to-destination 10.1.1.1:110
-A PREROUTING -d xxx.xxx.xxx.xxx -i eth1 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.1.1.18:25
-A PREROUTING -d xxx.xxx.xxx.xxx -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.1.18:80
-A PREROUTING -d xxx.xxx.xxx.xxx -i eth1 -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.1.1.18:21
-A PREROUTING -d xxx.xxx.xxx.xxx -i eth1 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.1.1.6:110
-A POSTROUTING -o eth1 -j SNAT --to-source xxx.xxx.xxx.xxx

Javier Gaggino
IT Dept.
Netnix S.A.
TE: 4292-7979

--__--__--

Message: 2
Date: Tue, 30 Apr 2002 09:53:53 -0400
From: Ramin Alidousti <[EMAIL PROTECTED]>
To: Mark Orenstein <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: GRE & IPTABLES Log entry help

OK. Here it goes:

Your sites 68.15.53.176/25 and 68.15.53.174/25 are on the same subnet.
However, due to the cable architecture they cannot see each other
directly. The upstream router (which is visible to the world as
68.9.8.22) has a private IP 10.4.56.1, doing proxy arp for all
the hosts on that subnet.

*) When receiving packets from 68.15.53.174 destined for 68.15.53.176
   the router detects that the incoming and outgoing interface is the
   same, which triggers the ICMP redirect that you were seeing. In this
   case you can/must ignore them.

*) The fact that your UDP-based traceroute doesn't work can be due to
   the firewalling rules that you might have on 68.15.53.176.

One question though, where does the GRE tunnel you were talking
about come into play here?

Ramin

On Mon, Apr 29, 2002 at 10:36:03PM -0400, Mark Orenstein wrote:

> 68.15.53.174 and 68.15.53.176 are the connections to the Internet for two
> schools. The subnet mask is 255.255.255.128. Both connections are via cable
> modems, most likely on the same cable segment. 10.4.56.1 must be the Cox
> Communications router on the head end. When I traceroute from either side to
> the other, it shows up as 1st in the traceroute output. An interesting thing
> is that both traceroutes do not complete successfully to the other end.
> However, a traceroute -I completes in two hops.
>
> [root@allsrv01 root]# traceroute 68.15.53.176
> traceroute to 68.15.53.176 (68.15.53.176), 30 hops max, 38 byte packets
>  1  10.4.56.1 (10.4.56.1)  8.714 ms  10.247 ms  9.723 ms
>  2  * * *
>  3  * * *
>  4  * * *
>  5  * * *
>  6  * * *
>  7  * * *
>  8  * * *
>  9  * * *
> 10  * * *
> 11  * * *
> 12  * * *
> 13  * * *
> 14  * * *
> 15  * * *
> 16  * * *
> 17  * * *
> 18  * * *
> 19  * *
> [root@allsrv01 root]#
>
> [root@squidhs root]# traceroute -I 68.15.53.174
> traceroute to 68.15.53.174 (68.15.53.174), 30 hops max, 38 byte packets
>  1  10.4.56.1 (10.4.56.1)  8.854 ms  7.689 ms  8.126 ms
>  2  wsip68-15-53-174.ri.ri.cox.net (68.15.53.174)  21.487 ms  23.157 ms  15.164 ms
> [root@squidhs root]#

--__--__--

Message: 3
From: Paulo Andre <[EMAIL PROTECTED]>
To: "Netfilter (E-mail)" <[EMAIL PROTECTED]>
Subject: Ulogd
Date: Tue, 30 Apr 2002 15:56:39 +0200

Can anyone suggest a utility to generate HTML reports on log files (ulog)
for iptables?
Thanks

Paulo

--__--__--

Message: 4
Date: Tue, 30 Apr 2002 09:58:24 -0400
From: Ramin Alidousti <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Load Balance and others...

On Tue, Apr 30, 2002 at 12:52:43PM +0200, [EMAIL PROTECTED] wrote:

> Hi, how can I balance my bandwidth so that when I am the only one downloading I
> get the full bandwidth and when 2 computers are downloading bandwidth = bw/2?
>
> I share a 300 kbps cable connection with 4 computers... I heard something
> about doing this with tc, cbq...

You heard right. Dig in iproute2.

> Other question:
>
> My Slackware 8 works fine, but now I have a big delay when I try to access
> it using SSH: if I type a wrong password I get "access denied" instantly, but
> if I type the correct password I wait more than 30 seconds for the login
> prompt...

Sounds like a DNS problem while logging stuff. Try tcpdump to see what's
holding up...

Ramin

> With sendmail and ipop3 I wait the same time... but I did not install
> anything; yesterday everything worked without delay...
>
> The first time I started with iptables something like this broke my head... I
> forgot to accept INPUT RELATED,ESTABLISHED... so sendmail could not
> resolve my server domain, but I did not change my iptables rules...
>
> Please, can you help me?

--__--__--

Message: 5
Date: Tue, 30 Apr 2002 10:02:58 -0400
From: Ramin Alidousti <[EMAIL PROTECTED]>
To: Steffen Persvold <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: SNAT timeout

On Tue, Apr 30, 2002 at 02:18:09PM +0200, Steffen Persvold wrote:

> Hi all,
>
> How long is the iptables SNAT timeout on UDP connections? The FAQ states
> that it is longer than with the previous ipchains, but not how long.

It seems to be 30 sec.

Ramin

> Thanks in advance,
> --
> Steffen Persvold      | Scalable Linux Systems | Try out the world's best
> mailto:[EMAIL PROTECTED] | http://www.scali.com   | performing MPI implementation:
> Tel: (+47) 2262 8950  | Olaf Helsets vei 6     |       - ScaMPI 1.13.8 -
> Fax: (+47) 2262 8951  | N0621 Oslo, NORWAY     | >320MBytes/s and <4uS latency

--__--__--

Message: 6
Date: Tue, 30 Apr 2002 16:27:44 +0200 (CEST)
From: Jozsef Kadlecsik <[EMAIL PROTECTED]>
To: Oskar Andreasson <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Subject: Re: ip_ct_tcp_timeout_listen and none

Hi,

On Tue, 30 Apr 2002, Oskar Andreasson wrote:

> I've been mucking around with the timeout values in conntrack
> recently, and ran into the LISTEN timeout and NONE timeout and have a
> bit of a problem understanding them.
>
> First of all, how do we know when to set a conntrack entry to LISTEN,
> since there is no data sent that will cause this afaik, except
> possibly FTP data connections etc. Would this in other words be used
> by the RELATED state, or is it used at any time by the ESTABLISHED
> state, and if so how?

Conntrack entries never enter the LISTEN state :-). In the default TCP
connection tracking the state is there but no packet leads to it.
In the TCP window tracking code it is explicitly stated that the LISTEN
state is not used.

> The NONE state I have an even harder time understanding. Which state
> does it indicate, referencing RFC 793, page 23 (correct page? I may
> be wrong about the page since I don't have it here, but it should be
> figure 6 which explains the TCP states). Anyway, what is this state
> used for and when is a conntrack entry set to state NONE?

The NONE state is the initial one when the conntrack entry is created.
Depending on the flags of the packet (which triggered creating the
conntrack entry) the state changes at once to SYN_SENT, SYN_RECEIVED,
ESTABLISHED, TIME_WAIT or CLOSE (default conntrack).

So the timeout values of the NONE and LISTEN states are irrelevant :-)

Regards,
Jozsef
-
E-mail  : [EMAIL PROTECTED], [EMAIL PROTECTED]
WWW-Home: http://www.kfki.hu/~kadlec
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

--__--__--

Message: 7
From: "Kaddouch Guillaume" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Re: "-j REJECT --reject-with icmp-time-exceeded"
Date: Tue, 30 Apr 2002 16:32:48 +0200

----- Original Message -----
From: "Ramin Alidousti" <[EMAIL PROTECTED]>
To: "Kaddouch Guillaume" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, April 29, 2002 7:18 PM
Subject: Re: "-j REJECT --reject-with icmp-time-exceeded"

> You should be able to do something like this:
>
> -t mangle -A PREROUTING <some restrictions to the rule> -j TTL --ttl-set 0

I had forgotten to say that it is for use with the "fake-source"
patch-o-matic patch that is already installed, to have a rule like this:

... -j REJECT --reject-with icmp-time-exceeded --fake-source IPADDR

The rule with "-t mangle ..." doesn't allow me to specify an IP address.

But I don't have sufficient skill to do the patch myself.
Is it scheduled?

Or is there another method?

Thanks for your answers.

Guillaume.

>
> Ramin
>
> On Mon, Apr 29, 2002 at 06:27:24PM +0200, Kaddouch Guillaume wrote:
>
> > For certain reasons I have to reject a packet with a "time-exceeded"
> > ICMP reply. However, this type of packet doesn't seem to be sendable by
> > the REJECT target.
> > Does a patch exist to do it?
> >
> > Thanks.
> >
> > Guillaume.

--__--__--

Message: 8
Date: Tue, 30 Apr 2002 09:23:00 -0500 (CDT)
From: Bob Hillegas <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: POSTROUTING chain not built...

I am using RH 7.1, kernel 2.4.9-21 and iptables.1.2.4-0.71.2 from a RedHat
rpm.

When I run the following script and then produce a rules listing
(/sbin/iptables --list -nv --line-numbers) I do NOT get any indication
that the POSTROUTING chain has been built.

What do I check next?

Thanks, BobH

#-----------<script>---------------------------------------------------------------
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

# Enable IP forwarding between interfaces FIRST (sets defaults for others)
# Needed for MASQUERADE'ing
echo 1 > /proc/sys/net/ipv4/ip_forward

# Remove any existing rules from all chains
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

# Unlimited traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Unlimited traffic on the local LAN interface
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT

# Set the default policy to drop
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

iptables -t nat --policy PREROUTING ACCEPT
iptables -t nat --policy POSTROUTING ACCEPT

# Remove any pre-existing user-defined chains
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain

#...........................
# More general rule

iptables -t nat -A POSTROUTING -o ppp0 \
         -j MASQUERADE

# Disallow NEW & INVALID incoming or forwarded packets from ppp0

iptables -A INPUT -i ppp0 \
         -m state --state NEW,INVALID \
         -j DROP

iptables -A FORWARD -i ppp0 \
         -m state --state NEW,INVALID \
         -j DROP

#-----------</script>------------------------------

Output of /sbin/iptables --list -nv --line-numbers:

Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2        1    76 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
3        0     0 DROP       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
2        0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

--
-------------------------------------------------
Bob Hillegas
<[EMAIL PROTECTED]>
281.546.9311

--__--__--

Message: 9
Date: Tue, 30 Apr 2002 15:49:24 +0100
To: [EMAIL PROTECTED]
Subject: Re: Compile problems with iptables-1.2.6a
From: <[EMAIL PROTECTED]>

On Tue, Apr 30, 2002 at 01:44:58PM +0200, Bart Boelaert wrote:

> > I've only done this twice, so I'm no expert, but would it be worth you
> > running the "patch-o-matic" to see exactly what patch causes the error?
> > Plus using the "T" option to test each patch before application *might* give
> > you more information.
>
> Could you please give me the exact make command? I couldn't find the "T"
> option in the Makefile.

Read the "FEELING BRAVE?" section of the INSTALL file that comes with
iptables 1.2.6a; you'll see the "T" option if you run "make patch-o-matic".

And heed the warnings :)

--
FunkyJesus System Administration Team

--__--__--

Message: 10
Date: Tue, 30 Apr 2002 10:53:11 -0400
From: Ramin Alidousti <[EMAIL PROTECTED]>
To: Bob Hillegas <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: POSTROUTING chain not built...

Try:

/sbin/iptables -L -nv -t filter
/sbin/iptables -L -nv -t nat
/sbin/iptables -L -nv -t mangle

to see everything.

Ramin

On Tue, Apr 30, 2002 at 09:23:00AM -0500, Bob Hillegas wrote:

> I am using RH 7.1, kernel 2.4.9-21 and iptables.1.2.4-0.71.2 from a RedHat
> rpm.
>
> When I run the following script and then produce a rules listing
> (/sbin/iptables --list -nv --line-numbers) I do NOT get any indication
> that the POSTROUTING chain has been built.
>
> What do I check next?
>
> Thanks, BobH

--__--__--

Message: 11
Date: Tue, 30 Apr 2002 11:00:15 -0400
From: Ramin Alidousti <[EMAIL PROTECTED]>
To: Kaddouch Guillaume <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: "-j REJECT --reject-with icmp-time-exceeded"

Thanks for the repost.

On Tue, Apr 30, 2002 at 04:32:48PM +0200, Kaddouch Guillaume wrote:

> > You should be able to do something like this:
> >
> > -t mangle -A PREROUTING <some restrictions to the rule> -j TTL --ttl-set 0
>
> I had forgotten to say that it is for use with the "fake-source"
> patch-o-matic patch that is already installed, to have a rule like this:
>
> ... -j REJECT --reject-with icmp-time-exceeded --fake-source IPADDR
>
> The rule with "-t mangle ..." doesn't allow me to specify an IP address.

OK. Try to set the TTL in PREROUTING:

-t mangle -A PREROUTING <some restrictions to the rule> -j TTL --ttl-set 0

and then when your box generates the time-exceeded in response to this
rule, set the src in POSTROUTING:

-t nat -A POSTROUTING -m ttl --ttl-eq 0 -j SNAT --to IPADDR

Ramin

> But I don't have sufficient skill to do the patch myself.
> Is it scheduled?
>
> Or is there another method?
>
> Thanks for your answers.
>
> Guillaume.
>
> >
> > Ramin

--__--__--

_______________________________________________
netfilter mailing list
[EMAIL PROTECTED]
http://lists.samba.org/listinfo/netfilter

End of netfilter Digest
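The "(111) Connection refused" in message 1 follows from two things the posted nat rules do not account for: packets the firewall generates itself (Squid running on the box) traverse the nat OUTPUT chain, never PREROUTING, and every DNAT rule is restricted to "-i eth1", so a LAN client on eth0 that connects to the public address is not rewritten either. In both cases the SYN is delivered to the firewall's own TCP stack, which is one way to get ECONNREFUSED when nothing listens on port 80 there. The following is an added example, not code from the post or from netfilter: a small model of nat-table traversal that parses a few of the posted rules (with assumed placeholder addresses standing in for xxx.xxx.xxx.xxx and for the firewall's LAN address) and traces the same SYN from an outside client, a LAN client and Squid on the firewall, before and after adding the usual hairpin-NAT rules (DNAT in PREROUTING for eth0 and in OUTPUT, plus an SNAT so the web server's replies return through the firewall).

```python
"""Trace a TCP SYN through a much simplified model of the netfilter nat table.

Added example, not code from the post. It models only -A/-s/-d/-i/-o/-p/--dport,
DNAT and SNAT, first-match-wins per chain, and the static routes from the post.
Source-address selection for locally generated packets is not modelled.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "203.0.113.10"   # assumed stand-in for the post's xxx.xxx.xxx.xxx
FW_LAN_IP = "10.1.1.254"     # assumed LAN address of the firewall

# The nat rules relevant to port 80, as posted (constructed sample, placeholder filled in).
RULESET = f"""
-A PREROUTING -d {PUBLIC_IP} -i eth1 -p tcp -m tcp --dport 11702 -j DNAT --to-destination 10.1.1.1:80
-A PREROUTING -d {PUBLIC_IP} -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.1.18:80
-A POSTROUTING -o eth1 -j SNAT --to-source {PUBLIC_IP}
"""

# Hairpin NAT (assumed fix): DNAT for LAN clients and for the firewall's own traffic,
# plus an SNAT so 10.1.1.18 answers the firewall instead of the LAN client directly.
HAIRPIN_FIX = RULESET + f"""
-A PREROUTING -d {PUBLIC_IP} -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.1.1.18:80
-A OUTPUT -d {PUBLIC_IP} -p tcp --dport 80 -j DNAT --to-destination 10.1.1.18:80
-A POSTROUTING -s 10.0.0.0/8 -d 10.1.1.18 -o eth0 -p tcp --dport 80 -j SNAT --to-source {FW_LAN_IP}
"""


@dataclass
class Rule:
    chain: Optional[str] = None
    target: Optional[str] = None
    to: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    in_if: Optional[str]      # None = generated by the firewall itself
    proto: str = "tcp"


def parse_rules(text: str) -> list:
    """Parse iptables-save style nat rules (only the options used above)."""
    rules = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        tok, r, i = shlex.split(line), Rule(), 0
        while i < len(tok):
            opt, arg = tok[i], tok[i + 1]
            if opt == "-A": r.chain = arg
            elif opt == "-s": r.src = ipaddress.ip_network(arg, strict=False)
            elif opt == "-d": r.dst = ipaddress.ip_network(arg, strict=False)
            elif opt == "-i": r.in_if = arg
            elif opt == "-o": r.out_if = arg
            elif opt == "-p": r.proto = arg
            elif opt == "-m": pass                       # "-m tcp": nothing to record
            elif opt == "--dport": r.dport = int(arg)
            elif opt == "-j": r.target = arg
            elif opt in ("--to-destination", "--to-source"): r.to = arg
            else: raise ValueError(f"unsupported option {opt!r}")
            i += 2
        rules.append(r)
    return rules


def _matches(r: Rule, pkt: Packet, out_if: Optional[str]) -> bool:
    return ((r.src is None or ipaddress.ip_address(pkt.src) in r.src)
            and (r.dst is None or ipaddress.ip_address(pkt.dst) in r.dst)
            and (r.in_if is None or r.in_if == pkt.in_if)
            and (r.out_if is None or r.out_if == out_if)
            and (r.proto is None or r.proto == pkt.proto)
            and (r.dport is None or r.dport == pkt.dport))


def _route(dst: str) -> str:
    """Static routes from the post: 10/8 via eth0, default via eth1; own addresses are local."""
    if dst in (PUBLIC_IP, FW_LAN_IP):
        return "local"
    return "eth0" if ipaddress.ip_address(dst) in ipaddress.ip_network("10.0.0.0/8") else "eth1"


def nat_trace(rules: list, pkt: Packet):
    """Return (destination after DNAT, egress interface or 'local', SNAT source or None)."""
    chain = "OUTPUT" if pkt.in_if is None else "PREROUTING"   # locally generated vs. received
    dst, dport = pkt.dst, pkt.dport
    for r in rules:
        if r.chain == chain and r.target == "DNAT" and _matches(r, pkt, None):
            host, _, port = r.to.partition(":")
            dst, dport = host, int(port) if port else dport
            break                                   # first match wins; conntrack keeps it
    out_if = _route(dst)
    snat = None
    if out_if != "local":                           # POSTROUTING only sees packets that leave
        after_dnat = Packet(pkt.src, dst, dport, pkt.in_if, pkt.proto)
        for r in rules:
            if r.chain == "POSTROUTING" and r.target == "SNAT" and _matches(r, after_dnat, out_if):
                snat = r.to
                break
    return f"{dst}:{dport}", out_if, snat


def demo(ruleset_text: str) -> dict:
    """The same SYN to PUBLIC_IP:80 from the three vantage points in the post."""
    rules = parse_rules(ruleset_text)
    cases = {
        "ras client via eth1":   Packet("198.51.100.7", PUBLIC_IP, 80, "eth1"),
        "lan client via eth0":   Packet("10.1.1.50", PUBLIC_IP, 80, "eth0"),
        "squid on the firewall": Packet(PUBLIC_IP, PUBLIC_IP, 80, None),
    }
    return {name: nat_trace(rules, p) for name, p in cases.items()}


if __name__ == "__main__":
    for label, text in (("posted rules", RULESET), ("with hairpin rules", HAIRPIN_FIX)):
        print(label)
        for name, (dst, out_if, snat) in demo(text).items():
            print(f"  {name:24} -> {dst:18} via {out_if:6} snat={snat}")
```

With the posted rules only the eth1 client reaches 10.1.1.18; the LAN client and Squid both end at "local". With the hairpin rules all three are rewritten to 10.1.1.18:80, and the LAN client's connection is additionally SNATed to the firewall's LAN address so that the web server's SYN/ACK comes back through the firewall rather than straight to 10.1.1.50, where it would not match any connection. Note that the same "-i eth1" restriction applies to every other DNAT in the post (VNC, POP3, SMTP, FTP), so the same hairpin rules are needed for any of them that LAN hosts reach via the public name.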
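Message 5 asks how long an SNAT mapping for UDP lives, and the answer is 30 seconds. The practical consequence is that the mapping is a conntrack entry: a reply that arrives after the entry has expired no longer matches anything, is not un-NATed, and is treated as a fresh inbound packet by whatever policy the filter table applies. The following is an added example, not code from the post or from netfilter: a toy conntrack table for UDP that keeps the 30 s unreplied timeout from the reply and, as an assumption of the example, extends an entry that has seen traffic in both directions to a longer "stream" timeout (180 s here; check ip_ct_udp_timeout and ip_ct_udp_timeout_stream under /proc/sys/net/ipv4/netfilter on the box rather than trusting these constants). The addresses are constructed placeholders; source-port collisions on the SNAT address are not modelled.

```python
"""Toy UDP conntrack/SNAT table: entries expire, and expired mappings cannot un-NAT replies.

Added example, not kernel code. Timeouts: 30 s while unreplied (as stated in the thread),
180 s once a reply has been seen (assumption of this example; read the sysctls on a real box).
"""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"   # assumed SNAT address (stands in for the post's xxx.xxx.xxx.xxx)
UDP_TIMEOUT = 30             # unreplied UDP entry, seconds
UDP_STREAM_TIMEOUT = 180     # assumed timeout once traffic has been seen both ways


@dataclass
class Entry:
    orig: tuple        # (src, sport, dst, dport) as sent by the LAN host
    reply: tuple       # (src, sport, dst, dport) as the outside host sends it back
    expires: float
    seen_reply: bool = False


class Conntrack:
    def __init__(self):
        self.entries = {}          # both the original and the reply tuple key the same Entry

    def _expire(self, now: float) -> None:
        for key in [k for k, e in self.entries.items() if e.expires <= now]:
            del self.entries[key]

    def _refresh(self, e: Entry, now: float) -> None:
        e.expires = now + (UDP_STREAM_TIMEOUT if e.seen_reply else UDP_TIMEOUT)

    def outbound(self, now: float, src: str, sport: int, dst: str, dport: int) -> tuple:
        """LAN -> Internet datagram: create or refresh the entry, return the SNATed tuple."""
        self._expire(now)
        key = (src, sport, dst, dport)
        e = self.entries.get(key)
        if e is None:
            e = Entry(orig=key, reply=(dst, dport, PUBLIC_IP, sport), expires=0.0)
            self.entries[key] = e
            self.entries[e.reply] = e
        self._refresh(e, now)
        return (PUBLIC_IP, sport, dst, dport)

    def inbound(self, now: float, src: str, sport: int, dst: str, dport: int):
        """Internet -> firewall datagram: un-NAT it if a live entry exists, else None."""
        self._expire(now)
        key = (src, sport, dst, dport)
        e = self.entries.get(key)
        if e is None or e.reply != key:
            return None                           # no mapping: a NEW packet for the filter table
        e.seen_reply = True                       # traffic both ways: longer timeout from now on
        self._refresh(e, now)
        return (src, sport, e.orig[0], e.orig[1])

    def live_entries(self, now: float) -> int:
        self._expire(now)
        return len({id(e) for e in self.entries.values()})


def demo() -> tuple:
    """A DNS query from a LAN host, answered after 10 s, after 31 s, and after a long stream."""
    ct = Conntrack()
    out = ct.outbound(0, "10.1.1.50", 4000, "198.51.100.53", 53)
    fast = ct.inbound(10, "198.51.100.53", 53, PUBLIC_IP, 4000)       # inside the 30 s window
    stream = ct.inbound(189, "198.51.100.53", 53, PUBLIC_IP, 4000)    # 179 s after the reply

    late_ct = Conntrack()
    late_ct.outbound(0, "10.1.1.50", 4000, "198.51.100.53", 53)
    late = late_ct.inbound(31, "198.51.100.53", 53, PUBLIC_IP, 4000)  # entry already expired
    return out, fast, late, stream


if __name__ == "__main__":
    out, fast, late, stream = demo()
    print("outbound as seen on the wire:", out)
    print("reply after 10 s un-NATed to:", fast)
    print("reply after 31 s:", late)
    print("stream packet 179 s after the reply:", stream)
```

The short unreplied timeout is also what limits an outsider's window for pushing packets into a mapping it has guessed, so raising it is a trade-off, not a free fix for long-idle UDP sessions.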
