Re: CHANGING the routing for established connections.

2002-10-28 Thread guy keren

On 29 Oct 2002, Meir Michanie wrote:

 with the nat table and the DNAT target you can redirect new connections.
 but how can you break already established connections and redirect them to
 a certain ip?
 
 mangle supports established connections but does not support DNAT.

i think at least in the vanilla kernel, this is not supported. normally, 
you can not redirect an already established connection.

this makes sense - how would the new target machine know how to 
synchronize in on an already established connection, that has an 
established state, and established sequence numbers, etc?

can you explain why you find the need to redirect already established 
connections? perhaps this can be remedied...

-- 
guy

For world domination - press 1,
 or dial 0, and please hold, for the creator. -- nob o. dy


=
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word unsubscribe in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]




Re: CHANGING the routing for established connections.

2002-10-28 Thread Meir Michanie
I am trying to set up a network where the clients at first have access only
to my intranet apache server. It does some kind of authentication, I
arping his ip and set up the firewall to allow forwarding from his
computer to the internet even if he reboots or changes IP.
1st state:
iptables -t nat -A PREROUTING -j DNAT --to-destination 10.0.10.2

2nd state:

iptables -t nat -I PREROUTING -m mac --mac-source 00:20:18:2D:6B:20 -j ACCEPT

everything is fine till here, but let's say that I want to allow traffic
to the internet from this client for a limited amount of time (i.e. 30
mins)

I would build a crontab job to delete the last iptables rule.

iptables -t nat -D PREROUTING -m mac --mac-source 00:20:18:2D:6B:20 -j ACCEPT

This works if the client now tries to reach a new url,
but if he was browsing a site (i.e. hotmail)
he will continue as if nothing happened.

I would not care about killing his established connection. On
re-establishing he would be forwarded to my server.

On Tue, 2002-10-29 at 07:45, guy keren wrote:
 
 On 29 Oct 2002, Meir Michanie wrote:
 
  with the nat table and the DNAT target you can redirect new connections.
  but how can you break already established connections and redirect them to
  a certain ip?
  
  mangle supports established connections but does not support DNAT.
 
 i think at least in the vanilla kernel, this is not supported. normally, 
 you can not redirect an already established connection.
 
 this makes sense - how would the new target machine know how to 
 synchronize in on an already established connection, that has an 
 established state, and established sequence numbers, etc?
 
 can you explain why you find the need to redirect already established 
 connections? perhaps this can be remedied...
 
 -- 
 guy
 
 For world domination - press 1,
  or dial 0, and please hold, for the creator. -- nob o. dy
 
 
-- 
QOTD:
I tried buying a goat instead of a lawn tractor; had to return
it though.  Couldn't figure out a way to connect the snow blower.
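An added example, not from either poster: the nat PREROUTING chain only sees the first packet of a connection, so deleting a nat rule never touches flows that are already established. Enforcing the time limit in the filter FORWARD chain, which every packet passes through, cuts the client's established connections as soon as the grant is revoked, and its next new connection is DNATed back to the portal. The interface name eth1, the portal address and a DROP-terminated FORWARD chain are assumptions; by default the script only prints the commands it would run.

```shell
#!/bin/sh
# Captive-portal style gating for one LAN client (added example, not from
# the thread). Assumptions: LAN interface eth1, portal at 10.0.10.2.
# IPTABLES defaults to a dry run that prints the commands; run with
# IPTABLES=iptables as root to apply them.
IPTABLES="${IPTABLES:-echo iptables}"
LAN_IF="${LAN_IF:-eth1}"
PORTAL="${PORTAL:-10.0.10.2}"

# Base policy: every NEW connection from an unauthenticated client is
# DNATed to the portal; the filter table lets portal traffic and the
# return half of accepted flows through and drops everything else.
base_rules() {
    $IPTABLES -t nat -A PREROUTING -i "$LAN_IF" -j DNAT --to-destination "$PORTAL"
    $IPTABLES -A FORWARD -i "$LAN_IF" -d "$PORTAL" -j ACCEPT
    $IPTABLES -A FORWARD -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -j DROP
}

# Grant: bypass the DNAT for this MAC (nat, first packet only) AND accept
# its forwarded packets (filter, every packet). The second rule is the one
# a nat-only setup lacks; without it a revoke cannot reach existing flows.
grant_client() {
    mac=$1
    $IPTABLES -t nat -I PREROUTING -i "$LAN_IF" -m mac --mac-source "$mac" -j ACCEPT
    $IPTABLES -I FORWARD -i "$LAN_IF" -m mac --mac-source "$mac" -j ACCEPT
}

# Revoke (e.g. from the 30-minute cron job): with the FORWARD rule gone the
# client's outgoing packets fall through to DROP, so established sessions
# stall at once; with the nat rule gone its next NEW connection hits the
# portal DNAT again.
revoke_client() {
    mac=$1
    $IPTABLES -D FORWARD -i "$LAN_IF" -m mac --mac-source "$mac" -j ACCEPT
    $IPTABLES -t nat -D PREROUTING -i "$LAN_IF" -m mac --mac-source "$mac" -j ACCEPT
}

# Stand-alone usage: ./portal.sh base | grant <mac> | revoke <mac>
case "${1:-}" in
    base)   base_rules ;;
    grant)  grant_client "$2" ;;
    revoke) revoke_client "$2" ;;
esac
```

The ESTABLISHED accept is deliberately limited to the return direction (-o eth1), so it cannot keep a revoked client's sessions alive.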

