packets scan
Patrick Schaaf
bof@bof.de
Mon, 30 Jul 2001 23:40:59 +0200
> I'm sure the answer to my question is very easy, but I just don't see it
> yet...
Keep the proposed rules, but replace mangle with nat, and QUEUE with REDIRECT.
Have a listener on the --to-port. The listener uses SO_ORIGINAL_DST to
inquire about the server the user is trying to connect to. The listener
then connects to that server. After that, copy data hence and forth,
applying filtering artificial intelligence where useful.
One good thing about REDIRECT: when you change the iptables rule,
e.g. remove the REDIRECT, all already-redirected TCP connections
keep working.
One bad thing about REDIRECT, as with all nat: you need ip_conntrack.
This is only bad if you don't want ip_conntrack. Me, I love it.
regards
Patrick
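The listener Patrick describes, written out as an added example (this is not code from the original post or from the netfilter project): a small transparent TCP proxy that accepts REDIRECTed connections, asks conntrack for the original destination via SO_ORIGINAL_DST, connects to that server itself, and copies data in both directions through a filtering hook. The iptables rule in the module docstring and the port numbers are assumptions chosen for illustration; `should_forward` is a constructed stand-in for whatever filtering policy you would plug in. `demo_relay_loopback` exercises the relay over local socket pairs so the copy loop can be checked without root or an iptables rule.

```python
"""Transparent proxy on top of iptables REDIRECT and SO_ORIGINAL_DST (Linux).

Assumed redirect rule (placeholder ports), loaded by root on the box that
runs this listener; nat PREROUTING only sees packets arriving from the
network, so the proxy's own outbound connections are not redirected again:

    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
"""
import select
import socket
import struct
import threading

# Python's socket module does not export SO_ORIGINAL_DST; 80 is the value
# from <linux/netfilter_ipv4.h>. The answer is a 16-byte struct sockaddr_in.
SO_ORIGINAL_DST = 80
SOCKADDR_IN_LEN = 16


def pack_sockaddr_in(host: str, port: int) -> bytes:
    """Build a sockaddr_in the way the kernel lays it out: sin_family in host
    byte order, sin_port in network order, sin_addr, 8 bytes of padding."""
    return struct.pack("=H", socket.AF_INET) + port.to_bytes(2, "big") \
        + socket.inet_aton(host) + b"\x00" * 8


def parse_original_dst(raw: bytes) -> tuple[str, int]:
    """Decode the sockaddr_in returned by getsockopt(SOL_IP, SO_ORIGINAL_DST)."""
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short")
    (family,) = struct.unpack("=H", raw[:2])
    if family != socket.AF_INET:
        raise ValueError(f"unexpected address family {family}")
    return socket.inet_ntoa(raw[4:8]), int.from_bytes(raw[2:4], "big")


def original_destination(conn: socket.socket) -> tuple[str, int]:
    """Ask ip_conntrack which server the client was really connecting to."""
    return parse_original_dst(conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST,
                                              SOCKADDR_IN_LEN))


def should_forward(chunk: bytes) -> bool:
    """Constructed placeholder policy for the filtering slot: tear the
    connection down as soon as a chunk carries a NUL byte."""
    return b"\x00" not in chunk


def relay(a: socket.socket, b: socket.socket, policy=should_forward) -> int:
    """Copy data in both directions until either side closes or the policy
    rejects a chunk. Returns the number of bytes forwarded."""
    peers, live, total = {a: b, b: a}, [a, b], 0
    while len(live) == 2:
        readable, _, _ = select.select(live, [], [])
        for s in readable:
            data = s.recv(65536)
            if not data or not policy(data):   # EOF or policy violation
                live = []
                break
            peers[s].sendall(data)
            total += len(data)
    a.close()
    b.close()
    return total


def handle(client: socket.socket) -> None:
    """Per-connection worker: look up the real target, connect, relay."""
    try:
        host, port = original_destination(client)
        upstream = socket.create_connection((host, port), timeout=10)
    except (OSError, ValueError):
        client.close()
        return
    relay(client, upstream)


def serve(listen_port: int = 8080) -> None:
    """Accept redirected connections on the --to-port (assumed 8080)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", listen_port))
        srv.listen(64)
        while True:
            client, _ = srv.accept()
            threading.Thread(target=handle, args=(client,), daemon=True).start()


def demo_relay_loopback() -> tuple[bytes, bytes, int]:
    """Drive relay() with constructed local socket pairs standing in for the
    client and the upstream server; returns what each side received and the
    byte count the relay reports."""
    client, proxy_in = socket.socketpair()
    proxy_out, server = socket.socketpair()
    result = {}
    t = threading.Thread(target=lambda: result.update(n=relay(proxy_in, proxy_out)))
    t.start()
    client.sendall(b"hi")
    at_server = server.recv(64)
    server.sendall(b"yo")
    at_client = client.recv(64)
    client.close()          # EOF reaches the relay and ends it
    t.join(5)
    server.close()
    return at_server, at_client, result["n"]


if __name__ == "__main__":
    serve()
```

`serve()` needs the assumed nat rule in place and must run on the machine doing the REDIRECT, since SO_ORIGINAL_DST is answered from that host's conntrack table; it fails with an `OSError` anywhere else. Because the listener originates a fresh connection to the real server, the server sees the proxy's address as the client unless you take further steps, which is the usual trade-off of this design.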