Mon, 30 Jul 2001 20:09:43 -0400
That's one of the advantages of using QUEUE. You don't need ip_conntrack.
I'm not bad-mouthing it, but the last thing you want is somebody to DoS your
conntrack module and block your virus scanner.
Patrick Schaaf wrote:
>> I'm sure the answer to my question is very easy, but I just don't see it
> Keep the proposed rules, but replace mangle with nat, and QUEUE with REDIRECT.
> Have a listener on the --to-port. The listener uses SO_ORIGINAL_DST to
> inquire about the server the user is trying to connect to. The listener
> then connects to that server. After that, copy data hence and forth,
> applying filtering artificial intelligence where useful.
> One good thing about REDIRECT: when you change the iptables rule,
> e.g. remove the REDIRECT, all already-redirected TCP connections
> keep working.
> One bad thing about REDIRECT, as with all nat: you need ip_conntrack.
> This is only bad if you don't want ip_conntrack. Me, I love it.