packets scan

Brad Chapman kakadu@earthlink.net
Mon, 30 Jul 2001 20:09:43 -0400


Mr. Schaaf,

   That's one of the advantages of using QUEUE. You don't need ip_conntrack.
I'm not bad-mouthing it, but the last thing you want is somebody to DoS your
conntrack module and block your virus scanner.

Brad

Patrick Schaaf wrote:

>> I'm sure the answer to my question is very easy, but I just don't see it 
>> yet...
> 
> 
> Keep the proposed rules, but replace mangle with nat, and QUEUE with REDIRECT.
> Have a listener on the --to-port. The listener uses SO_ORIGINAL_DST to
> inquire about the server the user is trying to connect to. The listener
> then connects to that server. After that, copy data hence and forth,
> applying filtering artificial intelligence where useful.
> 
> One good thing about REDIRECT: when you change the iptables rule,
> e.g. remove the REDIRECT, all already-redirected TCP connections
> keep working.
> 
> One bad thing about REDIRECT, as with all nat: you need ip_conntrack.
> This is only bad if you don't want ip_conntrack. Me, I love it.
> 
> regards
>   Patrick
> 
> 
>
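A minimal listener of the kind Patrick describes, added here as an example (it is not code from either poster): it accepts the REDIRECTed connections, asks ip_conntrack via SO_ORIGINAL_DST where the client was really going, connects there and copies data in both directions, running a naive content check on the server-to-client stream in place of the "filtering artificial intelligence". The iptables rule in the docstring, port 8080, the blocked signature and the socketpair-based offline demo are assumptions for this example; on a real box the getsockopt call only succeeds for connections that went through the nat table, which is exactly the ip_conntrack dependency the thread discusses.

```python
"""Transparent proxy for iptables REDIRECT (added example, not from the thread).

Assumed rule:
  iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
"""
import select
import socket
import struct
import threading

# From <linux/netfilter_ipv4.h>: getsockopt(SOL_IP, SO_ORIGINAL_DST) asks
# ip_conntrack for the address the client was really trying to reach.
SO_ORIGINAL_DST = 80

# Constructed signature standing in for a real scanner's database (assumption).
BLOCKED_SIGNATURE = b"MALWARE-SIGNATURE-DEMO"


def parse_sockaddr_in(raw: bytes):
    """Decode the struct sockaddr_in returned by SO_ORIGINAL_DST:
    sa_family (host order), sin_port and sin_addr (network order), padding."""
    if len(raw) < 8:
        raise ValueError("short sockaddr_in")
    family = struct.unpack("=H", raw[:2])[0]
    if family != socket.AF_INET:
        raise ValueError(f"not AF_INET: {family}")
    port, addr = struct.unpack("!H4s", raw[2:8])
    return socket.inet_ntoa(addr), port


def build_sockaddr_in(host: str, port: int) -> bytes:
    """Inverse of parse_sockaddr_in; used to construct test input offline."""
    return (struct.pack("=H", socket.AF_INET)
            + struct.pack("!H4s", port, socket.inet_aton(host)) + b"\0" * 8)


def original_dst(conn):
    """(host, port) the client intended, or None when conntrack has no NAT
    entry for this connection (it did not arrive via REDIRECT: refuse it)."""
    try:
        raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
    except OSError:
        return None
    return parse_sockaddr_in(raw)


def scan(chunk: bytes) -> bool:
    """Naive per-chunk check. A signature split across two chunks would slip
    through, so a real scanner must buffer and reassemble the stream."""
    return BLOCKED_SIGNATURE not in chunk


def relay(client, server, scan_fn=scan):
    """Copy bytes both ways until both sides have sent EOF. Server-to-client
    data passes through scan_fn; on a hit both sockets are torn down.
    Returns (bytes_up, bytes_down, blocked)."""
    up = down = 0
    peers = {client: server, server: client}
    open_sides = [client, server]          # list, so select order is stable
    try:
        while open_sides:
            readable, _, _ = select.select(open_sides, [], [])
            for src in readable:
                dst = peers[src]
                data = src.recv(65536)
                if not data:
                    # Half-close: pass the EOF on, keep the other direction alive.
                    open_sides.remove(src)
                    try:
                        dst.shutdown(socket.SHUT_WR)
                    except OSError:
                        pass
                    continue
                if src is server:
                    if not scan_fn(data):
                        return up, down, True
                    down += len(data)
                else:
                    up += len(data)
                dst.sendall(data)
    finally:
        client.close()
        server.close()
    return up, down, False


def handle(conn):
    target = original_dst(conn)
    if target is None:
        conn.close()                       # not a redirected connection
        return None
    upstream = socket.create_connection(target)
    return target, relay(conn, upstream)


def serve(listen_port=8080):
    """The --to-port listener; one thread per redirected connection."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as lsock:
        lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        lsock.bind(("0.0.0.0", listen_port))
        lsock.listen(64)
        while True:
            conn, _ = lsock.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()


def recv_all(sock):
    chunks = []
    while True:
        data = sock.recv(65536)
        if not data:
            return b"".join(chunks)
        chunks.append(data)


def demo_relay(request: bytes, response: bytes):
    """Offline run: socketpairs stand in for the client and the origin server.
    Returns (bytes the server saw, bytes the client saw, relay stats)."""
    client_end, proxy_client = socket.socketpair()
    proxy_server, server_end = socket.socketpair()
    client_end.sendall(request)
    client_end.shutdown(socket.SHUT_WR)
    server_end.sendall(response)
    server_end.shutdown(socket.SHUT_WR)
    stats = relay(proxy_client, proxy_server)
    seen = recv_all(server_end), recv_all(client_end), stats
    client_end.close()
    server_end.close()
    return seen


if __name__ == "__main__":
    serve()
```

Run it as root next to the REDIRECT rule and it proxies port 80 for hosts routed through the box; `demo_relay` exercises the copying and blocking logic without any iptables at all. Note that the half-close handling matters: a client that shuts its write side after the request still has to receive the whole reply, so each direction is closed independently.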