layer7 problem

Antonio Pérez aperlu at telefonica.net
Wed Aug 24 15:59:54 CEST 2005


Jörg Harmuth wrote:

>Antonio Pérez schrieb:
>
>>Jörg Harmuth wrote:
>>
>>>Antonio Pérez schrieb:
>>>
>>>>Hi Joerg,
>>>>
>>>>Thanks for your reply, I also tried PREROUTING and also many different
>>>>protocols, not only http and the problem remains the same, everything
>>>>seems to work properly, no errors, but the number of marked packets
>>>>remains empty.
>>>>Any idea will be appreciated, thanks.
>>>>
>>>Could you please post the output of iptables-save ? I assume, that some
>>>other rules are the culprit ;)
>>>
>>>Have a nice time,
>>>
>>>Joerg
>>>
>>iptables-save
>># Generated by iptables-save v1.3.3 on Wed Aug 24 14:05:01 2005
>>*mangle
>>:PREROUTING ACCEPT [633:402628]
>>:INPUT ACCEPT [633:402628]
>>:FORWARD ACCEPT [0:0]
>>:OUTPUT ACCEPT [606:91422]
>>:POSTROUTING ACCEPT [606:91422]
>>-A PREROUTING -m layer7 --l7proto http -j MARK --set-mark 0x1
>>-A PREROUTING -m layer7 --l7proto dns -j MARK --set-mark 0x1
>>-A POSTROUTING -m layer7 --l7proto http -j MARK --set-mark 0x1
>>-A POSTROUTING -m layer7 --l7proto dns -j MARK --set-mark 0x1
>>COMMIT
>># Completed on Wed Aug 24 14:05:01 2005
>>
>
>[SNIP]
>
>>I applied layer7 patch to kernel and iptables, do I need to add any
>>other path?
>>
>
>No, that will do. Well, these rules are fine - but it's only mangle
>table. What about filter / nat table ? Any rules in these chains ? Any
>policies set to DROP ?
>
>Have a nice time,
>
>Joerg
>
Both nat and filter are empty:

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


Thanks for your time.
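As an added example, not code from the thread: a small Python parser for the iptables-save format quoted above that extracts each chain's policy and policy counter plus every rule, then raises the two checks Joerg asks about (DROP policies, and layer7 rules whose own counter stays at zero while packets did pass through their chain). The embedded dump is constructed for the example: the thread's PREROUTING rules rewritten in `iptables-save -c` form, which carries the per-rule counters the plain dump in the thread lacks, plus an invented filter table with a DROP policy.

```python
import re
# Constructed sample (not from the thread): the PREROUTING rules posted above, rewritten in
# `iptables-save -c` form (per-rule [packets:bytes] counters), plus an invented filter table.
SAMPLE_DUMP = """\
*mangle
:PREROUTING ACCEPT [633:402628]
:POSTROUTING ACCEPT [606:91422]
[0:0] -A PREROUTING -m layer7 --l7proto http -j MARK --set-mark 0x1
[0:0] -A PREROUTING -m layer7 --l7proto dns -j MARK --set-mark 0x1
COMMIT
*filter
:INPUT DROP [0:0]
COMMIT
"""

CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")       # :CHAIN POLICY [pkts:bytes]
RULE_RE = re.compile(r"^(?:\[(\d+):(\d+)\] )?-A (\S+) (.*)$")  # optional -c counters, -A CHAIN spec

def parse_dump(text):
    """table -> {"chains": {name: (policy, pkts_reaching_policy)}, "rules": [(chain, pkts, spec)]};
    a rule's pkts is None when the dump was taken without -c."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"chains": {}, "rules": []}
        elif table and (m := CHAIN_RE.match(line)):
            tables[table]["chains"][m.group(1)] = (m.group(2), int(m.group(3)))
        elif table and (m := RULE_RE.match(line)):
            tables[table]["rules"].append((m.group(3), int(m.group(1)) if m.group(1) else None, m.group(4)))
    return tables

def audit(tables):
    """The checks from the thread: DROP policies, and layer7 rules that matched nothing
    although packets did traverse their chain (policy counter > 0)."""
    findings = []
    for tname, t in tables.items():
        for cname, (policy, _) in t["chains"].items():
            if policy == "DROP":
                findings.append(f"{tname}/{cname}: policy DROP")
        for chain, pkts, spec in t["rules"]:
            if "-m layer7" not in spec:
                continue
            seen = t["chains"].get(chain, ("-", 0))[1]
            if pkts is None:
                findings.append(f"{tname}/{chain}: no per-rule counters, re-run iptables-save -c")
            elif pkts == 0 and seen > 0:
                findings.append(f"{tname}/{chain}: layer7 rule matched 0 of {seen} packets: {spec}")
    return findings
```

Run it on a dump taken with `iptables-save -c` from the box in question; a dump without `-c` only yields the "no per-rule counters" finding, since the bracketed numbers on chain lines are the policy counters, not the rule counters.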