POSTROUTING chain of which table?
NAT should not affect things, as long as - as you say - both directions
are going through the box.
It sounds like you are "not sure" if it's working.
Use connmark target too to save the mark in the conntrack and look in
/proc/net/ip_conntrack
Also use iptables -vn ... -L
to see that l7 count go up as more packets for matched conntracks go by.
Sam
* John Philips wrote, On 17/01/07 16:37:
> Hey guys,
>
> Here's an easy one.
>
> Is it possible to use the l7-filter extension on a box
> that performs NAT? The HOWTO says the filter only
> works 100% of the time if it can see both sides of the
> connection. I tried putting the l7 MARK rules in the
> POSTROUTING chain on a box that does NAT and it does
> successfully mark some packets. I'm not 100% sure if
> it's working, or if it should work this way.
>
> I've searched the mailing list archives and Google but
> haven't found an answer.
>
> Thanks!
>
>
>
> ____________________________________________________________________________________
> Never miss an email again!
> Yahoo! Toolbar alerts you the instant new Mail arrives.
> http://tools.search.yahoo.com/toolbar/features/mail/
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys - and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> L7-filter-developers mailing list
> L7-filter-developers@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/l7-filter-developers
>
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
|