From: Patrick McHardy <kaber@trash.net>
To: Vincent Li <vincent.mc.li@gmail.com>
Cc: "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
	netfilter-devel@vger.kernel.org
Subject: Re: How to test netfilter SYNPROXY target properly?
Date: Fri, 3 Jan 2014 13:19:08 +0000
Message-ID: <20140103131908.GA26268@macbook.localnet>
In-Reply-To: <CAK3+h2wX3PvcMyNhYWYTnxyQyr9YN_2Mzr21gD4OrpF2P6+TcQ@mail.gmail.com>

On Thu, Jan 02, 2014 at 03:30:21PM -0800, Vincent Li wrote:
> Hi Patrick
> 
> I should have put this question in user list instead of dev list, but
> I couldn't find any user based documentation on how to test the
> SYNPROXY target other than the message in the SYNPROXY patch series.
> so here is my setup:
> 
> ---packet flow
> 
> client 10.1.72.99 (vlan 1101)  <->Linux with SYNPROXY rule - 10.1.72.9
> (vlan 1101) 10.2.72.139 (vlan 1102) <->server 10.2.72.99
> ...
> /usr/local/sbin/iptables -A INPUT -i $EXTIF -p tcp --dport 80 -m state
> --state UNTRACKED,INVALID -j SYNPROXY --sack-perm --timestamp --mss
> 1460 --wscale 5
> 00000000        00000000
> 
> I think I might be missing something and not testing SYNPROXY properly, any clue?

I guess you need to put the SYNPROXY rule in FORWARD instead of INPUT.
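
Added example, not part of the original message: a small check over `iptables-save` output that reports which chain a SYNPROXY rule sits in and whether a raw-table notrack rule covers the same port. In the quoted topology the server is a separate host, so its traffic is forwarded rather than delivered locally. The sample ruleset is constructed; `eth1`, the raw-table rule and the `check_synproxy` helper are assumptions for illustration.

```shell
#!/bin/sh
# Constructed iptables-save sample modelled on the rule quoted in the question.
# eth1 stands in for $EXTIF; the raw-table rule is an assumption (it is what
# makes SYNs arrive as UNTRACKED, the state the quoted rule matches on).
SAMPLE_RULESET='*raw
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j CT --notrack
COMMIT
*filter
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 5 --mss 1460
COMMIT'

# check_synproxy MODE  (ruleset on stdin, findings on stdout, exit 1 if any)
#   MODE=routed: the protected server is another host, packets are forwarded
#   MODE=local : the protected service listens on this machine
check_synproxy() {
    awk -v mode="$1" '
        substr($0, 1, 1) == "*" { table = substr($0, 2) }
        # Remember every port whose SYNs are exempted from conntrack.
        $1 == "-A" && table == "raw" && / -j (CT --notrack|NOTRACK)/ {
            if (match($0, /--dport [0-9]+/))
                notrack[substr($0, RSTART + 8, RLENGTH - 8)] = 1
        }
        # Record the chain each SYNPROXY rule was appended to.
        $1 == "-A" && / -j SYNPROXY/ {
            port = "any"
            if (match($0, /--dport [0-9]+/))
                port = substr($0, RSTART + 8, RLENGTH - 8)
            chain[port] = $2
        }
        END {
            want = (mode == "routed") ? "FORWARD" : "INPUT"
            for (p in chain) {
                if (chain[p] != want) {
                    printf "port %s: SYNPROXY in %s, %s traffic traverses %s\n", p, chain[p], mode, want
                    bad = 1
                }
                if (!(p in notrack)) {
                    printf "port %s: no raw-table notrack rule, SYNs will not be UNTRACKED\n", p
                    bad = 1
                }
            }
            exit bad + 0
        }'
}

# Run against the constructed sample as a router protecting another host.
printf '%s\n' "$SAMPLE_RULESET" | check_synproxy routed || true
```

On a live box the same function can read `iptables-save` directly, for example `iptables-save | check_synproxy routed`.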
