From: FB
Date: Fri, 09 Jul 2004 18:58:36 +0000
Subject: Re: [LARTC] Layer 7 netfilter not working
Message-Id: <40EEEADC.1060406@flintz.de>
References: <40EED18F.4050804@flintz.de>
In-Reply-To: <40EED18F.4050804@flintz.de>
To: lartc@vger.kernel.org

Jason Boxman wrote:

> That's not necessary. You might be creating more work for yourself. I just
> recycled the Debian iptables package, which is still 1.2.9 I believe. You'll
> need to patch it and create the appropriate dot file for the build to
> succeed, but after that I just rebuild the package with 'debuild -uc -us' and
> copied it to my compiler-less router. I'm using 2.6.6, but I'm sure 2.6.7
> should work fine.

OK, it may not be necessary, but it shouldn't be the source of the problem, should it? It should work with iptables 1.2.11 all the same, or are there some issues there?

> I believe the documentation mentions that layer7 works best when it can see
> both 'sides' of the connection. If you're filtering through INPUT or OUTPUT
> you're missing half. Check the ftp protocol match. Does it rely on seeing
> both sides of the connection to match up?
>
> Try matching in FORWARD, PREROUTING, or POSTROUTING. I believe these see all
> sides of the connection.

Doesn't change anything :-(

BTW, when I use the setting from the NETFILTER HOWTO page:

  iptables -t mangle -A POSTROUTING -m layer7 --l7proto http -j MARK --set-mark 1

and change it (as written in the howto under "blocking") to:

  iptables -t mangle -A POSTROUTING -m layer7 --l7proto http -j REJECT

I get an "iptables: Invalid Argument" when executing the script. How come?

(I must admit that I am not much of an iptables expert, so excuse some lack of knowledge of all the chains and structures ;) )

-FB

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
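The two rules FB quotes, worked into a complete rule set as an added example. This is not code from the original post, from the LARTC HOWTO or from the l7-filter project. It assumes the l7-filter kernel patch, the matching iptables userspace patch and the "http" and "ftp" protocol pattern files are installed; the IPT and APPLY variables and the function names are the example's own. The split it shows is the one that avoids the error in the post: layer7 classification (MARK) in the mangle table, where both directions of a forwarded connection are visible, and REJECT in the filter table, because the REJECT target is only accepted in the filter table's INPUT, FORWARD and OUTPUT chains. A REJECT rule placed in mangle POSTROUTING is refused by the kernel when the rule is loaded, which iptables reports as "Invalid argument"; DROP has no such restriction.

```shell
#!/bin/sh
# Added example, not from the original post or from the l7-filter project.
# Assumes the l7-filter kernel patch, the matching iptables userspace patch
# and the protocol pattern files for "http" and "ftp" are installed.
#
# IPT is the iptables binary. It is switched to "echo" (print the rules
# instead of installing them) unless APPLY=1 is set and we run as root.
IPT="${IPT:-iptables}"

# Classification: layer7 inspects the first packets of a connection in
# both directions, so match in FORWARD or in mangle PREROUTING/POSTROUTING
# (which see both directions of forwarded traffic), not in INPUT or OUTPUT
# alone, where half of the connection is missing.
l7_mark_rules() {
    $IPT -t mangle -A POSTROUTING -m layer7 --l7proto http -j MARK --set-mark 1
    $IPT -t mangle -A POSTROUTING -m layer7 --l7proto ftp  -j MARK --set-mark 2
}

# Enforcement: REJECT is only valid in the filter table's INPUT, FORWARD
# and OUTPUT chains. The same rule in "-t mangle -A POSTROUTING" is refused
# by the kernel at load time and iptables prints "Invalid argument".
# DROP is an ordinary verdict and may stay in the mangle table.
l7_block_rules() {
    $IPT -t filter -A FORWARD -p tcp -m layer7 --l7proto http \
        -j REJECT --reject-with tcp-reset
    $IPT -t mangle -A POSTROUTING -m layer7 --l7proto ftp -j DROP
}

# Dry-run helper: run one of the rule functions with IPT=echo and count
# the layer7 rules it would install.
count_l7_rules() {
    ( IPT=echo; "$1" ) | grep -c -- '-m layer7'
}

# Install for real only when explicitly asked for and running as root;
# otherwise print the rule set so it can be reviewed first.
if [ "${APPLY:-0}" != 1 ] || [ "$(id -u)" -ne 0 ]; then
    IPT=echo
fi
l7_mark_rules
l7_block_rules
```

Run as is, the script prints the four rules; run with APPLY=1 as root it installs them. Because layer7 needs to see the payload of the first few packets before a connection is classified, the initial packets of a matching connection pass before the REJECT or DROP rule starts to hit; use the MARK rules together with tc if you want to shape rather than block.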