From mboxrd@z Thu Jan  1 00:00:00 1970
From: Andy Furniss <andy.furniss@dsl.pipex.com>
Date: Fri, 22 Apr 2005 23:34:27 +0000
Subject: Re: AW: AW: AW: AW: [LARTC] Activate ingress policies on suse enterpr
Message-Id: <42698A03.4000402@dsl.pipex.com>
List-Id: <lartc.vger.kernel.org>
References: <E650DED25A93D71184B80002B3CC411D84F54A@vies1a1a.sie.siemens.at>
In-Reply-To: <E650DED25A93D71184B80002B3CC411D84F54A@vies1a1a.sie.siemens.at>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

Grames Gernot wrote:
> Hi,
> 
> So far, if have understand correctly: I route the incoming tcpip message of
> port 8099 directly to 8080 and then the ingress filter on port 8099 has
> nothing to do!?
> 
> Yes I think on different interface on one machine (different Ports for
> different Request, with different restriction).
> 
> What has exactly to be done to set the policier before Prerouting!
> Which kernel options, or also extra modules!?

On recent kernels if you select packet action in Qos and/or fair queuing 
of config the policer will be before PREROUTING.

> 
> Or how it can be done on iptable level??

You could have your DNAT rule only for packets from the interface you 
want eg .... -i eth1 DNAT ...... would only do packets inbound from eth1.

Andy.
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc