From: Antonio Pérez
Subject: Re: layer7 problem
Date: Wed, 24 Aug 2005 15:59:54 +0200
Message-ID: <430C7D5A.2080507@telefonica.net>
In-Reply-To: <430C669D.7020501@mnemon.de>
To: Jörg Harmuth
Cc: netfilter@lists.netfilter.org

Jörg Harmuth wrote:
>Antonio Pérez wrote:
>
>>Jörg Harmuth wrote:
>>
>>>Antonio Pérez wrote:
>>>
>>>>Hi Joerg,
>>>>
>>>>Thanks for your reply, I also tried PREROUTING and also many different
>>>>protocols, not only http and the problem remains the same, everything
>>>>seems to work properly, no errors, but the number of marked packets
>>>>remains empty.
>>>>Any idea will be appreciated, thanks.
>>>>
>>>Could you please post the output of iptables-save ? I assume, that some
>>>other rules are the culprit ;)
>>>
>>>Have a nice time,
>>>
>>>Joerg
>>>
>>iptables-save
>># Generated by iptables-save v1.3.3 on Wed Aug 24 14:05:01 2005
>>*mangle
>>:PREROUTING ACCEPT [633:402628]
>>:INPUT ACCEPT [633:402628]
>>:FORWARD ACCEPT [0:0]
>>:OUTPUT ACCEPT [606:91422]
>>:POSTROUTING ACCEPT [606:91422]
>>-A PREROUTING -m layer7 --l7proto http -j MARK --set-mark 0x1
>>-A PREROUTING -m layer7 --l7proto dns -j MARK --set-mark 0x1
>>-A POSTROUTING -m layer7 --l7proto http -j MARK --set-mark 0x1
>>-A POSTROUTING -m layer7 --l7proto dns -j MARK --set-mark 0x1
>>COMMIT
>># Completed on Wed Aug 24 14:05:01 2005
>>
>
>[SNIP]
>
>>I applied layer7 patch to kernel and iptables, do I need to add any
>>other patch?
>>
>
>No, that will do. Well, these rules are fine - but it's only mangle
>table. What about filter / nat table ? Any rules in these chains ? Any
>policies set to DROP ?
>
>Have a nice time,
>
>Joerg
>

Both nat and filter are empty:

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Thanks for your time.
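The iptables-save output posted above was taken without `-c`, so it shows only the chain policy counters, not how many packets each layer7 rule has matched. The following is an added example, not code from the thread or from the netfilter or l7-filter projects: a small parser for `iptables-save -c` output that lists every `-m layer7` rule whose packet counter is still zero and notes whether the chain it sits in has actually seen traffic (the policy counter counts packets that fell through to the policy, and since MARK is non-terminating every packet traversing the chain lands there). The sample ruleset is constructed from the rules in the thread with made-up per-rule counters.

```python
import re
from dataclasses import dataclass

# Constructed sample in `iptables-save -c` format, modelled on the mangle
# rules posted in the thread. The per-rule [packets:bytes] counters are
# invented for illustration; they are not from the original message.
SAMPLE_SAVE = """\
# Generated by iptables-save v1.3.3 on Wed Aug 24 14:05:01 2005
*mangle
:PREROUTING ACCEPT [633:402628]
:INPUT ACCEPT [633:402628]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [606:91422]
:POSTROUTING ACCEPT [606:91422]
[0:0] -A PREROUTING -m layer7 --l7proto http -j MARK --set-mark 0x1
[0:0] -A PREROUTING -m layer7 --l7proto dns -j MARK --set-mark 0x1
[12:1840] -A POSTROUTING -m layer7 --l7proto http -j MARK --set-mark 0x1
[0:0] -A POSTROUTING -m layer7 --l7proto dns -j MARK --set-mark 0x1
COMMIT
# Completed on Wed Aug 24 14:05:01 2005
*filter
:INPUT ACCEPT [633:402628]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [606:91422]
COMMIT
"""

# "[pkts:bytes] -A CHAIN rule-spec" as printed by iptables-save -c
RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$")
# ":CHAIN POLICY [pkts:bytes]" chain header with policy counters
CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")


@dataclass
class Chain:
    table: str
    name: str
    policy: str
    packets: int
    bytes: int


@dataclass
class Rule:
    table: str
    chain: str
    packets: int
    bytes: int
    spec: str


def parse_save(text):
    """Parse `iptables-save -c` output into chain headers and rules."""
    table = None
    chains, rules = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):          # "*mangle", "*filter", ...
            table = line[1:]
            continue
        m = CHAIN_RE.match(line)
        if m:
            chains.append(Chain(table, m.group(1), m.group(2),
                                int(m.group(3)), int(m.group(4))))
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(table, m.group(3), int(m.group(1)),
                              int(m.group(2)), m.group(4)))
    return chains, rules


def idle_rules(rules, match="-m layer7"):
    """Rules using the given match whose packet counter is still zero."""
    return [r for r in rules if match in r.spec and r.packets == 0]


def traffic_reached_chain(chains, table, name):
    """True if the chain's policy counter shows packets traversed it."""
    return any(c.table == table and c.name == name and c.packets > 0
               for c in chains)


def report(text):
    """One line per idle layer7 rule, saying whether its chain saw traffic."""
    chains, rules = parse_save(text)
    out = []
    for r in idle_rules(rules):
        seen = traffic_reached_chain(chains, r.table, r.chain)
        where = "chain saw traffic" if seen else "no traffic in chain"
        out.append(f"{r.table}/{r.chain}: 0 packets matched [{r.spec}] ({where})")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_SAVE):
        print(line)
```

Run it against real output with `iptables-save -c | python3 check_l7.py` after swapping `SAMPLE_SAVE` for `sys.stdin.read()`; `iptables -t mangle -L -v -n` shows the same per-rule counters interactively. A rule reported as "0 packets matched" in a chain that has seen hundreds of packets means the layer7 match itself is not firing, which is a different problem from traffic never reaching the chain.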