From: Doug Kehn <rdkehn@yahoo.com>
To: netfilter@vger.kernel.org
Subject: conntrack and PREROUTING
Date: Thu, 19 Jun 2008 16:57:18 -0700 (PDT)
Message-ID: <869998.64693.qm@web52012.mail.re2.yahoo.com>

Hi All,

Is the PREROUTING chain bypassed if a connection is ESTABLISHED?  There are hints to this in the documents I've read but I haven't found anything definitive.

I'm using Dansguardian with TinyProxy with the following rule:

iptables -t nat -A PREROUTING -d ! 192.168.2.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129

Everything is working, from a proxy perspective, as expected.  However, if I play a high bit-rate (>4 Mbps) video stream over HTTP, the playback is very choppy.  The choppiness is due to ACK latency through the proxy.  (Video playback is fine if I remove the proxy.)  

I know I could just create a nat PREROUTING rule to bypass the proxy for the site I'm attempting to stream video from, but I'm looking for a more general solution.  Thus, what I'm attempting to do is have ACKs bypass the proxy after the connection is ESTABLISHED.  I tried using the raw table in PREROUTING, but my rule was never hit.  (Thus, the reason for my first question.)  The raw table rules I attempted were:

iptables -t raw -A PREROUTING -d ! 192.168.2.0/255.255.255.0 -i br0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK ACK -m tcp --dport 80 -m state --state ESTABLISHED -j NOTRACK

   -and-

iptables -t raw -A PREROUTING -d ! 192.168.2.0/255.255.255.0 -i br0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK ACK -m tcp --dport 80 -m conntrack --ctstate ESTABLISHED -j NOTRACK

Is what I'm attempting to do possible with the existing implementation?  Does this even make sense?

I'm attempting to do this on a home router that is running Linux 2.6.18 with iptables v1.3.7-20070509.


Thanks,
...doug
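As an added illustration (not code from the mail, and not netfilter's own code), here is a small Python model of the IPv4 PREROUTING hook order, raw -> conntrack -> nat, applied to the two rules quoted above: the raw-table rule is evaluated for every packet but its state match runs before any conntrack lookup has happened, so it can never see ESTABLISHED, while the nat table is walked only for the first packet of a flow and later packets reuse the stored REDIRECT mapping. The client address, server address, ports and the two-packet flow are constructed sample values.

```python
# Added model (not from the mail or the kernel): PREROUTING order raw -> conntrack -> nat.
from dataclasses import dataclass
LAN_PREFIX = "192.168.2."   # stands in for -d ! 192.168.2.0/255.255.255.0

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset
    ct_state: str = ""           # "" = conntrack has not looked at this packet yet
    nat_dport: int = 0           # destination port after nat PREROUTING

def raw_prerouting(pkt, stats):
    """-p tcp --tcp-flags FIN,SYN,RST,ACK ACK --dport 80 -m state --state ESTABLISHED -j NOTRACK"""
    stats["raw_evaluated"] += 1
    # raw runs before conntrack, so pkt.ct_state is still "" here; the iptables state
    # match treats a packet with no conntrack entry as INVALID, never as ESTABLISHED.
    if pkt.dport == 80 and pkt.flags == frozenset({"ACK"}) and pkt.ct_state == "ESTABLISHED":
        stats["raw_hits"] += 1
        return "NOTRACK"
    return None

def conntrack(pkt, table):
    key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)          # first packet of a flow is NEW
    pkt.ct_state = "ESTABLISHED" if key in table else "NEW"
    return table.setdefault(key, {})

def nat_prerouting(pkt):
    """-d ! 192.168.2.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3129"""
    return 3129 if (not pkt.dst.startswith(LAN_PREFIX) and pkt.dport == 80) else pkt.dport

def prerouting(pkt, table, stats):
    if raw_prerouting(pkt, stats) == "NOTRACK":
        return pkt                       # untracked: conntrack and nat are skipped
    entry = conntrack(pkt, table)
    if "redirect_to" not in entry:       # nat table is walked only for a NEW flow ...
        stats["nat_evaluated"] += 1
        entry["redirect_to"] = nat_prerouting(pkt)
    pkt.nat_dport = entry["redirect_to"] # ... later packets reuse the stored mapping
    return pkt

def run_demo():
    """Client SYN then a data ACK to a non-LAN web server (constructed sample flow)."""
    table, stats = {}, {"raw_evaluated": 0, "raw_hits": 0, "nat_evaluated": 0}
    syn = Packet("192.168.2.10", "203.0.113.5", 40000, 80, frozenset({"SYN"}))
    ack = Packet("192.168.2.10", "203.0.113.5", 40000, 80, frozenset({"ACK"}))
    ports = [prerouting(p, table, stats).nat_dport for p in (syn, ack)]
    return stats, ports
```

On a real box the same conclusion can be checked by comparing the packet counters of `iptables -t raw -vnL PREROUTING` and `iptables -t nat -vnL PREROUTING` while a long-lived HTTP transfer runs.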