* proxy and quotas
@ 2015-05-24 19:11 Yan Seiner
From: Yan Seiner @ 2015-05-24 19:11 UTC
To: netfilter

I'm trying to get quotas working. Earlier I posted a query about the
proxy module not working correctly. In my attempts to diagnose the
problem I came up with another issue.

Right now, the 'guests' - those users who do not have credentials - use
an unsecured network. I am trying to figure out how to limit them to a
quota.

However, I also have a proxy which gives my guests the ability to get to
the internet either directly through the FORWARD chain or via the proxy
through the INPUT chain.

So... if I want to limit a user to a hard quota, how should I
structure my iptables rules?

Not all packets go through the PREROUTING chain, and once the routing
decision is done, they go either through the INPUT chain to the proxy or
through the FORWARD chain to the outside via POSTROUTING.

On the return leg they repeat the process; come in on PREROUTING, get
de-MASQ'd, and either go through FORWARD or INPUT and then out to the
guest user via POSTROUTING.

I could put my accounting rules in POSTROUTING but then I lose the
source or destination information.

Is there a place in PRE- or POSTROUTING that is guaranteed to see every
packet?

Thanks.