
On 2013-10-02 06:35, James Harper wrote:
> If the counters are not increasing then your rule isn't being hit, so nothing else is going to work.
> Are the packets being generated on the same box as is running the iptables rule?
I just did a test:
# iptables -t mangle -I PREROUTING -p tcp --dport 1194
# telnet 1.2.3.4 1194
# iptables -t mangle -vnL PREROUTING
And the counters are 0, indicating that the rule is not being hit. If I try the telnet from a machine behind that one, the counters do increase. So it would seem that PREROUTING doesn't get hit for locally generated packets.
If you put the iptables rule on the OUTPUT table the rule will get hit (I just tested this), but that might be too late for routing to be affected. Give it a go though as it should be easy to test. I think I'm doing that on my router.
Page 3 of the O'Reilly Linux iptables Pocket Reference shows how packets traverse the system, and confirms that in the mangle table, the first thing that a local packet hits is the OUTPUT, and it never hits PREROUTING: http://techedu.cu.cc/linux/OReilly%20Linux%20iptables,%20Pocket%20Reference%...

-- 
Regards,
Matthew Cengia
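The counter check from the message above, turned into a small script as an added example (this is not code from the thread or from either poster). It snapshots the packet counters of a counting-only rule in mangle/PREROUTING and mangle/OUTPUT, makes one locally originated connection, and reports which chain saw it. Assumptions, all hypothetical: the target 1.2.3.4:1194 from the thread; root, iptables, timeout and telnet for the live part; the helpers rule_pkts and counter_moved are ours, and the two sample chain listings are constructed to look like `iptables -t mangle -vnxL` output after such a test.

```shell
#!/bin/sh
# Added example, not code from the thread. Compares per-rule packet counters in
# mangle/PREROUTING and mangle/OUTPUT around one locally originated connection.
# Assumptions (hypothetical): target 1.2.3.4:1194 as in the thread; root, iptables,
# timeout and telnet for the live part; rule_pkts/counter_moved are our own helpers.

# Print the packet counter of the first rule whose line matches PATTERN in
# `iptables -vnxL` output read on stdin (-x prints exact counts, no K/M suffixes).
rule_pkts() {
    awk -v pat="$1" '$0 ~ pat { print $1; exit }'
}

# counter_moved BEFORE AFTER: print "hit" and return 0 if the counter increased,
# otherwise print "not hit" and return 1. Missing values count as 0.
counter_moved() {
    if [ "${2:-0}" -gt "${1:-0}" ]; then
        echo hit
        return 0
    fi
    echo "not hit"
    return 1
}

# Constructed sample listings, shaped like `iptables -t mangle -vnxL <chain>` after a
# local connection attempt to port 1194: OUTPUT counted the SYN and its retransmits,
# PREROUTING saw nothing.
SAMPLE_OUTPUT_CHAIN='Chain OUTPUT (policy ACCEPT 812 packets, 90331 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3        180            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194'

SAMPLE_PREROUTING_CHAIN='Chain PREROUTING (policy ACCEPT 1532 packets, 182201 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194'

# Run the check for real: insert counting-only rules (no -j target), generate one
# local SYN, read the counters, and remove the rules again.
live_test() {
    iptables -t mangle -I PREROUTING -p tcp --dport 1194
    iptables -t mangle -I OUTPUT     -p tcp --dport 1194
    pre_before=$(iptables -t mangle -vnxL PREROUTING | rule_pkts 'dpt:1194')
    out_before=$(iptables -t mangle -vnxL OUTPUT     | rule_pkts 'dpt:1194')
    # One locally generated connection attempt; timeout so a silent host cannot hang us.
    timeout 2 telnet 1.2.3.4 1194 >/dev/null 2>&1 || true
    pre_after=$(iptables -t mangle -vnxL PREROUTING | rule_pkts 'dpt:1194')
    out_after=$(iptables -t mangle -vnxL OUTPUT     | rule_pkts 'dpt:1194')
    iptables -t mangle -D PREROUTING -p tcp --dport 1194
    iptables -t mangle -D OUTPUT     -p tcp --dport 1194
    printf 'mangle/PREROUTING: %s (%s -> %s)\n' \
        "$(counter_moved "$pre_before" "$pre_after")" "${pre_before:-0}" "${pre_after:-0}"
    printf 'mangle/OUTPUT:     %s (%s -> %s)\n' \
        "$(counter_moved "$out_before" "$out_after")" "${out_before:-0}" "${out_after:-0}"
}

# Offline run on the constructed samples; pass --live (as root) to test a real host.
if [ "${1:-}" = "--live" ]; then
    live_test
else
    printf 'PREROUTING (sample): %s\n' "$(printf '%s\n' "$SAMPLE_PREROUTING_CHAIN" | rule_pkts 'dpt:1194')"
    printf 'OUTPUT (sample):     %s\n' "$(printf '%s\n' "$SAMPLE_OUTPUT_CHAIN" | rule_pkts 'dpt:1194')"
fi
```

Run it as `sh check.sh --live` on the box that originates the traffic; the offline mode only exercises the parser on the constructed listings. One point worth knowing when deciding whether a mangle/OUTPUT rule is "too late": for locally generated IPv4 packets the kernel re-evaluates the route after the mangle OUTPUT chain if a rule there changed the packet's mark, which is why `-j MARK` in mangle/OUTPUT combined with `ip rule add fwmark ... lookup ...` is the standard way to policy-route local traffic.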