issue with layer 7 filter

Net_Spy · 04-10-2009, 07:24 AM

Greetings to All,

Guys I just configured an other machine-1 (gateway) for layer 7 filer that will handle sip , h323 , rtp requestt It has two inter faces one is wan and other is for out ( lan )with that lan I connect connect an other machine-2 (proxy) with cross cable that machine have lan interface for my local area network and cross cable connected interface will become wan for this machine.

I set the rule on forwad chain like below rule

Code:

$IPTABLES -t mangle   -A FORWARD -i eth0 -m layer7 --l7proto skypeout -j DROP

eth0 is the interface of machine-1 gateway and I set the rule there , I only enabled teh forwarding on that machine.

Now the problem Im facing is that I can not sign in hotmail , yahoo messenger and such other sites , on machine-2 Ive NAT enabled . Looking forward for your kind response

Regards
Net_Spy

rossonieri#1 · 04-10-2009, 03:40 PM

hi,

does your net look something like this?

Code:

internet --- machine1 --- machine2 --- LAN?

and, what do you mean by this?

Quote:

eth0 is the interface of machine-1 gateway and I set the rule there , I only enabled teh forwarding on that machine.

Now the problem Im facing is that I can not sign in hotmail , yahoo messenger and such other sites , on machine-2 Ive NAT enabled

so, did you create NAT on the machine2 instead of on machine1?
you just can not do that unless your machine1 (both interface WAN & to_machine2) using valid public IPs, and as well as on machine2 to_machine1 interface.

so, put that NAT-MASQUERADE on machine1 and use route to forward traffic from machine1 to LAN, or you can double NAT on machine1 and 2.

HTH.