Re: [LARTC] Marking packets for shaping

Linux Advanced Routing and Traffic Control


 



OK. My question is: where are you doing the ftp from?

1) When you use OUTPUT the packets originating from your firewall
   will be marked.
2) When you use INPUT the packets destined for your firewall
   will be marked. (you don't use this because it's too late for tc).
3) When you use PREROUTING the packets received from the network
   will be marked.
4) When you use POSTROUTING the packets leaving your firewall will
   be marked. (you don't use this because it's too late for tc).

It all depends on your application, what you want to mark, in which
direction and where in the forwarding process.


Ramin




On Thu, May 17, 2001 at 05:57:35PM -0400, johan@xxxxxxxxxxxxxx wrote:

> This is the result when I use the OUTPUT chain
> 
> 150 Opening BINARY mode data connection for iproute-2.2.4-2.i386.rpm (327439 bytes).
> 226 Transfer complete.
> 327439 bytes received in 21 secs (15 Kbytes/sec)
> 
> With configuration like this
> 
> bash# iptables -t mangle -L
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination         
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination         
> MARK       tcp  --  fvbs.pinguind.co.id  anywhere           state RELATED,ESTABLISHED MARK set 0x1 
> MARK       tcp  --  fvbs.pinguind.co.id  anywhere           tcp spt:www MARK set 0x2 
> 
> ---[ eth0: configured classes ]---------------------------
> 
> class cbq 10: root rate 10Mbit (bounded,isolated) prio no-transmit
> class cbq 10:2 parent 10: rate 10Mbit prio 4
> class cbq 10:4 parent 10:2 leaf 8001: rate 128Kbit prio 4
> class cbq 10:5 parent 10:2 leaf 8002: rate 256Kbit prio 4
> 
> ---[ eth0: queueing disciplines ]-------------------------
> 
> qdisc tbf 8002: rate 256Kbit burst 10Kb lat 190.7ms 
> qdisc tbf 8001: rate 128Kbit burst 10Kb lat 381.5ms 
> qdisc cbq 10: rate 10Mbit (bounded,isolated) prio no-transmit
> 
> 
> On Wed, May 16, 2001 at 07:30:57PM -0400, Ramin Alidousti wrote:
> > Aren't you making a mistake here, Johan? OUTPUT chain is meant
> > for the outgoing packets from the firewall itself. What Jaco is
> > doing is receiving packets from the network which will never pass
> > the OUTPUT chain.
> > 
> > Ramin
> > 
> > On Thu, May 17, 2001 at 06:29:00AM -0400, johan@xxxxxxxxxxxxxx wrote:
> > 
> > > I have met this condition before.
> > > I changed the chain rule in iptables; try it like this:
> > > 
> > > iptables -I OUTPUT -t mangle -p tcp -s 0/0 -d 192.168.62.0/24 -j MARK --set-mark 1
> > > 
> > > and it works.
> > > 
> > > Regards
> > > 
> > > Johan
> > > 
> > > On Wed, May 16, 2001 at 11:07:07AM -0400, Ramin Alidousti wrote:
> > > > I assume that the packets come in on eth0, right? And I'm not sure
> > > > if the mangle table sees the destination as 192.168.62.0/24 or as
> > > > the original destination address. Try this:
> > > > 
> > > > iptables -A PREROUTING -t mangle -p tcp -i eth0 -d 192.168.62.0/24 \
> > > > 	-j MARK --set-mark 1
> > > > 
> > > > If it doesn't work, try:
> > > > 
> > > > iptables -A PREROUTING -t mangle -p tcp -i eth0 -d <orig dst IP's> \
> > > > 	-j MARK --set-mark 1
> > > > 
> > > > Hope it works,
> > > > Ramin
> 
> -- 
>              -'-      
>              (o o)     
> ---------ooO--(_)--Ooo-------------------------------------------------
>   (  )/  \( )( ) (  ) ( \( )      Visit us at http://www.pinguind.co.id
>  __)(( () ))__(  /__\  )  (   Feel free to contact me at ICQ  #47240718       
> (___/ \__/(_)(_)(_)(_)(_)\_)                 email:johan@xxxxxxxxxxxxxx          
> -----------------------------------------------------------------------

-- 
Ramin Alidousti                                         ramin@xxxxxx
Advanced Development                             tel +1 703 886 2640
UUNET, A WorldCom Company                        fax +1 703 886 0536
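
The chain question debated in this thread, as an added example that is not part of the original messages: a small Python model of the standard netfilter hook order, showing which of the two proposed mangle rules marks a forwarded packet and which marks traffic the firewall itself sends. The addresses are constructed, the rules are reduced to their chain, `-d` network and `--set-mark` value, and NAT and the tc side are not modelled.

```python
import ipaddress

# Standard netfilter hook order for each kind of flow through a Linux box.
HOOKS = {
    "forwarded": ["PREROUTING", "FORWARD", "POSTROUTING"],
    "local_in": ["PREROUTING", "INPUT"],
    "local_out": ["OUTPUT", "POSTROUTING"],
}

def flow_type(src, dst, local_addrs):
    """Classify a packet by whether the firewall is its source or destination."""
    if src in local_addrs:
        return "local_out"
    if dst in local_addrs:
        return "local_in"
    return "forwarded"

def mark_for(packet, rules, local_addrs):
    """Return the fwmark after the rules run. MARK does not stop rule
    traversal, so the last matching rule decides the value."""
    mark = 0
    dst = ipaddress.ip_address(packet["dst"])
    for hook in HOOKS[flow_type(packet["src"], packet["dst"], local_addrs)]:
        for chain, dst_net, value in rules:
            if chain == hook and dst in ipaddress.ip_network(dst_net):
                mark = value
    return mark

# Constructed addresses: the firewall owns these two.
LOCAL = {"192.168.62.1", "10.0.0.1"}
# The two rules proposed in the thread: (chain, -d network, --set-mark).
OUTPUT_RULE = [("OUTPUT", "192.168.62.0/24", 1)]
PREROUTING_RULE = [("PREROUTING", "192.168.62.0/24", 1)]
# Constructed packets: one routed through the firewall to a LAN host,
# one generated by the firewall itself.
FORWARDED = {"src": "203.0.113.5", "dst": "192.168.62.20"}
FROM_FIREWALL = {"src": "192.168.62.1", "dst": "192.168.62.20"}

def demo():
    """Mark each packet ends up with under each rule."""
    return {
        "forwarded, OUTPUT rule": mark_for(FORWARDED, OUTPUT_RULE, LOCAL),
        "forwarded, PREROUTING rule": mark_for(FORWARDED, PREROUTING_RULE, LOCAL),
        "from firewall, OUTPUT rule": mark_for(FROM_FIREWALL, OUTPUT_RULE, LOCAL),
        "from firewall, PREROUTING rule": mark_for(FROM_FIREWALL, PREROUTING_RULE, LOCAL),
    }

if __name__ == "__main__":
    for case, mark in demo().items():
        print(f"{case}: mark {mark}")
```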


