On Sep/25/2001, Shanker Balan wrote:
> Is it possible to use the Iptable's "established,related" functions to
> mark FTP data traffic and then use the "fw" classifier on it?

Yes, using ip_conntrack_ftp, it will be something like this (take a look at
http://www.cs.princeton.edu/~jns/security/iptables/iptables_conntrack.html):

iptables -A OUTPUT -t mangle -o $IF_LAN -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j MARK --set-mark 1

Passive ftp-data traffic will be marked with this rule, but this is very generic and may catch other traffic totally unrelated to an FTP communication... (i.e. a DCC send using ip_conntrack_irc)

ivan
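A fuller version of this setup, as an added example that is not from the post above: it narrows the mark to connections the FTP conntrack helper actually expected (the helper match, which avoids the DCC case Ivan mentions) and attaches the "fw" classifier to an HTB class. It assumes a current kernel and iptables (nf_conntrack_ftp and the helper match); the interface name, rates and mark value are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Marks only the ftp-data
# connections the FTP conntrack helper expected, then steers them into an
# HTB class with the "fw" classifier. IF_LAN, rates and mark are placeholders.
IF_LAN="${IF_LAN:-eth1}"
FTP_MARK=1

# run: execute the command, or only print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

mark_ftp_data() {
    # The helper must be loaded so the data connection is tracked as RELATED
    # to the control connection (assumes a kernel using the nf_conntrack names).
    run modprobe nf_conntrack_ftp
    # Narrower than the post's rule, which marks every ESTABLISHED,RELATED flow
    # between high ports: "-m helper --helper ftp" matches only connections the
    # FTP helper set up, so a DCC send tracked by the IRC helper is not caught.
    run iptables -t mangle -A OUTPUT -o "$IF_LAN" -p tcp \
        -m conntrack --ctstate ESTABLISHED,RELATED \
        -m helper --helper ftp \
        -j MARK --set-mark "$FTP_MARK"
}

shape_ftp_data() {
    # HTB root with a default class for everything else (1:20) and a
    # dedicated class for ftp-data (1:10); the rates are constructed values.
    run tc qdisc add dev "$IF_LAN" root handle 1: htb default 20
    run tc class add dev "$IF_LAN" parent 1: classid 1:1 htb rate 10mbit
    run tc class add dev "$IF_LAN" parent 1:1 classid 1:10 htb rate 2mbit ceil 10mbit
    run tc class add dev "$IF_LAN" parent 1:1 classid 1:20 htb rate 8mbit ceil 10mbit
    # The fw classifier selects packets carrying FTP_MARK and sends them to 1:10.
    run tc filter add dev "$IF_LAN" parent 1: protocol ip prio 1 \
        handle "$FTP_MARK" fw flowid 1:10
}

setup_ftp_shaping() {
    mark_ftp_data
    shape_ftp_data
}

# "show" prints the commands; "apply" runs them (needs root).
case "${1:-}" in
    show) DRY_RUN=1; setup_ftp_shaping ;;
    apply) setup_ftp_shaping ;;
esac
```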