Re: Help please with tc and iptables mark

Linux Advanced Routing and Traffic Control

> Message: 1
> Date: Mon, 4 Apr 2005 12:06:35 +0100
> From: Adrian Turcu <adrian.turcu@xxxxxxxxxxxxxxxxxx>
> Subject:  Help please with tc and iptables mark
> To: lartc@xxxxxxxxxxxxxxx
> Message-ID: <200504041206.35593.adrian.turcu@xxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="us-ascii"
> 
> Hello list members,
> 
> Finally I'm here after a week of trying to subscribe to this list... pfew...
> 
> Anyway... I have a rather strange problem with tc. I am trying to police the
> ingress traffic into my network using the iptables MARK feature (in the mangle
> table, PREROUTING), but it seems that the tc filters ignore these marks and
> they don't work at all for me. Let me explain in a bit more detail:
> 
> I have a server behind my linux-firewall box (the firewall runs a custom-built
> 2.6.10 kernel, iproute2-2.6.11, iptables-1.3.1, gcc-3.4.3), for which I want
> to limit the incoming traffic to certain limits (for the test I chose 100kbit
> rate, 100kbit burst, mtu 1500). The server IP address behind the firewall is
> 192.168.1.218, attached to the eth0 interface. Interface eth1 on the firewall
> faces the incoming traffic from the outside world:
> 
> 			 eth0       eth1
> Server|----------|linux|----------|outside
>     192.168.1.0/24     192.168.2.0/24
> .218           .99     .100
> 
> 
> Now, I've created an iptables rule like this:
> 
> iptables -t mangle -I PREROUTING -i eth1 -p tcp -d 192.168.1.218 --dport 22 -j MARK --set-mark 1
I'm most likely wrong but try this:
trade -I PREROUTING for -A FORWARD and see what happens...

From http://iptables-tutorial.frozentux.net/iptables-tutorial.html
7.2.10. PREROUTING chain of the nat table

Caution

The PREROUTING chain should not be used for any filtering since,
among other things, this chain is only traversed by the first packet
in a stream. The PREROUTING chain should be used for network address
translation only, unless you really know what you are doing.

James
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
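Added example, not from either poster: a script for the setup described in the thread (server 192.168.1.218 behind eth0, outside world on eth1, 100kbit rate, 100kbit burst, mtu 1500). It keeps the mangle PREROUTING mark but attaches the fw filter with a police action to the egress side of eth0, because the ingress qdisc on eth1 runs before netfilter PREROUTING and therefore never sees a mark set there; by default it only prints the commands (DRY_RUN=1), and the counter-check function is how you confirm the mark is actually being set and matched.

```shell
#!/bin/sh
# Added example (not the original poster's configuration).
# Assumes the thread's topology: 192.168.1.218 on eth0, outside on eth1.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them as root.

SERVER=192.168.1.218
IN_IF=eth1      # faces the outside world
OUT_IF=eth0     # faces the server; marks are matched on its egress side
MARK=1
RATE=100kbit
BURST=100kbit
MTU=1500

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

mark_rules() {
    # mangle PREROUTING sees every forwarded packet (unlike nat PREROUTING,
    # which only sees the first packet of a connection), so the mark is
    # present on all SSH packets destined for the server.
    run iptables -t mangle -A PREROUTING -i "$IN_IF" -p tcp -d "$SERVER" \
        --dport 22 -j MARK --set-mark "$MARK"
}

shape_rules() {
    # A prio qdisc on the server-facing interface; the fw filter matches
    # skb->mark == MARK (the "handle" is the mark value) and polices it.
    run tc qdisc add dev "$OUT_IF" root handle 1: prio
    run tc filter add dev "$OUT_IF" parent 1: protocol ip prio 1 \
        handle "$MARK" fw police rate "$RATE" burst "$BURST" mtu "$MTU" \
        drop flowid 1:1
}

show_counters() {
    # Verification: a rising packet count on the MARK rule proves the mark is
    # set; a rising count on the filter proves tc is classifying on it.
    run iptables -t mangle -L PREROUTING -v -n
    run tc -s filter show dev "$OUT_IF"
}

mark_rules
shape_rules
show_counters
```

Marking in FORWARD instead of PREROUTING, as suggested above, also works with this layout, since FORWARD is likewise traversed before the packet reaches the eth0 egress qdisc.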
