On Mon 04 Apr 2005 15:31, james jones wrote:
> > Now, I've created an iptables rule like this:
> >
> > iptables -t mangle -I PREROUTING -i eth1 -p tcp -d 192.168.1.218 --dport 22 -j MARK --set-mark 1
>
> I'm most likely wrong but try this:
> trade -I PREROUTING for -A FORWARD and see what happens...
>
> From http://iptables-tutorial.frozentux.net/iptables-tutorial.html
>
> 7.2.10. PREROUTING chain of the nat table
>
> Caution
>
> The PREROUTING chain should not be used for any filtering since,
> among other things, this chain is only traversed by the first packet
> in a stream. The PREROUTING chain should be used for network address
> translation only, unless you really know what you are doing.
>
> James

Hi James,

I'm using PREROUTING in the mangle table, not in the nat table; it should make a difference. But just for the sake of it, I have tried the FORWARD chain in the mangle table and still nothing.

The mangle table should take precedence over the nat table (this is how I remember it - I could be wrong, so please advise), and if so then the packets should be marked prior to any routing decision; that's the whole catch for policing ingress traffic. And just for peace of mind, I'm not doing more than marking in that mangle table (PREROUTING chain).

Thanks anyway for the tip,
Adrian

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
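The first thing to settle in a situation like the one above is whether the MARK rule is matching at all, and iptables already records that: the verbose listing of the mangle PREROUTING chain (`iptables -t mangle -L PREROUTING -v -n -x`) carries a packet and byte counter per rule. If the counter on the MARK rule stays at zero while traffic flows, the packets never traverse that rule on that path, and the tc side is not the place to look yet. One ordering fact that matters for ingress policing specifically: the tc ingress qdisc on an interface runs before netfilter's PREROUTING hook, so a mark set in mangle PREROUTING is not yet present when an ingress filter on that same interface evaluates the packet; it is visible on the egress side of the forwarding path. The script below is an added example, not code from the thread or the LARTC project: it parses such a counter listing and reports the hit count of the MARK rule for a given destination and port. The listing embedded in it is constructed sample output, and the function names `mark_rule_hits` and `mark_rule_verdict` are mine.

```shell
#!/bin/sh
# Added example: check whether a MARK rule in the mangle PREROUTING chain has
# matched any packets, using the per-rule counters that iptables -L -v -n -x prints.
# -x prints exact counters (no "12K" abbreviations), -n skips DNS lookups.

# CONSTRUCTED sample output of `iptables -t mangle -L PREROUTING -v -n -x`.
# Not captured from a real host. The rule for 192.168.1.218:22 has seen nothing;
# a second rule (dpt:80 via eth0) has seen 842 packets.
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 12345 packets, 6789000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 MARK       tcp  --  eth1   *       0.0.0.0/0            192.168.1.218        tcp dpt:22 MARK set 0x1
     842      61240 MARK       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 MARK set 0x2'

# mark_rule_hits LISTING DEST DPORT
# Prints the packet counter of the first MARK rule whose destination column equals
# DEST and whose match text contains "dpt:DPORT", or "absent" if there is no such rule.
# Column layout of -L -v: pkts bytes target prot opt in out source destination [match text]
mark_rule_hits() {
    listing=$1; dest=$2; dport=$3
    printf '%s\n' "$listing" | awk -v d="$dest" -v p="$dport" '
        $3 == "MARK" && $9 == d && index($0, "dpt:" p " ") { print $1; found = 1; exit }
        END { if (!found) print "absent" }'
}

# mark_rule_verdict LISTING DEST DPORT
# Turns the counter into one of three words: absent, no-hits, hits.
mark_rule_verdict() {
    hits=$(mark_rule_hits "$1" "$2" "$3")
    case $hits in
        absent) echo "absent" ;;   # no MARK rule for that dest/port in the chain
        0)      echo "no-hits" ;;  # rule present but never traversed by a matching packet
        *)      echo "hits" ;;     # rule is matching; look further downstream (tc filters)
    esac
}

# Live use (needs root):
#   mark_rule_verdict "$(iptables -t mangle -L PREROUTING -v -n -x)" 192.168.1.218 22
# Run here against the constructed listing so the script works without privileges.
echo "192.168.1.218:22 -> $(mark_rule_verdict "$SAMPLE_LISTING" 192.168.1.218 22)"
echo "0.0.0.0/0:80     -> $(mark_rule_verdict "$SAMPLE_LISTING" 0.0.0.0/0 80)"
```

Read the verdict against the path the traffic takes: "no-hits" for a rule with `-i eth1` means packets for that destination are not arriving on eth1 at all, or the match (address, protocol, port) is wrong; "hits" means marking works and any remaining problem sits in the tc filter that is supposed to consume the mark. Watch the counters over a few seconds rather than once, since the chain's own policy counter shows whether any traffic is passing through the chain at all.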