Marking with firewall

Linux Advanced Routing and Traffic Control

Hi all,

I've been trying to do the above and read everything I can find on
Google on the subject, but something seems to be going wrong.  I tried
the following sample rules in iptables (initially I just set the first
one, but I added more as my desperation escalated):

	iptables -t mangle -A PREROUTING -p icmp -j MARK --set-mark 1
	iptables -A FORWARD -p icmp -j MARK --set-mark 1
	iptables -t mangle -A POSTROUTING -p icmp -j MARK --set-mark 1

With the following in my traffic shaping script:

	tc filter add dev eth0 parent 1:0 protocol ip prio 1 handle 1 fw classid 12:0

The problem is that all ICMP traffic is going out of the default queue
(classid 15:0) even though the firewall is catching it (checking the
packet counts with 'iptables -t mangle -L -nvx' and 'iptables -L -nvx'
shows packets were being caught).  So, why are the filters not catching
the packets?  What obvious mistake have I made?  :)

Many thanks for any help,

Mark Lidstone
IT and Network Support Administrator

BMT SeaTech Ltd
Grove House, Meridians Cross, 7 Ocean Way
Ocean Village, Southampton.  SO14 3TJ. UK
Tel: +44 (0)23 8063 5122
Fax: +44 (0)23 8063 5144

E-Mail:  mailto:mark.lidstone@xxxxxxxxxxxxxxxx
Website: www.bmtseatech.co.uk
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
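A self-consistent version of the mark-then-classify setup the post is trying to build, added here as an example and not the poster's own script: the mark is set only in the mangle table, packets generated on the router itself are caught in OUTPUT (they never traverse PREROUTING or FORWARD), and the fw filter's flowid names a class of the same root qdisc the filter is attached to. The HTB tree, the class numbers 1:12 and 1:15, the rates and the device eth0 are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example, not the poster's script: a self-consistent mark-then-classify
# setup. Assumed (not in the post): HTB root qdisc 1:, class 1:12 for ICMP,
# class 1:15 as the default, device eth0, made-up rates.
# DRY_RUN=1 prints the commands instead of running them (otherwise root is needed).
DEV=${DEV:-eth0}
DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The mark is set only in the mangle table. PREROUTING sees forwarded
# packets; OUTPUT is needed for ICMP generated on the router itself, which
# never passes through PREROUTING or FORWARD.
mark_icmp() {
    run iptables -t mangle -A PREROUTING -p icmp -j MARK --set-mark 1
    run iptables -t mangle -A OUTPUT -p icmp -j MARK --set-mark 1
}

# The fw filter hangs off the root qdisc (parent 1:) and "handle 1" is the
# mark value to match. Its flowid must name a class of that same qdisc;
# a classid HTB cannot find is silently replaced by the default class.
shape() {
    run tc qdisc add dev "$DEV" root handle 1: htb default 15
    run tc class add dev "$DEV" parent 1: classid 1:1 htb rate 1000kbit
    run tc class add dev "$DEV" parent 1:1 classid 1:12 htb rate 200kbit ceil 1000kbit
    run tc class add dev "$DEV" parent 1:1 classid 1:15 htb rate 800kbit ceil 1000kbit
    run tc filter add dev "$DEV" parent 1: protocol ip prio 1 handle 1 fw flowid 1:12
}

# Where to look afterwards: per-class counters show whether marked packets
# reach 1:12 or still land in 1:15, alongside the mangle rule counters.
show_counters() {
    run tc -s class show dev "$DEV"
    run iptables -t mangle -L -nvx
}

case "${1:-}" in
    apply) mark_icmp; shape ;;
    check) show_counters ;;
esac
```

Run `DRY_RUN=1 sh shape-icmp.sh apply` to review the generated commands before applying them for real, then `sh shape-icmp.sh check` while pinging through the box.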

