In my preceding example, I had enabled connection tracking:
iptables -t mangle -A PREROUTING -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A POSTROUTING -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
This was definitely your problem. How is this "connection tracking"? All these rules say is: if the state matches ESTABLISHED or RELATED, then accept it. When that happens, no further processing is done. You basically made all packets for previously established or related connections not get marked, as they left the chain before the mark targets. Running:
iptables -t mangle -L -xvn
would likely have shown hardly any hits on the set-mark rules, with the majority of the packets hitting those five rules above.
And I mark the packet with these rules:
iptables -t mangle -A PREROUTING -p tcp --dport 3389 -j MARK --set-mark 3389
iptables -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 25
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 80
That did not run! :(
<snip>
Can you tell me whether this is the right method?
I am astonished to be marking the packets on the three output interfaces.
I think you only needed to either remove those -j ACCEPT targets, or change it so they are at the end of the chain, or at least after the -j MARK targets.
- Jody
_______________________________________________ LARTC mailing list LARTC@xxxxxxxxxxxxxxx http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
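The ordering Jody describes, as an added example that is not part of the thread: a POSIX shell script that prints the mangle PREROUTING rules with the (non-terminating) MARK rules ahead of the terminating ESTABLISHED,RELATED ACCEPT, next to the broken order from the original post, plus a small check that the MARK rules come first. The ports (3389, 25, 80) and mark values are the ones from the thread; the `-m conntrack --ctstate` match is assumed as the current spelling of the older `-m state --state` used above. The script only prints the commands (dry run); applying them needs root, and the `-L PREROUTING -xvn` counters are the way to confirm the MARK rules are actually being hit.

```shell
#!/bin/sh
# Added example, not from the LARTC thread. Prints iptables commands; it does
# not apply them. To apply for real (root): mangle_rules | sudo sh

# Working order: MARK rules first. MARK does not end chain traversal, so every
# packet (including packets of established flows) reaches all three rules.
# The ACCEPT short-cut, if kept at all, goes last: ACCEPT in the mangle table
# ends traversal of this chain, so anything after it is never evaluated.
mangle_rules() {
    cat <<'EOF'
iptables -t mangle -F PREROUTING
iptables -t mangle -A PREROUTING -p tcp --dport 3389 -j MARK --set-mark 3389
iptables -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 25
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 80
iptables -t mangle -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Broken order from the original post: the ACCEPT sits in front of the MARK
# rules, so after the first packet of a connection nothing gets marked.
broken_rules() {
    cat <<'EOF'
iptables -t mangle -F PREROUTING
iptables -t mangle -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp --dport 3389 -j MARK --set-mark 3389
iptables -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 25
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 80
EOF
}

# check_order <rule-function>: succeeds (exit 0) only when the last MARK rule
# is listed before the first ACCEPT, i.e. no MARK rule is shadowed.
check_order() {
    rules=$("$1")
    first_accept=$(printf '%s\n' "$rules" | grep -n -- '-j ACCEPT' | head -n 1 | cut -d: -f1)
    last_mark=$(printf '%s\n' "$rules" | grep -n -- '-j MARK' | tail -n 1 | cut -d: -f1)
    [ -n "$first_accept" ] && [ -n "$last_mark" ] && [ "$last_mark" -lt "$first_accept" ]
}

mangle_rules
if check_order mangle_rules; then echo "# order ok: MARK rules precede ACCEPT"; fi
if ! check_order broken_rules; then echo "# broken_rules: ACCEPT shadows the MARK rules"; fi
# After applying, verify with the counters (needs root):
#   iptables -t mangle -L PREROUTING -xvn
# The pkts column of the three MARK rules should keep climbing for
# established connections; with the broken order it stays near zero.
```

Dropping the ACCEPT rules from the mangle table entirely is the simpler option; they only save a few match evaluations there, since filtering decisions belong in the filter table anyway.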