Re: Marks not working...

Linux Advanced Routing and Traffic Control


Are you using your firewall as a router, i.e. is the p2p traffic coming
from another PC through the firewall?

If so, I think your rules need to go in the FORWARD chain, not in the
OUTPUT chain.

Another thing to remember is that ipp2p is not 100% reliable at
matching. Have you tried something simpler first such as matching on
source address?

Andy Beverley


On Sat, 2007-02-03 at 01:44 +0000, tomdeb wrote:
> Hi,
> 
> I am experimenting a little bit with my firewall and I don't seem to get
> my head round marks ...
> 
> I try to mark p2p packets generated on the firewall in the output chain
> and then try to match that mark either in NAT OUTPUT or POSTROUTING
> 
> I don't seem to get the expected result. 
> 
> Any help or clue would be more than welcome.
> 
> 
> root@droopy:~/firewall > iptables-view -t mangle
> Chain PREROUTING (policy ACCEPT 33890 packets, 16M bytes)
> num   pkts bytes target     prot opt in     out     source destination
> 
> Chain INPUT (policy ACCEPT 24751 packets, 12M bytes)
> num   pkts bytes target     prot opt in     out     source destination
> 
> Chain FORWARD (policy ACCEPT 9146 packets, 4557K bytes)
> num   pkts bytes target     prot opt in     out     source destination
> 
> Chain OUTPUT (policy ACCEPT 59M packets, 61G bytes)
> num   pkts bytes target     prot opt in     out     source destination
> 1        3   324 LOG        0    --  *      *       0.0.0.0/0 0.0.0.0/0           ipp2p v0.8.2 --ipp2p LOG flags 0 level 4 prefix ` OUT IPP2P '
> 2        3   324 MARK       0    --  *      *       0.0.0.0/0 0.0.0.0/0           ipp2p v0.8.2 --ipp2p MARK set 0x2
> 
> Chain POSTROUTING (policy ACCEPT 32911 packets, 7397K bytes)
> num   pkts bytes target     prot opt in     out     source destination
> root@droopy:~/firewall > iptables-view -t nat
> Chain PREROUTING (policy ACCEPT 973 packets, 62249 bytes)
> num   pkts bytes target     prot opt in     out     source destination
> 
> Chain POSTROUTING (policy ACCEPT 227 packets, 14178 bytes)
> num   pkts bytes target     prot opt in     out     source destination
> 1        0     0 LOG        0    --  *      *       0.0.0.0/0 0.0.0.0/0           MARK match 0x2 LOG flags 0 level 4 prefix ` MARK IPP2P '
> 
> Chain OUTPUT (policy ACCEPT 226 packets, 14172 bytes)
> num   pkts bytes target     prot opt in     out     source destination
> 1        0     0 LOG        0    --  *      *       0.0.0.0/0 0.0.0.0/0           MARK match 0x2 LOG flags 0 level 4 prefix ` MARK IPP2P '
> 
> T o M
> 
> _______________________________________________
> LARTC mailing list
> LARTC@xxxxxxxxxxxxxxx
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
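
The two suggestions in the reply above (put the rule in the chain the traffic actually traverses, and test with a plain source-address match before relying on ipp2p), as an added example that is not part of the original thread. The address 192.168.1.50, the log prefix and the helper names are assumptions; the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed values: the source
# address 192.168.1.50, mark 0x2 and the log prefix are placeholders.
# Prints the iptables commands by default; set APPLY=1 (as root) to run them.

# Pick the mangle chain that actually sees the traffic:
#   local  -> packets generated on the firewall itself traverse OUTPUT
#   routed -> packets from another PC behind the firewall traverse FORWARD
mangle_chain() {
    case "$1" in
        local)  echo OUTPUT ;;
        routed) echo FORWARD ;;
        *)      echo "usage: local|routed" >&2; return 1 ;;
    esac
}

# Emit rules that mark by source address (simpler than ipp2p) and log the
# mark later in the same table, so the counters show whether the mark sticks.
mark_rules() {
    origin=$1 src=$2 mark=${3:-0x2}
    chain=$(mangle_chain "$origin") || return 1
    echo "iptables -t mangle -A $chain -s $src -j MARK --set-mark $mark"
    echo "iptables -t mangle -A POSTROUTING -m mark --mark $mark -j LOG --log-prefix 'MARK TEST '"
}

# Print the rules, or apply them when APPLY=1.
run() {
    mark_rules "$@" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then eval "$cmd"; else echo "$cmd"; fi
    done
}

# Example: a PC at 192.168.1.50 whose traffic is routed through the firewall.
run routed 192.168.1.50
# Afterwards compare the packet counters on both rules:
#   iptables -t mangle -L -v -n --line-numbers
```

If the MARK rule's counter rises but the LOG rule's stays at zero, the mark is being set in a chain the packets leave before the match; if neither rises, the traffic is not passing through the chosen chain at all.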
