RE: NAT, MANGLE, and TOS

--- Daniel Chemko <dchemko@xxxxxxxxxx> wrote:
> 
> >Good point. Is there any reason I shouldn't put my rules on the mangle 
> >POSTROUTING table and kill 2 birds with one rule?
> 
> 
> None that I can see, though I must admit that I swear sometimes I see
> packets missing POSTROUTING; though, I blame that on my bogon ray
> generator, and not Netfilter itself.
> 
> 
Ok let me hop back in here... and make sure I understand this so I don't insert
bad rules in my firewall...

Jeff recommends...

iptables -t mangle -A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 80 -j TOS --set-tos 0x08

Ok I can see that this is making TOS changes for http service on the TCP
protocol. (Quick Side q here but is udp affected by TOS???). Which I can see as
being useful if you have cooperative routers between you and the peer user...

but Daniel recommends...

You probably want this on the FORWARD chain to boost the performance of
your actual client machines instead of just the firewall.

Why place it in the FORWARD chain?

Question back at Jeff here too...

Is the OUTPUT chain really the right place for me? I mean yes I know it would
be good to change TOS in OUTPUT but doesn't that affect only the Linux box? My
NAT goes through ....

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 68.119.x.x

so how could I go about changing the TOS of SNATed packets? Is it even
possible?

Thanks Guys... keep it coming.
SBlaze





=====
In the absence of order there will be chaos.
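As an added illustration (not part of SBlaze's or Daniel's mail), here is a small Python model of netfilter chain traversal that shows which placement of the TOS rule also reaches the SNATed client traffic. The hook and table order is the real kernel order; the packets, the rules and the 68.119.0.1 SNAT address are constructed for the example.

```python
from dataclasses import dataclass

# Real netfilter traversal order as (table, chain) pairs for a packet the
# firewall generates itself ("local") and one it forwards for a LAN client
# ("forward"). In each hook mangle runs before nat, so mangle POSTROUTING
# sees the packet before nat POSTROUTING rewrites its source with SNAT.
PATHS = {
    "local": [("mangle", "OUTPUT"), ("nat", "OUTPUT"), ("filter", "OUTPUT"),
              ("mangle", "POSTROUTING"), ("nat", "POSTROUTING")],
    "forward": [("mangle", "PREROUTING"), ("nat", "PREROUTING"),
                ("mangle", "FORWARD"), ("filter", "FORWARD"),
                ("mangle", "POSTROUTING"), ("nat", "POSTROUTING")],
}

@dataclass
class Packet:
    path: str          # "local" or "forward"
    src: str
    sport: int
    proto: str = "tcp"
    tos: int = 0x00

@dataclass
class Rule:
    table: str
    chain: str
    target: str        # "TOS" or "SNAT"
    arg: object        # TOS value, or the new source address for SNAT
    proto: str = None  # None matches any protocol
    sport: int = None  # None matches any source port

def walk(pkt, rules):
    """Apply matching rules in the order the kernel would; return the packet."""
    for table, chain in PATHS[pkt.path]:
        for r in rules:
            if (r.table, r.chain) != (table, chain) \
                    or r.proto not in (None, pkt.proto) or r.sport not in (None, pkt.sport):
                continue
            if r.target == "TOS":
                pkt.tos = r.arg
            elif r.target == "SNAT":
                pkt.src = r.arg
    return pkt

def tos_on_wire(tos_chain, path):
    """(tos, src) of a port-80 reply once the TOS rule sits in mangle <tos_chain>."""
    rules = [Rule("mangle", tos_chain, "TOS", 0x08, proto="tcp", sport=80),
             Rule("nat", "POSTROUTING", "SNAT", "68.119.0.1")]  # constructed address
    pkt = walk(Packet(path, "192.168.1.10", 80), rules)  # constructed packet
    return pkt.tos, pkt.src
```

Running `tos_on_wire` for each chain shows that OUTPUT only marks the firewall's own replies, FORWARD only the clients' replies, and POSTROUTING both, while the source address is SNATed in every case.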
