Krystian wrote:

> hi
>
> i have a router/nating box with linux on it. can anybody tell me how
> to mark outgoing ftp active/passive connections ?

If you mark a conntrack with the CONNMARK extension, the RELATED traffic to that session is also marked. Otherwise, you have to mark all RELATED traffic with a single mark. The best way to apply marks would be a sub-chain so that you can process other operations after MARKING them.

PS this is from memory so syntax could be off a bit.

# Ingress marking (mostly for Ingress filters and Policy Routing)
# Restore the mark stored on the conntrack entry (RELATED data flows inherit it)
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
# Already marked: nothing more to do here
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
# New FTP control connection: set the mark (--dport needs -p tcp to be accepted)
iptables -t mangle -A PREROUTING -p tcp -d 0/0 --dport 21 -j MARK --set-mark 0x111
# Persist the packet mark onto the conntrack entry
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark

# Egress marking (mostly for QOS operations)
iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A POSTROUTING -o ${if_inet} -p tcp --dport 21 -j MARK --set-mark 0x111
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
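The reply above suggests putting the marking in a sub-chain but shows the rules inline; the script below, an added example that is not part of the original thread, builds the same CONNMARK logic as a dedicated mangle sub-chain and also binds the FTP conntrack helper with the raw-table CT target, since without the helper the data connection is never RELATED to the control connection and therefore never inherits the mark. The chain name FTP_MARK_CHAIN, the mark value 0x111, the interface name and the IPT variable are assumptions for the example; setting IPT=echo prints the rules instead of applying them, which is also how the script can be checked without root.

```shell
#!/bin/sh
# Added example, not the original poster's rules. Marks FTP control connections
# in a mangle sub-chain so RELATED data connections (active and passive) pick up
# the same mark via CONNMARK. Assumed names: FTP_MARK_CHAIN, 0x111, eth0, IPT.
IPT="${IPT:-iptables}"          # set IPT=echo to print instead of apply (dry run)
FTP_MARK="${FTP_MARK:-0x111}"   # assumed mark value, same as in the post
IF_INET="${IF_INET:-eth0}"      # assumed Internet-facing interface

# Bind the FTP helper to port 21 explicitly. Recent kernels no longer auto-assign
# conntrack helpers, so without this rule the data connection is a NEW flow and
# CONNMARK --restore-mark has nothing to restore for it.
helper_rules() {
    $IPT -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
}

# Build the marking sub-chain and hook it for ingress and egress traffic.
mark_ftp() {
    $IPT -t mangle -N FTP_MARK_CHAIN
    # Copy a mark already stored on the conntrack entry back onto the packet;
    # an expected (RELATED) data connection starts with its master's connmark.
    $IPT -t mangle -A FTP_MARK_CHAIN -j CONNMARK --restore-mark
    # Already marked: leave the sub-chain (RETURN, not ACCEPT, so later mangle
    # rules in the calling chain still run).
    $IPT -t mangle -A FTP_MARK_CHAIN -m mark ! --mark 0 -j RETURN
    # New FTP control connection: --dport is only valid together with -p tcp.
    $IPT -t mangle -A FTP_MARK_CHAIN -p tcp --dport 21 -j MARK --set-mark "$FTP_MARK"
    # Persist the packet mark onto the conntrack entry for the rest of the session.
    $IPT -t mangle -A FTP_MARK_CHAIN -j CONNMARK --save-mark
    # Ingress (policy routing / ingress filters) and egress (QoS) entry points.
    $IPT -t mangle -A PREROUTING -j FTP_MARK_CHAIN
    $IPT -t mangle -A POSTROUTING -o "$IF_INET" -j FTP_MARK_CHAIN
}

# Usage: "sh ftpmark.sh apply" installs the rules; "sh ftpmark.sh show" prints them.
case "${1:-}" in
    apply)
        modprobe nf_conntrack_ftp 2>/dev/null
        helper_rules
        mark_ftp
        ;;
    show)
        IPT=echo
        helper_rules
        mark_ftp
        ;;
esac
```

After applying, `conntrack -L --mark 0x111` during an active transfer should list both the port-21 control entry and the data-connection entry with the same mark; if only the control entry shows up, the helper is not bound and the raw-table CT rule (or the nf_conntrack_ftp module) is the first thing to check.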