On Tuesday 27 July 2004 2:57 pm, Marcin Sura wrote:

> Tuesday, July 27, 2004, 2:59:13 PM, you wrote:
>
> > No need to MARK the packets (unless you want the MARKs for something
> > else?),
>
> Yes, I need MARKs for traffic shaping. Sorry, I forgot to mention this.

Okay, no problem, continue MARKing them then, but I still think you can
count them in FORWARD mangle.

> > and you can specify input & output interface in the FORWARD table to
> > identify which way through your firewall the packets are going.
>
> Ok, so I change the rules (I still use statsin and statsout for ...
> hmm ... order :)
>
> $IPTABLES -t mangle -A FORWARD -i $LOCAL_IF -o $INET_IF -j statsout
> $IPTABLES -t mangle -A FORWARD -i $INET_IF -o $LOCAL_IF -j statsin

No, don't put the "-j statsout" or "-j statsin" at the end. The rule I
suggested previously is actually complete:

iptables -A FORWARD -t mangle -i eth0 -o ppp0 -p tcp --dport ssh

You do not need to have a "-j target" at the end of a rule if you don't
want one. The above rule will still count the packets, and you can see
the packet/byte counters with "iptables -L FORWARD -t mangle -nvx".

Regards,

Antony.

--
"It would appear we have reached the limits of what it is possible to
achieve with computer technology, although one should be careful with
such statements; they tend to sound pretty silly in five years."

- John von Neumann (1949)

Please reply to the list; please don't CC me.
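Scripting the counter read-out from "iptables -L FORWARD -t mangle -nvx" has one trap worth showing: a target-less rule like the one above prints an empty target column, so naive whitespace splitting shifts the in/out interface fields by one. The script below is an added example, not from this thread; the counter listing it parses is constructed to mimic that output format, and the rule set (an ssh counting rule each way plus a MARK rule) is assumed for illustration.

```shell
#!/bin/sh
# Sum the packet/byte counters of mangle FORWARD rules for an in/out interface pair.
# SAMPLE_COUNTERS is CONSTRUCTED to look like "iptables -L FORWARD -t mangle -nvx"
# output; it is not real output from any firewall. Note the blank target column on
# the two rules that have no "-j": whitespace splitting shifts their fields by one.
SAMPLE_COUNTERS='Chain FORWARD (policy ACCEPT 1234 packets, 567890 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    8421    1203456            tcp  --  eth0   ppp0    0.0.0.0/0            0.0.0.0/0            tcp dpt:22
   10233   14402311            tcp  --  ppp0   eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:22
     512      40960 MARK       all  --  eth0   ppp0    0.0.0.0/0            0.0.0.0/0            MARK set 0x1'

# counters_for IN_IF OUT_IF  -> prints "PKTS BYTES" summed over matching rules.
# Replace the printf with "iptables -L FORWARD -t mangle -nvx" to use it live.
counters_for() {
    printf '%s\n' "$SAMPLE_COUNTERS" | awk -v in_if="$1" -v out_if="$2" '
        NR <= 2 { next }                  # skip the chain header and column names
        {
            # With a target:    pkts bytes target prot opt in out ...  (opt is $5)
            # Without a target: pkts bytes prot opt in out ...         (opt is $4)
            if ($5 ~ /^(--|-f|!f)$/)      { iface_in = $6; iface_out = $7 }
            else if ($4 ~ /^(--|-f|!f)$/) { iface_in = $5; iface_out = $6 }
            else                          { next }   # unrecognised line layout
            if (iface_in == in_if && iface_out == out_if) {
                pkts += $1; bytes += $2
            }
        }
        # %.0f rather than %d: -x prints exact byte counts that can exceed 2^31
        END { printf "%.0f %.0f\n", pkts, bytes }'
}

counters_for eth0 ppp0   # LAN -> Internet
counters_for ppp0 eth0   # Internet -> LAN
```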