> I can do both, but not at the same time. My idea was:
> 1. Sort the traffic by (LAN, Company, WWW)
> 2. LAN, Company forward without shaping, put no mark on these packets.
> 3. Sort WWW-traffic by application into three buckets (chains...)
> 3.1 SSH, SSL connections to bucket 1, mark these packets with 1.
> 3.2 HTTP, SMTP, FTP connections to bucket 2, mark these packets with 2
> 3.3 the rest to bucket 3, mark these packets with 3.

i *think* this was the part of your message that contained your actual question. you're correct that "-j MARK" only works in MANGLE, and MANGLE doesn't allow jumping to custom chains; however, i don't see how what you want to do is impossible:

  # don't mark packets from the LAN
  iptables -t mangle -A PREROUTING -i $INT_IF -s $LAN -j ACCEPT

  # SSH, SSL get mark 1
  iptables -t mangle -A PREROUTING -i $INT_IF -p tcp --dport 22 -j MARK --set-mark 1
  iptables -t mangle -A PREROUTING -i $INT_IF -p tcp --dport 443 -j MARK --set-mark 1

  # HTTP, SMTP, FTP get mark 2
  iptables -t mangle -A PREROUTING -i $INT_IF -p tcp --dport 80 -j MARK --set-mark 2
  iptables -t mangle -A PREROUTING -i $INT_IF -p tcp --dport 25 -j MARK --set-mark 2
  iptables -t mangle -A PREROUTING -i $INT_IF -p tcp --dport 21 -j MARK --set-mark 2

  # anything else gets mark 3
  # (MARK does not stop rule traversal, so match only packets that are
  # still unmarked; otherwise this rule overwrites marks 1 and 2)
  iptables -t mangle -A PREROUTING -i $INT_IF -m mark --mark 0 -j MARK --set-mark 3

i venture to guess that i'm completely missing your point, as this doesn't seem that complicated. maybe you need to re-phrase what your actual question is?

-j
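
How the final mark depends on MARK not ending rule traversal, as an added example that is not part of the original message: a small Python model of one chain walk, comparing a catch-all that matches every packet with one restricted by `-m mark --mark 0`. The rule dictionaries, the `exempt` flag (standing for traffic that must stay unmarked) and the sample packets are constructed for illustration.

```python
# Added example: model of one packet walking an iptables chain.
# MARK is non-terminating (the walk continues); ACCEPT ends the walk.
# Rule dictionaries and the "exempt" flag are constructed simplifications.

PORT_CLASSES = {22: 1, 443: 1, 80: 2, 25: 2, 21: 2}  # dport -> mark, from the post


def build_rules(guard_catch_all):
    """Rule list in chain order; optionally restrict the catch-all to mark 0."""
    rules = [{"match": {"exempt": True}, "target": "ACCEPT"}]
    for port, mark in PORT_CLASSES.items():
        rules.append({"match": {"dport": port}, "target": "MARK", "set_mark": mark})
    catch_all = {"match": {}, "target": "MARK", "set_mark": 3}
    if guard_catch_all:
        catch_all["match"]["mark"] = 0  # models: -m mark --mark 0
    rules.append(catch_all)
    return rules


def traverse(rules, packet):
    """Return the packet's mark after it has walked every applicable rule."""
    mark = 0  # packets enter the chain unmarked
    for rule in rules:
        fields = dict(packet, mark=mark)
        if any(fields[key] != want for key, want in rule["match"].items()):
            continue
        if rule["target"] == "ACCEPT":
            return mark  # terminating target: stop here, mark unchanged
        mark = rule["set_mark"]  # MARK: set it and keep walking
    return mark


def classify(packets, guard_catch_all):
    """Map each named sample packet to the mark it leaves the chain with."""
    rules = build_rules(guard_catch_all)
    return {name: traverse(rules, pkt) for name, pkt in packets.items()}


SAMPLE = {  # constructed packets, not captured traffic
    "ssh": {"dport": 22, "exempt": False},
    "https": {"dport": 443, "exempt": False},
    "http": {"dport": 80, "exempt": False},
    "dns": {"dport": 53, "exempt": False},
    "lan": {"dport": 445, "exempt": True},
}

if __name__ == "__main__":
    for guard in (False, True):
        print("guarded  " if guard else "unguarded", classify(SAMPLE, guard))
```

On a live host the resulting marks can be compared against the per-rule packet counters from `iptables -t mangle -L PREROUTING -v -n`.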