On Wed, Nov 03, 2004 at 08:17:18PM +0200, Abraham van der Merwe wrote:
> Hi!
>
> If I add
>
> # rules to track ftp
> iptables -t mangle -A POSTROUTING -p tcp -j CONNMARK --restore-mark
> iptables -t mangle -A POSTROUTING -p tcp -m mark ! --mark 0 -j RETURN
> iptables -t mangle -A POSTROUTING -p tcp --dport 21 -j MARK --set-mark 2
> iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
>
> # a rule to see how much ftp traffic is matched
> iptables -t mangle -A POSTROUTING -m mark --mark 2
>
> Now if I ftp some data I can see that all of the traffic is not matched by
> looking at the byte counter of the rule above.
>
> What am I doing wrong? I am pretty sure the ftp-data connection is not being
> tracked, but surely the conntrack_ftp module should do all the hard work for
> me?

Try using helper to match FTP traffic:

iptables -t mangle -A POSTROUTING -m helper --helper ftp -j

-- 
"Dear Mr. President, there are too many states nowadays, please eliminate
three. I am not a crackpot." --The Simpsons
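The ruleset the reply points at, written out as a runnable script. This is an added example, not code from the thread or from the netfilter project. It combines the question's CONNMARK rules with the reply's helper match: the control connection (port 21) is still marked by destination port, because the helper match only fires on packets of connections that are RELATED to a helper-tracked master, i.e. the ftp-data connections; those get the same mark from the `-m helper --helper ftp` rule. The mark value 2, the mangle/POSTROUTING placement, the function names and the module names (ip_conntrack_ftp on 2.6-era kernels, nf_conntrack_ftp later) are assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example, not code from the original thread. Marks the FTP control
# connection by port and the ftp-data connections via the conntrack FTP
# helper, then counts every packet carrying the mark.
# Assumptions (not stated in the thread): mark value 2, mangle/POSTROUTING
# as in the question, helper module ip_conntrack_ftp (2.6-era) or
# nf_conntrack_ftp (later kernels), and the function names below.

FTP_MARK=2

# Emit the rules, one per line, without the leading "iptables" so they can
# be reviewed (or diffed against a live ruleset) before being applied.
ftp_mark_rules() {
    cat <<EOF
-t mangle -A POSTROUTING -p tcp -j CONNMARK --restore-mark
-t mangle -A POSTROUTING -p tcp --dport 21 -j MARK --set-mark $FTP_MARK
-t mangle -A POSTROUTING -m helper --helper ftp -j MARK --set-mark $FTP_MARK
-t mangle -A POSTROUTING -j CONNMARK --save-mark
-t mangle -A POSTROUTING -m mark --mark $FTP_MARK
EOF
}

# Number of rules the generator produces (quick sanity check).
ftp_mark_rule_count() {
    ftp_mark_rules | wc -l | tr -d ' '
}

# True if the generated ruleset relies on the conntrack FTP helper.
ftp_mark_rules_use_helper() {
    ftp_mark_rules | grep -q -- '-m helper --helper ftp'
}

# Load the FTP conntrack helper; without it no ftp-data connection is ever
# RELATED to the control connection and the helper match never fires.
load_ftp_helper() {
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
}

# Apply the rules with iptables (needs root). Word splitting of $rule is
# intentional: each line is a list of iptables arguments.
apply_ftp_mark_rules() {
    command -v iptables >/dev/null 2>&1 || { echo "iptables not found" >&2; return 1; }
    ftp_mark_rules | while read -r rule; do
        iptables $rule || return 1
    done
}

# Show per-rule packet/byte counters; the last POSTROUTING rule is the FTP
# counter and should grow with the data transfer, not only the commands.
show_ftp_counters() {
    iptables -t mangle -L POSTROUTING -v -n -x
}

# Only act when explicitly asked, so sourcing this file is side-effect free.
case "${1:-}" in
    apply) load_ftp_helper && apply_ftp_mark_rules ;;
    show)  show_ftp_counters ;;
    *)     ftp_mark_rules ;;
esac
```

One ordering point worth keeping in mind when adapting this: the `-m mark ! --mark 0 -j RETURN` shortcut from the question leaves the chain for every packet whose connmark was just restored, so any counting rule placed after it only ever sees the first packet of each connection. The example therefore drops the shortcut and lets every packet reach the final `-m mark --mark 2` rule; marking an already-marked packet again is harmless.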