Jason Opperisano wrote:
> On Wed, Nov 10, 2004 at 04:42:46PM +0100, Moritz Gartenmeister wrote:
> > is the first rule in the mangle chain:
> > iptables -t mangle -A PREROUTING -m mark --mark 0x8 -j ACCEPT
> are you filtering packets in MANGLE?
yes, i do, but i don't drop packets, except malformed packets (like: if the packet is coming from inside, then it must have an ip from the private net 172.17.0.0/16, else drop).
and i use mark to classify packets: mark 2 for all p2p packets, mark 3 for all http packets and so on... (none with 8)
these marks are used later for tc.
> > one check rule in mangle POSTROUTING:
> > iptables -t mangle -A POSTROUTING -m mark --mark 0x8 -j LOG --log-prefix IPT_MARK
> are you getting logs out of this rule? if so--do the src/dst IP's look like they should?
yes they do. but i think that not all packets are dnatted, although they are correctly marked.
my observation: the numbers of packets differ:
  ebtables: 213 packets
  prerouting mangle: 200 packets
these numbers should be the same, because there is no rule between them.
  prerouting nat: 118 packets
  postrouting mangle: 93 packets
any explanations? the numbers should be at least the same. i don't understand this. the filter rules seem to work properly...
> i think you need to describe the relative locations of the client, bridge, and web server.
users -- filter-server -- switch -- gw
                            |
                            |
                         webserver
> it sounds like it could be a routing problem.
hm... this is the only connection which is routed. the rest of the traffic is just marked and shaped with tc.
moritz

--
Uplink student association
Moritz Gartenmeister
Bülachstrasse 1 F
8057 Zürich
Switzerland
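The counter comparison Moritz is doing by hand can be scripted against the output of `iptables -t <table> -vnxL <chain>`. The script below is an added example and not part of the thread or of anyone's setup; the three listings it parses are constructed to mimic that output format and reuse the counts quoted above (200, 118 and 93 for the mark 0x8 rules), and the DNAT destination 172.17.0.10:80 is made up. The ebtables count is left out because ebtables prints its counters in a different format. One caveat worth keeping in mind when reading such numbers: the nat table is consulted only for the first packet of each connection, so the nat PREROUTING counter counts connections that were DNATed, not packets, and is not directly comparable to the two mangle counters.

```python
"""Compare the per-rule packet counters of one fwmark across iptables chains.

The listings below are constructed to mimic `iptables -t <table> -vnxL <chain>`
output and reuse the counts quoted in the thread; they were not captured from a
real box. Only the mangle-to-mangle comparison is per packet: the nat table is
consulted only for the first packet of a connection, so its counter counts
connections that were DNATed, not packets.
"""
import re

# Constructed listings, one rule per chain matching fwmark 0x8 (DNAT target is made up).
SAMPLE = {
    ("mangle", "PREROUTING"): """\
Chain PREROUTING (policy ACCEPT 51234 packets, 31234567 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     200      12345 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x8
""",
    ("nat", "PREROUTING"): """\
Chain PREROUTING (policy ACCEPT 3210 packets, 198765 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     118       7080 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x8 to:172.17.0.10:80
""",
    ("mangle", "POSTROUTING"): """\
Chain POSTROUTING (policy ACCEPT 50987 packets, 30987654 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      93       5580 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x8 LOG flags 0 level 4 prefix "IPT_MARK"
""",
}

# pkts, bytes, target, then somewhere later the mark match; the match text is
# "mark match" in older iptables and "MARK match" in newer ones, hence IGNORECASE.
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+.*\bmark match (0x[0-9a-f]+)", re.IGNORECASE)


def rule_counters(listing, mark):
    """Return (pkts, bytes, target) of the first rule in `listing` that matches
    fwmark `mark`, or None when no such rule is listed."""
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if m and int(m.group(4), 16) == mark:
            return int(m.group(1)), int(m.group(2)), m.group(3)
    return None


def summarize(samples, mark):
    """Pull the counters for `mark` out of the three chains discussed in the
    thread and compute how many marked packets went missing between the two
    mangle hooks."""
    pre = rule_counters(samples[("mangle", "PREROUTING")], mark)
    nat = rule_counters(samples[("nat", "PREROUTING")], mark)
    post = rule_counters(samples[("mangle", "POSTROUTING")], mark)
    if not (pre and post):
        raise ValueError("mark %#x has no rule in one of the mangle chains" % mark)
    return {
        "mangle_prerouting_pkts": pre[0],
        "mangle_postrouting_pkts": post[0],
        # A positive value means marked packets entered PREROUTING but never
        # reached POSTROUTING with the mark still set: dropped, delivered
        # locally, or re-marked somewhere in between.
        "lost_between_mangle_hooks": pre[0] - post[0],
        # Connections, not packets: the nat table sees only the first packet.
        "new_connections_dnatted": nat[0] if nat else 0,
        "dnat_target": nat[2] if nat else None,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE, 0x8).items():
        print("%-28s %s" % (key, value))
```

On a real box, replace the constructed strings with the captured output of the three `iptables -vnxL` commands (use `-x` so large counters are not abbreviated to "12K"); the parser only depends on the column layout, not on the values.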