On Mon, 31 Jan 2005 11:25:31 -0500, Jason Opperisano <opie@xxxxxxxxxxx> wrote:
> On Mon, Jan 31, 2005 at 03:29:32PM +0500, Askar wrote:
> > hi list,
> >
> > I'm MARKing packets in PREROUTING of mangle with the rule below to
> > route them via a route other than the default route (iproute2 +
> > iptables):
> >
> > $iptables -A PREROUTING -i eth0 -t mangle -s 202.xxx.xxx.0/24 -d 0/0 -p tcp --dport 80 -j MARK --set-mark 4
> >
> > What I want is to exclude a single IP from being MARKed by the above, i.e.
> > packets from that particular IP go through the default route of the
> > firewall machine, not through the iproute2 route.
> >
> > Is this possible with iptables, or do I have to apply pom (extensions) to
> > accomplish this?
>
> two thoughts: 1) ACCEPT the packet from the "excluded IP" prior to the
> mark rule or 2) reset the MARK on packets from the "excluded IP" after
> the mark rule.
>
> version 1:
>
> iptables -t mangle -A PREROUTING -i eth0 -p tcp -s $EXCLUDED_IP \
>   --dport 80 -j ACCEPT
>
> iptables -t mangle -A PREROUTING -i eth0 -p tcp -s 202.xxx.xxx.0/24 \
>   --dport 80 -j MARK --set-mark 4

Thanks Jason, I went with version 2 and it worked.

> version 2:
>
> iptables -t mangle -A PREROUTING -i eth0 -p tcp -s 202.xxx.xxx.0/24 \
>   --dport 80 -j MARK --set-mark 4
>
> iptables -t mangle -A PREROUTING -i eth0 -p tcp -s $EXCLUDED_IP \
>   --dport 80 -j MARK --set-mark 0
>
> version 1 gets packets from $EXCLUDED_IP out of the mangle PREROUTING
> chain as quickly as possible.
>
> version 2 allows packets from $EXCLUDED_IP to continue to traverse
> mangle PREROUTING in case you want to do other stuff to it.
>
> which one is "better" would depend on your specific situation.
>
> -j
>
> --
> "I saw this in a movie about a bus that had to SPEED around a city,
> keeping its SPEED over fifty, and if its SPEED dropped, it would
> explode. I think it was called, 'The Bus That Couldn't Slow Down.'"
> --The Simpsons

--
(after bouncing head on desk for days trying to get mine working, I'll make your life a little easier)
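Added example (not code from the thread): Jason's "version 2" wrapped in a script together with the iproute2 half that the question refers to but never shows, so the marked packets actually leave via an alternate table. The subnet, excluded host and gateway are constructed sample values, and `IPT`/`IP` can be set to `echo` to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the thread's own script. Policy routing on a Linux
# firewall: mark port-80 traffic from a subnet, un-mark one excluded host,
# and route only marked packets via an alternate default gateway.
IPT="${IPT:-iptables}"      # set IPT=echo for a dry run
IP="${IP:-ip}"              # set IP=echo for a dry run
SUBNET="${SUBNET:-203.0.113.0/24}"          # constructed sample subnet
EXCLUDED_IP="${EXCLUDED_IP:-203.0.113.10}"  # constructed sample host
MARK=4    # fwmark value from the thread
TABLE=4   # routing table holding the alternate default route (assumed)

# Version 2 from the thread: the MARK rule first, then a rule that resets
# the mark to 0 for the excluded host. Order matters: rules are evaluated
# top to bottom, so the reset must be appended after the MARK rule.
apply_mark_rules() {
    "$IPT" -t mangle -A PREROUTING -i eth0 -p tcp -s "$SUBNET" \
        --dport 80 -j MARK --set-mark "$MARK"
    "$IPT" -t mangle -A PREROUTING -i eth0 -p tcp -s "$EXCLUDED_IP" \
        --dport 80 -j MARK --set-mark 0
}

# iproute2 side: packets carrying fwmark 4 are looked up in table 4, which
# holds the alternate default route. Packets whose mark was reset to 0 do
# not match the rule and fall through to the main table, i.e. the firewall's
# normal default route, which is exactly what the question asked for.
apply_policy_route() {
    alt_gw="$1"
    "$IP" rule add fwmark "$MARK" table "$TABLE"
    "$IP" route add default via "$alt_gw" table "$TABLE"
}

# Quick check that the exclusion took effect: the packet counter on the
# reset rule should increase when the excluded host makes a port-80 request.
show_counters() {
    "$IPT" -t mangle -L PREROUTING -n -v
}

if [ "${1:-}" = "apply" ]; then
    apply_mark_rules
    apply_policy_route "${2:-203.0.113.1}"   # constructed sample gateway
    show_counters
fi
```

Run it as `IPT=echo IP=echo sh script.sh apply` first to review the exact rules before applying them for real.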