Hi,

On Sunday, 2008 October 12 at 19:12:58 +0200, okahei@xxxxxxxxx wrote:
> Hello list.
>
> I've got a question with the CONNMARK target.
>
> Is it possible to mark a whole connection playing with this parameter?
>
> What I want is when a packet arrives to port 6900 UDP of the firewall,
> mark it with 0x99, and when the response packet arrives again from the DMZ
> interface of the firewall, it is marked again with 0x99.

You can get some information on connmark on the following page:
http://home.regit.org/?page_id=7

Basically, what you want to add to your ruleset is:

iptables -A POSTROUTING -t mangle -j CONNMARK --restore-mark
iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark

The first one restores the mark when the packet arrives (it copies the connection mark into the packet mark).
The second one saves the packet mark into the connection mark, to be able to restore it later (with --restore-mark).

BR,
--
Eric Leblond
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
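To make the save/restore mechanism concrete, here is an added illustration that is not part of the thread above and not Eric's ruleset: a small Python model of the packet mark and the per-connection mark, walked through a minimal mangle-table ruleset. It places the `--restore-mark` rule in PREROUTING ahead of a MARK rule for UDP port 6900 (a common layout, chosen here for clarity; the reply quoted above puts both CONNMARK rules in POSTROUTING), keeps `--save-mark` in POSTROUTING, and shows why the reply coming back from the DMZ carries 0x99 only when the restore happens before the classification. The addresses, ports and the `Firewall`/`Packet` helpers are constructed for the example.

```python
"""Toy model of iptables CONNMARK --save-mark / --restore-mark.

Added example, not code from the original thread. It models the packet mark
(skb->mark) and the connection mark (ct->mark) as plain integers and walks a
minimal mangle ruleset for each packet. Addresses and ports are constructed.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    mark: int = 0  # packet mark: every fresh packet starts with 0


def conn_key(p: Packet) -> tuple:
    """Direction-independent tuple, the way conntrack pairs a reply with its
    original flow, so request and reply land on the same connection entry."""
    ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (p.proto, ends[0], ends[1])


class Firewall:
    """Models three rules; restore_first=False drops the --restore-mark rule."""

    def __init__(self, restore_first: bool = True) -> None:
        self.conntrack: dict = {}  # conn_key -> connection mark (ct->mark)
        self.restore_first = restore_first

    # -A PREROUTING -t mangle -j CONNMARK --restore-mark
    def restore_mark(self, p: Packet) -> None:
        p.mark = self.conntrack.get(conn_key(p), 0)

    # -A PREROUTING -t mangle -p udp --dport 6900 -m mark --mark 0 \
    #     -j MARK --set-mark 0x99
    def classify(self, p: Packet) -> None:
        if p.proto == "udp" and p.dport == 6900 and p.mark == 0:
            p.mark = 0x99

    # -A POSTROUTING -t mangle -j CONNMARK --save-mark
    def save_mark(self, p: Packet) -> None:
        self.conntrack[conn_key(p)] = p.mark

    def process(self, p: Packet) -> int:
        """Run one packet through the ruleset; returns its final packet mark."""
        if self.restore_first:
            self.restore_mark(p)
        self.classify(p)
        self.save_mark(p)
        return p.mark


def demo(restore_first: bool = True) -> tuple:
    """Push a constructed request/reply pair through the model.

    Returns (request_mark, reply_mark). With the restore rule in place the
    reply inherits 0x99 from the connection; without it the reply (whose
    destination port is the client's ephemeral port, not 6900) stays at 0
    and --save-mark then overwrites the connection mark with 0.
    """
    fw = Firewall(restore_first)
    # constructed sample flow: external client -> UDP 6900 service in the DMZ
    request = Packet("udp", "198.51.100.7", 40000, "192.0.2.10", 6900)
    reply = Packet("udp", "192.0.2.10", 6900, "198.51.100.7", 40000)
    return fw.process(request), fw.process(reply)


if __name__ == "__main__":
    print("with --restore-mark:   ", tuple(hex(m) for m in demo(True)))
    print("without --restore-mark:", tuple(hex(m) for m in demo(False)))
```

The point the model makes is ordering: `--restore-mark` has to run before any rule that matches on the packet mark, and `--save-mark` has to run after the rule that sets it, otherwise the connection mark is overwritten with 0 by the first reply packet and the marking is lost for the rest of the flow.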