On Wednesday, 2008 October 15 at 9:49:01 +0200, okahei@xxxxxxxxx wrote:
> On Mon, Oct 13, 2008 at 5:10 PM, Eric Leblond <eric@xxxxxx> wrote:
> > Hi,
> >
> > On Sunday, 2008 October 12 at 19:12:58 +0200, okahei@xxxxxxxxx wrote:
> >> Hello list.
> >>
> >> I've got a question about the CONNMARK target.
> >>
> >> Is it possible to mark a whole connection by playing with this parameter?
> >>
> >> What I want is: when a packet arrives at UDP port 6900 of the firewall,
> >> mark it with 0x99, and when the response packet arrives again from the DMZ
> >> interface of the firewall, it is marked again with 0x99.
> >
> > You can get some information on connmark on the following page:
> > http://home.regit.org/?page_id=7
> >
> > Basically, what you want to add to your ruleset is:
> > iptables -A POSTROUTING -t mangle -j CONNMARK --restore-mark
> > iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark
> >
> > The first one restores the mark when a packet arrives (it puts the connection mark
> > into the packet mark). The second one saves the packet mark to the connection mark
> > to be able to restore it later (with --restore-mark).
> >
> > BR,
> > --
> > Eric Leblond
> > INL: http://www.inl.fr/
> > NuFW: http://www.nufw.org/
> >
>
> Hello List.
>
> I'm in doubt about the /proc/net/ip_conntrack file, because I am
> marking packets with 0x87

0x87 is in hexadecimal; this is equal to 135 in decimal ;)

Don't use the '0x' prefix if you want to use a decimal integer.

BR,
--
Eric Leblond
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/
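As an added example (not part of the thread, and not Eric's or the netfilter project's code), the following script spells out the three-rule CONNMARK setup the thread converges on and the hex-versus-decimal point about /proc/net/ip_conntrack. It assumes UDP port 6900 and the 0x99 mark from the original question; the conntrack dump it checks is a constructed sample, not a real capture.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the DMZ service is UDP/6900
# and the chosen mark is 0x99, as in the question above.

MARK_HEX=0x99

# /proc/net/ip_conntrack prints "mark=" in decimal, so the value handed to
# --set-mark shows up converted: 0x99 -> 153, 0x87 -> 135.
mark_decimal() {
    echo $(( $1 ))
}

# The three mangle-table rules: first restore the connection mark onto every
# packet (so DMZ replies inherit 0x99), then mark a still-unmarked packet to
# UDP/6900, then save the packet mark into the conntrack entry on the way out.
# Prints the commands by default; "connmark_rules apply" runs them (root only).
connmark_rules() {
    mode=${1:-print}
    for rule in \
        "-t mangle -A PREROUTING -j CONNMARK --restore-mark" \
        "-t mangle -A PREROUTING -m mark --mark 0 -p udp --dport 6900 -j MARK --set-mark $MARK_HEX" \
        "-t mangle -A POSTROUTING -j CONNMARK --save-mark"
    do
        if [ "$mode" = apply ]; then iptables $rule; else echo "iptables $rule"; fi
    done
}

# Succeed when the conntrack dump in $1 has a UDP entry to port 6900 whose
# mark equals $MARK_HEX (compared in decimal, the way the kernel prints it).
conntrack_has_mark() {
    want=$(mark_decimal "$MARK_HEX")
    printf '%s\n' "$1" | grep '^udp ' | grep 'dport=6900 ' | grep -q " mark=$want "
}

# Constructed sample of /proc/net/ip_conntrack output (not a real capture).
SAMPLE_CONNTRACK='udp      17 28 src=203.0.113.5 dst=198.51.100.1 sport=40000 dport=6900 packets=1 bytes=80 src=198.51.100.1 dst=203.0.113.5 sport=6900 dport=40000 packets=1 bytes=80 mark=153 use=1
tcp      6 431999 ESTABLISHED src=203.0.113.9 dst=198.51.100.1 sport=51000 dport=22 packets=10 bytes=900 src=198.51.100.1 dst=203.0.113.9 sport=22 dport=51000 packets=9 bytes=1200 [ASSURED] mark=0 use=1'

connmark_rules print
if conntrack_has_mark "$SAMPLE_CONNTRACK"; then
    echo "sample entry carries mark $MARK_HEX ($(mark_decimal "$MARK_HEX") in /proc/net/ip_conntrack)"
fi
# On the firewall itself: conntrack_has_mark "$(cat /proc/net/ip_conntrack)"
```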