On Wed, Oct 15, 2008 at 9:51 AM, Eric Leblond <eric@xxxxxx> wrote:
> On Wednesday, 2008 October 15 at 9:49:01 +0200, okahei@xxxxxxxxx wrote:
>> On Mon, Oct 13, 2008 at 5:10 PM, Eric Leblond <eric@xxxxxx> wrote:
>> > Hi,
>> >
>> > On Sunday, 2008 October 12 at 19:12:58 +0200, okahei@xxxxxxxxx wrote:
>> >> Hello list.
>> >>
>> >> I've got a question about the CONNMARK target.
>> >>
>> >> Is it possible to mark a whole connection by playing with this parameter?
>> >>
>> >> What I want is: when a packet arrives at port 6900 UDP of the firewall,
>> >> mark it with 0x99, and when the response packet arrives again from the DMZ
>> >> interface of the firewall, it is marked again with 0x99.
>> >
>> > You can get some information on connmark on the following page:
>> > http://home.regit.org/?page_id=7
>> >
>> > Basically, what you want to add to your ruleset is:
>> > iptables -A POSTROUTING -t mangle -j CONNMARK --restore-mark
>> > iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark
>> >
>> > The first one restores the mark when the packet arrives (it copies the connection mark to the
>> > packet mark). The second one saves the packet mark to the connection mark, to be able
>> > to restore it later (with --restore-mark).
>> >
>> > BR,
>> > --
>> > Eric Leblond
>> > INL: http://www.inl.fr/
>> > NuFW: http://www.nufw.org/
>> >
>>
>> Hello list.
>>
>> I'm in doubt about the /proc/net/ip_conntrack file, because I am
>> marking packets with 0x87
>
> 0x87 is in hexadecimal; this is equal to 135 in decimal ;)
>
> Don't use the '0x' prefix if you want to use a decimal integer.
>
> BR,
> --
> Eric Leblond
> INL: http://www.inl.fr/
> NuFW: http://www.nufw.org/
>

Thanks for the quick reply.

Regards.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
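The two points raised in the thread, carrying a packet mark across a whole connection with CONNMARK --save-mark/--restore-mark and reading that mark back out of /proc/net/ip_conntrack in decimal, put together as an added example (this is not code from the thread or from either poster). The script emits the mangle-table rules in iptables-restore format instead of calling iptables directly, so it can be reviewed before being applied; it places --restore-mark in PREROUTING rather than POSTROUTING as quoted above, so that the reply packet coming back from the DMZ already carries the mark when it is inspected, which is a layout choice made here and not something the thread states. The mark value 0x99 and port 6900 come from the question; the conntrack lines are constructed for the example, and the helper names (mark_to_decimal, connmark_ruleset, count_marked) are invented.

```shell
#!/bin/sh
# Added example, not from the netfilter thread: generate CONNMARK rules for a
# UDP/6900 flow and parse the resulting marks out of /proc/net/ip_conntrack.

MARK=0x99   # mark for the UDP/6900 connection, as in the original question
PORT=6900

# /proc/net/ip_conntrack prints marks in decimal, iptables accepts them in
# hex; convert a 0x-prefixed (or plain) value to decimal (0x87 -> 135).
mark_to_decimal() {
    printf '%d\n' "$1"
}

# Emit a mangle-table ruleset in iptables-restore format:
#  1. PREROUTING: copy the connection mark onto every incoming packet first,
#     so a reply arriving from the DMZ side is marked before routing;
#  2. PREROUTING: packets still unmarked and destined to UDP/$PORT get $MARK;
#  3. POSTROUTING: store the packet mark in the conntrack entry so that
#     step 1 can restore it on later packets of the same connection.
connmark_ruleset() {
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -j CONNMARK --restore-mark
-A PREROUTING -m mark --mark 0 -p udp --dport $PORT -j MARK --set-mark $MARK
-A POSTROUTING -j CONNMARK --save-mark
COMMIT
EOF
}

# Constructed sample of the 2.6-era /proc/net/ip_conntrack format; note the
# marks are decimal (153 == 0x99), which is what confused the poster.
SAMPLE_CONNTRACK='udp      17 29 src=192.0.2.10 dst=198.51.100.1 sport=40000 dport=6900 src=198.51.100.1 dst=192.0.2.10 sport=6900 dport=40000 mark=153 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.11 dst=198.51.100.2 sport=50000 dport=22 src=198.51.100.2 dst=192.0.2.11 sport=22 dport=50000 [ASSURED] mark=0 use=1
udp      17 25 src=192.0.2.12 dst=198.51.100.1 sport=40001 dport=6900 src=198.51.100.1 dst=192.0.2.12 sport=6900 dport=40001 mark=153 use=1'

# Count conntrack entries whose mark equals the given value; the argument may
# be written in hex or decimal, and is normalised before matching.
count_marked() {
    dec=$(mark_to_decimal "$1")
    printf '%s\n' "$SAMPLE_CONNTRACK" |
        awk -v want="mark=$dec" '{ for (i = 1; i <= NF; i++) if ($i == want) n++ } END { print n + 0 }'
}

# Print the ruleset (pipe it into iptables-restore on the firewall to apply),
# then show how many sample connections carry the mark.
connmark_ruleset
printf 'entries marked %s (decimal %s): %s\n' \
    "$MARK" "$(mark_to_decimal "$MARK")" "$(count_marked "$MARK")"
```

Run it as `sh connmark.sh` to see the ruleset and the count; on a real firewall the verification step would be `grep "mark=$(printf '%d' 0x99)" /proc/net/ip_conntrack` (or `conntrack -L --mark 153` where conntrack-tools is installed), which is exactly why searching for the literal string `0x99` in that file finds nothing.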