[LARTC] Marks not working...

Andrew Beverley andy at andybev.com
Tue Feb 6 21:08:27 CET 2007 

Are you using your firewall as a router, ie is the p2p traffic coming
from another PC through the firewall?

If so, I think your rules need to go in the FORWARD chain not in the
OUTPUT chain.

Another thing to remember is that ipp2p is not 100% reliable at
matching. Have you tried something simpler first such as matching on
source address?

Andy Beverley


On Sat, 2007-02-03 at 01:44 +0000, tomdeb wrote:
> Hi,
> 
> I am experimenting a little bit with my firewall and I don't seem to get
> my head round marks ...
> 
> I try to mark p2p packets generated on the firewall in the output chain
> and then try to match that mark either in NAT OUTPUT or POSTROUTING
> 
> I don't seem to get the expected result. 
> 
> Any help or clue would be more than welcome.
> 
> 
> root at droopy:~/firewall > iptables-view -t mangle
> Chain PREROUTING (policy ACCEPT 33890 packets, 16M bytes) num   pkts bytes target     prot opt in     out     source destination
> 
> Chain INPUT (policy ACCEPT 24751 packets, 12M bytes) num   pkts bytes target     prot opt in     out     source destination
> 
> Chain FORWARD (policy ACCEPT 9146 packets, 4557K bytes) num   pkts bytes target     prot opt in     out     source destination
> 
> Chain OUTPUT (policy ACCEPT 59M packets, 61G bytes) num   pkts bytes target     prot opt in     out     source destination
> 1        3   324 LOG        0    --  *      *       0.0.0.0/0 0.0.0.0/0           ipp2p v0.8.2 --ipp2p LOG flags 0 level 4 prefix ` OUT IPP2P '
> 2        3   324 MARK       0    --  *      *       0.0.0.0/0 0.0.0.0/0           ipp2p v0.8.2 --ipp2p MARK set 0x2
> 
> Chain POSTROUTING (policy ACCEPT 32911 packets, 7397K bytes) num   pkts bytes target     prot opt in     out     source destination
> root at droopy:~/firewall > iptables-view -t nat
> Chain PREROUTING (policy ACCEPT 973 packets, 62249 bytes) num   pkts bytes target     prot opt in     out     source destination
> 
> Chain POSTROUTING (policy ACCEPT 227 packets, 14178 bytes) num   pkts bytes target     prot opt in     out     source destination
> 1        0     0 LOG        0    --  *      *       0.0.0.0/0 0.0.0.0/0           MARK match 0x2 LOG flags 0 level 4 prefix ` MARK IPP2P '
> 
> Chain OUTPUT (policy ACCEPT 226 packets, 14172 bytes) num   pkts bytes target     prot opt in     out     source destination`
> 1        0     0 LOG        0    --  *      *       0.0.0.0/0 0.0.0.0/0           MARK match 0x2 LOG flags 0 level 4 prefix ` MARK IPP2P '
> 
> T o M
> 
> _______________________________________________
> LARTC mailing list
> LARTC at mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

More information about the LARTC mailing list