* [LARTC] Marks not working...
@ 2007-02-03  1:44 tomdeb
  2007-02-06 20:08 ` Andrew Beverley
  0 siblings, 1 reply; 2+ messages in thread
From: tomdeb @ 2007-02-03  1:44 UTC (permalink / raw)
  To: lartc

Hi,

I am experimenting a little bit with my firewall and I don't seem to get
my head round marks ...

I try to mark p2p packets generated on the firewall in the output chain
and then try to match that mark either in NAT OUTPUT or POSTROUTING.

I don't seem to get the expected result. 

Any help or clue would be more than welcome.


root@droopy:~/firewall > iptables-view -t mangle
Chain PREROUTING (policy ACCEPT 33890 packets, 16M bytes)
num   pkts bytes target     prot opt in     out     source destination

Chain INPUT (policy ACCEPT 24751 packets, 12M bytes)
num   pkts bytes target     prot opt in     out     source destination

Chain FORWARD (policy ACCEPT 9146 packets, 4557K bytes)
num   pkts bytes target     prot opt in     out     source destination

Chain OUTPUT (policy ACCEPT 59M packets, 61G bytes)
num   pkts bytes target     prot opt in     out     source destination
1        3   324 LOG        0    --  *      *       0.0.0.0/0 0.0.0.0/0           ipp2p v0.8.2 --ipp2p LOG flags 0 level 4 prefix ` OUT IPP2P '
2        3   324 MARK       0    --  *      *       0.0.0.0/0 0.0.0.0/0           ipp2p v0.8.2 --ipp2p MARK set 0x2

Chain POSTROUTING (policy ACCEPT 32911 packets, 7397K bytes)
num   pkts bytes target     prot opt in     out     source destination

root@droopy:~/firewall > iptables-view -t nat
Chain PREROUTING (policy ACCEPT 973 packets, 62249 bytes)
num   pkts bytes target     prot opt in     out     source destination

Chain POSTROUTING (policy ACCEPT 227 packets, 14178 bytes)
num   pkts bytes target     prot opt in     out     source destination
1        0     0 LOG        0    --  *      *       0.0.0.0/0 0.0.0.0/0           MARK match 0x2 LOG flags 0 level 4 prefix ` MARK IPP2P '

Chain OUTPUT (policy ACCEPT 226 packets, 14172 bytes)
num   pkts bytes target     prot opt in     out     source destination
1        0     0 LOG        0    --  *      *       0.0.0.0/0 0.0.0.0/0           MARK match 0x2 LOG flags 0 level 4 prefix ` MARK IPP2P '

T o M

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


* Re: [LARTC] Marks not working...
  2007-02-03  1:44 [LARTC] Marks not working tomdeb
@ 2007-02-06 20:08 ` Andrew Beverley
  0 siblings, 0 replies; 2+ messages in thread
From: Andrew Beverley @ 2007-02-06 20:08 UTC (permalink / raw)
  To: lartc

Are you using your firewall as a router, ie is the p2p traffic coming
from another PC through the firewall?

If so, I think your rules need to go in the FORWARD chain not in the
OUTPUT chain.

Another thing to remember is that ipp2p is not 100% reliable at
matching. Have you tried something simpler first such as matching on
source address?

Andy Beverley


On Sat, 2007-02-03 at 01:44 +0000, tomdeb wrote:
> Hi,
> 
> I am experimenting a little bit with my firewall and I don't seem to get
> my head round marks ...
> 
> I try to mark p2p packets generated on the firewall in the output chain
> and then try to match that mark either in NAT OUTPUT or POSTROUTING.
> 
> I don't seem to get the expected result. 
> 
> Any help or clue would be more than welcome.
> 
> 
> root@droopy:~/firewall > iptables-view -t mangle
> Chain PREROUTING (policy ACCEPT 33890 packets, 16M bytes)
> num   pkts bytes target     prot opt in     out     source destination
> 
> Chain INPUT (policy ACCEPT 24751 packets, 12M bytes)
> num   pkts bytes target     prot opt in     out     source destination
> 
> Chain FORWARD (policy ACCEPT 9146 packets, 4557K bytes)
> num   pkts bytes target     prot opt in     out     source destination
> 
> Chain OUTPUT (policy ACCEPT 59M packets, 61G bytes)
> num   pkts bytes target     prot opt in     out     source destination
> 1        3   324 LOG        0    --  *      *       0.0.0.0/0 0.0.0.0/0           ipp2p v0.8.2 --ipp2p LOG flags 0 level 4 prefix ` OUT IPP2P '
> 2        3   324 MARK       0    --  *      *       0.0.0.0/0 0.0.0.0/0           ipp2p v0.8.2 --ipp2p MARK set 0x2
> 
> Chain POSTROUTING (policy ACCEPT 32911 packets, 7397K bytes)
> num   pkts bytes target     prot opt in     out     source destination
> 
> root@droopy:~/firewall > iptables-view -t nat
> Chain PREROUTING (policy ACCEPT 973 packets, 62249 bytes)
> num   pkts bytes target     prot opt in     out     source destination
> 
> Chain POSTROUTING (policy ACCEPT 227 packets, 14178 bytes)
> num   pkts bytes target     prot opt in     out     source destination
> 1        0     0 LOG        0    --  *      *       0.0.0.0/0 0.0.0.0/0           MARK match 0x2 LOG flags 0 level 4 prefix ` MARK IPP2P '
> 
> Chain OUTPUT (policy ACCEPT 226 packets, 14172 bytes)
> num   pkts bytes target     prot opt in     out     source destination
> 1        0     0 LOG        0    --  *      *       0.0.0.0/0 0.0.0.0/0           MARK match 0x2 LOG flags 0 level 4 prefix ` MARK IPP2P '
> 
> T o M
> 
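The listings in the original post carry the answer in their counters: the MARK rule in mangle OUTPUT hit 3 packets, while both "MARK match 0x2" rules in the nat table hit none, and nat OUTPUT saw only 226 packets against 59M in mangle OUTPUT. The nat table is consulted only for the first packet of each connection; a mark that a payload match such as ipp2p applies to later packets of an established connection can therefore never be tested there. The script below is an added example, not code from either poster: it parses pasted `iptables -t <table> -vnL --line-numbers` transcripts (the poster's `iptables-view` wrapper is assumed to produce that format), lists every rule that sets or tests a packet mark, and reports mark tests whose counters show they are unreachable. The sample transcript is constructed to mirror the thread's listing, and the helper names are this example's own.

```python
"""Check that packet marks set in one iptables table can be matched where
they are tested, from pasted `iptables -vnL --line-numbers` output.
Added example; parse_transcript/find_mark_rules/diagnose are assumed names."""
import re
from typing import Dict, List, Tuple

# The poster's `iptables-view` wrapper is assumed to print plain listings;
# any prompt line naming the table with -t starts a new table here.
TABLE_RE = re.compile(r"iptables\S*\s+-t\s+(\S+)")
CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\S+) packets, (\S+) bytes\)")
MARK_SET_RE = re.compile(r"\bMARK (?:set|xset|or|and|xor) (0x[0-9a-fA-F]+)")
MARK_MATCH_RE = re.compile(r"\b(?:MARK|mark) match (0x[0-9a-fA-F]+)")
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}

Table = Dict[str, dict]                          # chain -> {"policy", "policy_pkts", "rules"}
MarkRule = Tuple[str, str, int, str, int, int]   # table, chain, num, kind, mark, pkts


def parse_count(tok: str) -> int:
    """iptables -v abbreviates counters (59M, 4557K); expand them to integers."""
    if tok[-1] in SUFFIX:
        return int(float(tok[:-1]) * SUFFIX[tok[-1]])
    return int(tok)


def parse_transcript(text: str) -> Dict[str, Table]:
    """Return {table: {chain: {...}}} from one or more pasted listings."""
    tables: Dict[str, Table] = {}
    table = chain = None
    for line in text.splitlines():
        t = TABLE_RE.search(line)
        if t:                                    # prompt line: "... -t mangle"
            table, chain = t.group(1), None
            tables.setdefault(table, {})
            continue
        c = CHAIN_RE.match(line)
        if c and table is not None:
            chain = c.group(1)
            tables[table][chain] = {"policy": c.group(2),
                                    "policy_pkts": parse_count(c.group(3)), "rules": []}
            continue
        if chain is None or not line[:1].isdigit():
            continue                             # column header or blank line
        # num pkts bytes target prot opt in out source destination [match text]
        f = line.split(None, 10)
        tables[table][chain]["rules"].append({
            "num": int(f[0]), "pkts": parse_count(f[1]), "bytes": parse_count(f[2]),
            "target": f[3], "extra": f[10] if len(f) > 10 else ""})
    return tables


def find_mark_rules(tables: Dict[str, Table]) -> List[MarkRule]:
    """Every rule that sets a packet mark or tests one, with its hit counter."""
    found: List[MarkRule] = []
    for table, chains in tables.items():
        for chain, info in chains.items():
            for r in info["rules"]:
                for kind, rx in (("set", MARK_SET_RE), ("match", MARK_MATCH_RE)):
                    m = rx.search(r["extra"])
                    if m:
                        found.append((table, chain, r["num"], kind, int(m.group(1), 16), r["pkts"]))
    return found


def diagnose(tables: Dict[str, Table]) -> List[str]:
    """Explain mark tests whose counters show they cannot be reached."""
    rules = find_mark_rules(tables)
    set_hits: Dict[int, int] = {}                # mark -> packets it was applied to
    for _, _, _, kind, mark, pkts in rules:
        if kind == "set":
            set_hits[mark] = set_hits.get(mark, 0) + pkts
    findings = []
    for table, chain, num, kind, mark, pkts in rules:
        if kind != "match":
            continue
        where = f"{table} {chain} rule {num} (mark {mark:#x})"
        if mark not in set_hits:
            findings.append(f"{where}: no rule sets this mark")
        elif set_hits[mark] == 0:
            findings.append(f"{where}: the rule setting this mark has matched no packets")
        elif pkts == 0 and table == "nat":
            findings.append(f"{where}: 0 hits although the mark was applied to "
                            f"{set_hits[mark]} packets; the nat table sees only the first "
                            "packet of each connection, so a mark applied by a payload match "
                            "(e.g. ipp2p) to later packets is never seen there. Test the mark "
                            "in mangle or filter, or carry it onto the connection with CONNMARK")
        elif pkts == 0:
            findings.append(f"{where}: 0 hits; check that this chain runs after the mark is set")
    return findings


# Constructed sample, mirroring the listing posted in this thread.
SAMPLE = """\
root@droopy:~/firewall > iptables-view -t mangle
Chain OUTPUT (policy ACCEPT 59M packets, 61G bytes)
num   pkts bytes target     prot opt in     out     source destination
1        3   324 LOG        0    --  *      *       0.0.0.0/0 0.0.0.0/0           ipp2p v0.8.2 --ipp2p LOG flags 0 level 4 prefix ` OUT IPP2P '
2        3   324 MARK       0    --  *      *       0.0.0.0/0 0.0.0.0/0           ipp2p v0.8.2 --ipp2p MARK set 0x2

root@droopy:~/firewall > iptables-view -t nat
Chain POSTROUTING (policy ACCEPT 227 packets, 14178 bytes)
num   pkts bytes target     prot opt in     out     source destination
1        0     0 LOG        0    --  *      *       0.0.0.0/0 0.0.0.0/0           MARK match 0x2 LOG flags 0 level 4 prefix ` MARK IPP2P '

Chain OUTPUT (policy ACCEPT 226 packets, 14172 bytes)
num   pkts bytes target     prot opt in     out     source destination
1        0     0 LOG        0    --  *      *       0.0.0.0/0 0.0.0.0/0           MARK match 0x2 LOG flags 0 level 4 prefix ` MARK IPP2P '
"""

if __name__ == "__main__":
    for finding in diagnose(parse_transcript(SAMPLE)):
        print(finding)
```

Run against the sample it reports both nat-table rules as unreachable; the same counters also answer the reply's question, since the mark rule in mangle OUTPUT did hit locally generated packets, so moving the rules to FORWARD would not change what the nat table can see. Pipe a real `iptables -t mangle -vnL --line-numbers; iptables -t nat -vnL --line-numbers` transcript into parse_transcript to check a live ruleset the same way.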

