ftp mark

ftp mark

[Krystian]

hi

i have a router/nating box with linux on it. can anybody tell me how to 
mark outgoing ftp active/passive connections ?

Krystian

RE: ftp mark

[Daniel Chemko]

Krystian wrote:
> hi
> 
> i have a router/nating box with linux on it. can anybody tell me how
> to mark outgoing ftp active/passive connections ?

If you mark a conntrack with the CONNMARK extension, the RELATED traffic
to that session are also marked. Otherwise, you have to make all RELATED
traffic with a single mark.

The best way to apply marks would be a sub-chain so that you can process
other operations after MARKING them. PS this is from memory so syntax
could be off a bit.

# Ingress marking (mostly for Ingress filters and Policy Routing)
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING -d 0/0 --dport 21 -j MARK --set-mark
0x111
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark

# Egress marking (mostly for QOS operations)
iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A POSTROUTING -o ${if_inet} --dport 21 -j MARK
--set-mark 0x111
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark