From: Askar <askarali@gmail.com>
To: netfilter <netfilter@lists.netfilter.org>
Subject: Re: MARKing question
Date: Tue, 1 Feb 2005 10:18:40 +0500
Message-ID: <a0f69e505013121185a3133fd@mail.gmail.com>
In-Reply-To: <20050131162531.GA24980@bender.817west.com>

On Mon, 31 Jan 2005 11:25:31 -0500, Jason Opperisano <opie@817west.com> wrote:
> On Mon, Jan 31, 2005 at 03:29:32PM +0500, Askar wrote:
> > hi list,
> >
> > I'm MARKing packets in PREROUTING of mangle with the below rule to
> > route them through a route other than the default route (iproute2 +
> > iptables).
> >
> > $iptables -A PREROUTING -i eth0 -t mangle -s 202.xxx.xxx.0/24 -d 0/0
> > -p tcp --dport 80 -j MARK --set-mark 4
> >
> > What I want is to exclude a single IP from the above from being MARKed, i.e.
> > that particular IP's packets go through the default route of the firewall
> > machine, not through the iproute2 route.
> >
> > Is this possible with iptables or do I have to apply pom (extensions) to
> > accomplish this?
> 
> two thoughts:  1) ACCEPT the packet from the "excluded IP" prior to the
> mark rule or 2) reset the MARK on packets from the "excluded IP" after
> the mark rule.
> 
> version 1:
> 
>   iptables -t mangle -A PREROUTING -i eth0 -p tcp -s $EXCLUDED_IP \
>     --dport 80 -j ACCEPT
> 
>   iptables -t mangle -A PREROUTING -i eth0 -p tcp -s 202.xxx.xxx.0/24 \
>     --dport 80 -j MARK --set-mark 4
Thanks Jason, I went with version 2 and it worked.

> 
> version 2:
> 
>   iptables -t mangle -A PREROUTING -i eth0 -p tcp -s 202.xxx.xxx.0/24 \
>     --dport 80 -j MARK --set-mark 4
> 
>   iptables -t mangle -A PREROUTING -i eth0 -p tcp -s $EXCLUDED_IP \
>     --dport 80 -j MARK --set-mark 0
> 
> version 1 gets packets from $EXCLUDED_IP out of the mangle PREROUTING
> chain as quickly as possible.
> 
> version 2 allows packets from $EXCLUDED_IP to continue to traverse
> mangle PREROUTING in case you want to do other stuff to it.
> 
> which one is "better" would depend on your specific situation.
> 
> -j
> 
> --
> "I saw this in a movie about a bus that had to SPEED around a city,
>  keeping its SPEED over fifty, and if its SPEED dropped, it would
>  explode. I think it was called, 'The Bus That Couldn't Slow Down.'"
>         --The Simpsons
> 
> 


-- 
(after bouncing head on desk for days trying to get mine working, I'll make
your life a little easier)
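Added example, not from the thread or from netfilter itself: a small Python model of how the mangle PREROUTING chain evaluates Jason's two versions (rules tried in order, ACCEPT terminating the chain, MARK non-terminating). It uses constructed addresses 192.0.2.0/24 and 192.0.2.50 in place of 202.xxx.xxx.0/24 and $EXCLUDED_IP, a trailing LOG rule as the "other stuff" a later rule might do, and also shows why the order of the two MARK rules in version 2 matters.

```python
import ipaddress

# Constructed values standing in for the thread's 202.xxx.xxx.0/24 and $EXCLUDED_IP.
LAN = "192.0.2.0/24"
EXCLUDED_IP = "192.0.2.50"

def rule(src, target, mark=None):
    """One mangle PREROUTING rule: match on source address, then jump to target."""
    return {"src": ipaddress.ip_network(src, strict=False), "target": target, "mark": mark}

def traverse(chain, src_ip):
    """Walk the chain for a packet from src_ip the way iptables does: rules are
    tried in order, ACCEPT ends traversal of this chain, MARK sets the mark and
    lets the packet continue, LOG (the "other stuff") is also non-terminating.
    Returns (final mark, list of targets that fired)."""
    src = ipaddress.ip_address(src_ip)
    mark, fired = 0, []
    for r in chain:
        if src not in r["src"]:
            continue
        fired.append(r["target"])
        if r["target"] == "ACCEPT":
            break                 # terminating: the rest of the chain is skipped
        if r["target"] == "MARK":
            mark = r["mark"]      # non-terminating: keep going
    return mark, fired

# Version 1: ACCEPT the excluded host before the MARK rule.
VERSION_1 = [rule(EXCLUDED_IP, "ACCEPT"),
             rule(LAN, "MARK", 4),
             rule("0.0.0.0/0", "LOG")]

# Version 2: MARK the whole subnet, then reset the mark for the excluded host.
VERSION_2 = [rule(LAN, "MARK", 4),
             rule(EXCLUDED_IP, "MARK", 0),
             rule("0.0.0.0/0", "LOG")]

# Version 2 with the two MARK rules swapped: the subnet rule runs last and
# re-marks the excluded host, so the exclusion silently does nothing.
VERSION_2_MISORDERED = [rule(EXCLUDED_IP, "MARK", 0),
                        rule(LAN, "MARK", 4),
                        rule("0.0.0.0/0", "LOG")]

def compare(src_ip):
    """Final mark and fired targets for src_ip under each rule set."""
    return {name: traverse(chain, src_ip) for name, chain in
            (("v1", VERSION_1), ("v2", VERSION_2), ("v2_misordered", VERSION_2_MISORDERED))}
```

For the excluded host, version 1 leaves the chain after a single ACCEPT and the LOG rule never sees it, while version 2 ends with mark 0 and still reaches LOG; the misordered variant ends with mark 4, which is the symptom to look for if a version 2 exclusion appears not to work.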
