* MARKing question
From: Askar @ 2005-01-31 10:29 UTC
  To: netfilter

hi list, 

I'm MARKing packets in PREROUTING of mangle with the below rule to
route them through a route other than the default route (iproute2 +
iptables).

$iptables -A PREROUTING -i eth0 -t mangle -s 202.xxx.xxx.0/24 -d 0/0
-p tcp --dport 80 -j MARK --set-mark 4

What I want is to exclude a single IP from the above so it is not MARKed, i.e.
that particular IP's packets go through the default route of the firewall
machine, not through the iproute2 route.

Is this possible with iptables, or do I have to apply pom (extensions) to
accomplish this?

regards

Askar

(after bouncing head on desk for days trying to get mine working, I'll make
your life a little easier)



* Re: MARKing question
From: Jason Opperisano @ 2005-01-31 16:25 UTC
  To: netfilter

On Mon, Jan 31, 2005 at 03:29:32PM +0500, Askar wrote:
> hi list, 
> 
> I'm MARKing packets in PREROUTING of mangle with the below rule to
> route them through a route other than the default route (iproute2 +
> iptables).
> 
> $iptables -A PREROUTING -i eth0 -t mangle -s 202.xxx.xxx.0/24 -d 0/0
> -p tcp --dport 80 -j MARK --set-mark 4
> 
> What I want is to exclude a single IP from the above so it is not MARKed, i.e.
> that particular IP's packets go through the default route of the firewall
> machine, not through the iproute2 route.
> 
> Is this possible with iptables, or do I have to apply pom (extensions) to
> accomplish this?

two thoughts:  1) ACCEPT the packet from the "excluded IP" prior to the
mark rule or 2) reset the MARK on packets from the "excluded IP" after
the mark rule.

version 1:

  iptables -t mangle -A PREROUTING -i eth0 -p tcp -s $EXCLUDED_IP \
    --dport 80 -j ACCEPT

  iptables -t mangle -A PREROUTING -i eth0 -p tcp -s 202.xxx.xxx.0/24 \
    --dport 80 -j MARK --set-mark 4

version 2:

  iptables -t mangle -A PREROUTING -i eth0 -p tcp -s 202.xxx.xxx.0/24 \
    --dport 80 -j MARK --set-mark 4

  iptables -t mangle -A PREROUTING -i eth0 -p tcp -s $EXCLUDED_IP \
    --dport 80 -j MARK --set-mark 0

version 1 gets packets from $EXCLUDED_IP out of the mangle PREROUTING
chain as quickly as possible.

version 2 allows packets from $EXCLUDED_IP to continue to traverse
mangle PREROUTING in case you want to do other stuff to it.

which one is "better" would depend on your specific situation.

-j

--
"I saw this in a movie about a bus that had to SPEED around a city,
 keeping its SPEED over fifty, and if its SPEED dropped, it would
 explode. I think it was called, 'The Bus That Couldn't Slow Down.'"
        --The Simpsons



* Re: MARKing question
From: Askar @ 2005-02-01  5:18 UTC
  To: netfilter

On Mon, 31 Jan 2005 11:25:31 -0500, Jason Opperisano <opie@817west.com> wrote:
> On Mon, Jan 31, 2005 at 03:29:32PM +0500, Askar wrote:
> > hi list,
> >
> > I'm MARKing packets in PREROUTING of mangle with the below rule to
> > route them through a route other than the default route (iproute2 +
> > iptables).
> >
> > $iptables -A PREROUTING -i eth0 -t mangle -s 202.xxx.xxx.0/24 -d 0/0
> > -p tcp --dport 80 -j MARK --set-mark 4
> >
> > What I want is to exclude a single IP from the above so it is not MARKed, i.e.
> > that particular IP's packets go through the default route of the firewall
> > machine, not through the iproute2 route.
> >
> > Is this possible with iptables, or do I have to apply pom (extensions) to
> > accomplish this?
> 
> two thoughts:  1) ACCEPT the packet from the "excluded IP" prior to the
> mark rule or 2) reset the MARK on packets from the "excluded IP" after
> the mark rule.
> 
> version 1:
> 
>   iptables -t mangle -A PREROUTING -i eth0 -p tcp -s $EXCLUDED_IP \
>     --dport 80 -j ACCEPT
> 
>   iptables -t mangle -A PREROUTING -i eth0 -p tcp -s 202.xxx.xxx.0/24 \
>     --dport 80 -j MARK --set-mark 4
Thanks Jason, I went with version 2 and it worked.

> 
> version 2:
> 
>   iptables -t mangle -A PREROUTING -i eth0 -p tcp -s 202.xxx.xxx.0/24 \
>     --dport 80 -j MARK --set-mark 4
> 
>   iptables -t mangle -A PREROUTING -i eth0 -p tcp -s $EXCLUDED_IP \
>     --dport 80 -j MARK --set-mark 0
> 
> version 1 gets packets from $EXCLUDED_IP out of the mangle PREROUTING
> chain as quickly as possible.
> 
> version 2 allows packets from $EXCLUDED_IP to continue to traverse
> mangle PREROUTING in case you want to do other stuff to it.
> 
> which one is "better" would depend on your specific situation.
> 
> -j
> 
> --
> "I saw this in a movie about a bus that had to SPEED around a city,
>  keeping its SPEED over fifty, and if its SPEED dropped, it would
>  explode. I think it was called, 'The Bus That Couldn't Slow Down.'"
>         --The Simpsons
> 
> 


-- 
(after bouncing head on desk for days trying to get mine working, I'll make
your life a little easier)

