Subject: [LARTC] Matching ftp - example
From: David Watson @ 2003-03-25 12:42 UTC (permalink / raw)
  To: lartc


After taking a look at the information available on this I was a little 
confused, so I'm posting my working configuration with a little bit of 
explanation. It avoids use of restore-mark, which was causing me trouble as 
I am using marking for QoS and routing control.

I hope this is helpful.

In my setup I have an FTP proxy on my firewall and I wanted to catch 
downloaded ftp traffic for QoS.

# Location of iptables

IPTABLES=/sbin/iptables

# Device facing the internet

EXTDEV=eth1

# uid of user that proxy runs as

FTP_PROXY=500

# Local networks; anything not in this range is treated as the internet
# (matched below with "! -d")

LOCALNET=192.168.0.0/16

# Marks for outgoing and incoming ftp proxy traffic

FTP_PROXY_TO_INTERNET=0x20
INTERNET_TO_FTP_PROXY=0x21

# Firstly I mark traffic from my proxy to the internet
# (packets owned by the proxy uid, plus anything local going to port 21)

$IPTABLES -t mangle -A OUTPUT -o $EXTDEV -m owner --uid-owner $FTP_PROXY \
	! -d $LOCALNET -j MARK --set-mark $FTP_PROXY_TO_INTERNET
$IPTABLES -t mangle -A OUTPUT -o $EXTDEV -p tcp ! -d $LOCALNET --dport 21 \
	-j MARK --set-mark $FTP_PROXY_TO_INTERNET

# Next I save the iptables mark to the connection tracking mark, but only 
# if the iptables mark is ftp proxy to internet

$IPTABLES -t mangle -A POSTROUTING -o $EXTDEV -m mark --mark $FTP_PROXY_TO_INTERNET \
	-j CONNMARK --save-mark

# Now we look for the connmark on incoming traffic and manually mark it as 
# incoming with the iptables mark,
# restoring the mark would give the same mark for outgoing and incoming, 
# but that might not be a problem for you.

$IPTABLES -t mangle -A PREROUTING -i $EXTDEV -m connmark --mark $FTP_PROXY_TO_INTERNET \
	-j MARK --set-mark $INTERNET_TO_FTP_PROXY



_____________________________________________________________
David Watson, Network Manager, Team17 Software Ltd.
Phone: +44-1924-267776			Fax: +44-1924-267658
_____________________________________________________________

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
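Added example, not part of the original post: a small model of how the packet mark (MARK), the connection mark (CONNMARK --save-mark) and the connmark match interact across the mangle OUTPUT, POSTROUTING and PREROUTING hooks, so the difference between the post's two-mark scheme and --restore-mark can be checked offline. The Conn/Packet classes, the hook functions and the single-uid OUTPUT rule are assumptions of this model, not kernel code; the port-21 rule from the post is left out.

```python
from dataclasses import dataclass

# Values taken from the post
FTP_PROXY_TO_INTERNET = 0x20
INTERNET_TO_FTP_PROXY = 0x21
FTP_PROXY_UID = 500  # uid the proxy runs as


@dataclass
class Conn:
    """One conntrack entry; the connmark lives as long as the connection."""
    connmark: int = 0


@dataclass
class Packet:
    conn: Conn
    uid: int = -1            # owning uid, only meaningful for local packets
    incoming: bool = False   # True when arriving on the external device
    mark: int = 0            # skb mark; every new packet starts at 0


def mangle_output(pkt):
    """OUTPUT: -m owner --uid-owner 500 -j MARK --set-mark 0x20"""
    if not pkt.incoming and pkt.uid == FTP_PROXY_UID:
        pkt.mark = FTP_PROXY_TO_INTERNET


def mangle_postrouting(pkt):
    """POSTROUTING: -m mark --mark 0x20 -j CONNMARK --save-mark"""
    if not pkt.incoming and pkt.mark == FTP_PROXY_TO_INTERNET:
        pkt.conn.connmark = pkt.mark


def mangle_prerouting(pkt, restore=False):
    """PREROUTING on the external device.
    restore=False: -m connmark --mark 0x20 -j MARK --set-mark 0x21 (the post)
    restore=True:  -j CONNMARK --restore-mark (copies connmark into the skb)"""
    if pkt.incoming and pkt.conn.connmark == FTP_PROXY_TO_INTERNET:
        pkt.mark = pkt.conn.connmark if restore else INTERNET_TO_FTP_PROXY


def marks_for_session(uid=FTP_PROXY_UID, restore=False):
    """Send one packet out and receive one reply on the same connection.
    Returns (outgoing mark, incoming mark), the values QoS/routing rules see."""
    conn = Conn()
    out = Packet(conn, uid=uid)
    mangle_output(out)
    mangle_postrouting(out)
    reply = Packet(conn, incoming=True)
    mangle_prerouting(reply, restore)
    return out.mark, reply.mark
```

With the post's rules the two directions end up with distinct marks (0x20 out, 0x21 in); with --restore-mark both carry 0x20, which is the overlap the post avoids.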
