From: David Watson
Date: Tue, 25 Mar 2003 12:42:07 +0000
Subject: [LARTC] Matching ftp - example
To: lartc@vger.kernel.org

After taking a look at the information available on this I was a little confused, so I'm posting my working configuration with a little bit of explanation. It avoids use of restore-mark, which was causing me trouble as I am using marking for QoS and routing control. I hope this is helpful.

In my set-up I have an FTP proxy on my firewall and I wanted to catch downloaded ftp traffic for QoS.

# Location of iptables
IPTABLES=/sbin/iptables

# Device facing the internet
EXTDEV=eth1

# uid of user that proxy runs as
FTP_PROXY=500

# All networks that are not local (expands unquoted to the two
# arguments "! 192.168.0.0/16", i.e. the old-style iptables negation)
EXTERNAL="! 192.168.0.0/16"

# Marks for outgoing and incoming ftp proxy traffic
FTP_PROXY_TO_INTERNET=0x20
INTERNET_TO_FTP_PROXY=0x21

# Firstly I mark traffic from my proxy to the internet
$IPTABLES -t mangle -A OUTPUT -o $EXTDEV -m owner --uid-owner $FTP_PROXY -d $EXTERNAL -j MARK --set-mark $FTP_PROXY_TO_INTERNET
$IPTABLES -t mangle -A OUTPUT -o $EXTDEV -p TCP -d $EXTERNAL --dport 21 -j MARK --set-mark $FTP_PROXY_TO_INTERNET

# Next I save the iptables mark to the connection tracking mark, but only if the iptables mark is ftp proxy to internet
$IPTABLES -t mangle -A POSTROUTING -o $EXTDEV -m mark --mark $FTP_PROXY_TO_INTERNET -j CONNMARK --save-mark

# Now we look for the connmark on incoming traffic and manually mark it as incoming with the iptables mark;
# restoring the mark would give the same mark for outgoing and incoming, but that might not be a problem for you.
$IPTABLES -t mangle -A PREROUTING -i $EXTDEV -m connmark --mark $FTP_PROXY_TO_INTERNET -j MARK --set-mark $INTERNET_TO_FTP_PROXY

_____________________________________________________________
David Watson, Network Manager, Team17 Software Ltd.
Phone: +44-1924-267776 Fax: +44-1924-267658
_____________________________________________________________

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
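As an added illustration (not part of the original post), the following Python model walks a packet through the three mangle hooks the rules above use, so you can see why the poster sets the inbound mark explicitly instead of using CONNMARK --restore-mark: restore-mark would hand the reply the same 0x20 the request carried, while the explicit rule yields 0x21. The conntrack table, packet records and addresses are constructed here; uid, ports and mark values are the post's.

```python
from dataclasses import dataclass, field

FTP_PROXY_UID = 500            # uid the FTP proxy runs as (from the post)
FTP_PROXY_TO_INTERNET = 0x20   # outgoing mark (from the post)
INTERNET_TO_FTP_PROXY = 0x21   # incoming mark (from the post)
LOCAL_PREFIX = "192.168."      # stands in for "! 192.168.0.0/16"


@dataclass
class Packet:
    src: str
    dst: str
    uid: int = 0      # owner of a locally generated packet (root by default)
    dport: int = 0    # TCP destination port, 0 if not relevant
    mark: int = 0     # netfilter packet mark (fwmark)


@dataclass
class Conntrack:
    # Constructed stand-in for the conntrack table: (src, dst) -> connmark.
    marks: dict = field(default_factory=dict)


def is_external(addr: str) -> bool:
    return not addr.startswith(LOCAL_PREFIX)


def mangle_output(pkt: Packet) -> Packet:
    """mangle OUTPUT: proxy-owned traffic, or port 21, to the internet."""
    if is_external(pkt.dst) and (pkt.uid == FTP_PROXY_UID or pkt.dport == 21):
        pkt.mark = FTP_PROXY_TO_INTERNET
    return pkt


def mangle_postrouting(pkt: Packet, ct: Conntrack) -> Packet:
    """mangle POSTROUTING: CONNMARK --save-mark, only for the proxy mark."""
    if pkt.mark == FTP_PROXY_TO_INTERNET:
        ct.marks[(pkt.src, pkt.dst)] = pkt.mark
    return pkt


def mangle_prerouting(pkt: Packet, ct: Conntrack, restore_mark: bool) -> Packet:
    """mangle PREROUTING on the external device. restore_mark=False is the
    poster's explicit rule; restore_mark=True models --restore-mark instead."""
    connmark = ct.marks.get((pkt.dst, pkt.src), 0)   # reply: tuple reversed
    if restore_mark:
        pkt.mark = connmark
    elif connmark == FTP_PROXY_TO_INTERNET:
        pkt.mark = INTERNET_TO_FTP_PROXY
    return pkt


def simulate(dst: str, uid: int, dport: int = 0, restore_mark: bool = False):
    """Send one packet out and receive its reply; return (out mark, reply mark)."""
    ct = Conntrack()
    out = mangle_postrouting(mangle_output(Packet("192.168.1.1", dst, uid, dport)), ct)
    reply = mangle_prerouting(Packet(dst, "192.168.1.1"), ct, restore_mark)
    return out.mark, reply.mark
```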