From: ph4ke
Date: Thu, 06 Nov 2003 08:29:54 +0000
Subject: [LARTC] Finally got FWMARK to work
To: lartc@vger.kernel.org

Hi List,

Only signed up recently and posted the problem that we had with FWMARK.
Got it solved, so if anyone has the same problem, maybe this could help:

The problem with the (redhat) 2.4.20 kernel was that when doing ethernet
bridging, packets seemed to bypass iptables rules, thus no marking occurs.
Apparently there is a patch available to allow firewalling on the bridge but
I didn't bother to use it. Funny thing is that the kernel that comes with
RH 7.3 actually does let bridged packets be filtered by iptables.

We finally opted for the 2.6.0-test1 kernel and everything is working fine
now. Iptables is marking the bridged packets, and tc is queuing them as the
filters dictate.

Just thought I'd share that.

Limiting the outgoing ftp involved a little iptables sorcery.
See, the problem is that we want to limit outgoing ftp to a particular ip
range, but the ftp server actually sits on a webserver as well.
So I tried these rules to mark the packets, looks like it's working fine. If
there is a better way to accomplish this, please let me know, because I'm
sure this isn't the best way:

target  prot opt source          destination
MARK    tcp  --  100.200.100.10  xxx.xxx.xxx.xxx  state RELATED,ESTABLISHED MARK set 0x1   ## ftp marking rule
MARK    tcp  --  anywhere        anywhere         tcp spt:http MARK set 0xa
MARK    udp  --  anywhere        anywhere         udp spt:http MARK set 0xa

0x1 goes to the htb class where we limit the traffic
0xa just goes to an htb class with a sfq qdisc attached to it
Everything else also goes to the sfq by default

So this works fine. FTP downloads from the limited range are limited nicely,
and uploads of "new" files from that range are fast, just like they should be.
The only thing is that when you upload from the range and overwrite files on
the ftp server, it gets limited just like if you were doing a download. This
is extremely odd to me and if anyone has any ideas of why this might happen
please give me a shout.

Regards,
Cilliè

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
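The marking and queueing described in the post, written out as a script so the whole chain (iptables MARK in mangle, HTB classes, `fw` filters keyed on the mark) can be seen in one place. This is an added example, not Cilliè's own configuration. Everything the post does not state is an assumption: the egress interface (eth0), the mangle FORWARD chain (the box is a bridge, so forwarded frames are where the marks are applied), 203.0.113.0/24 standing in for the masked xxx.xxx.xxx.xxx range, and the HTB rates. It prints the commands by default; `DRY_RUN=0` as root applies them.

```shell
#!/bin/sh
# Added example reconstructing the post's fwmark + HTB setup.
# Assumptions not in the post: IFACE, the mangle FORWARD chain,
# LIMITED_NET (stand-in for xxx.xxx.xxx.xxx), LIMIT_RATE and LINK_RATE.
set -eu

IFACE="${IFACE:-eth0}"                         # assumed egress interface
FTP_SERVER="${FTP_SERVER:-100.200.100.10}"     # from the post's listing
LIMITED_NET="${LIMITED_NET:-203.0.113.0/24}"   # assumed stand-in for the masked range
LIMIT_RATE="${LIMIT_RATE:-512kbit}"            # assumed rate for the limited class
LINK_RATE="${LINK_RATE:-10mbit}"               # assumed link rate
DRY_RUN="${DRY_RUN:-1}"                        # 1 = print commands, 0 = execute them

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Mark -> HTB class, as the post describes it: 0x1 is the limited class,
# 0xa the sfq class, and anything else lands in the sfq class by default.
classid_for_mark() {
    case "$1" in
        0x1|1)  echo "1:10" ;;
        0xa|10) echo "1:20" ;;
        *)      echo "1:20" ;;
    esac
}

mangle_rules() {
    run iptables -t mangle -F FORWARD   # note: clears any existing mangle FORWARD rules
    # ftp marking rule: established/related traffic from the ftp host to the range.
    run iptables -t mangle -A FORWARD -p tcp -s "$FTP_SERVER" -d "$LIMITED_NET" \
        -m state --state RELATED,ESTABLISHED -j MARK --set-mark 0x1
    # MARK is non-terminating, so these later rules re-mark the web server's
    # replies (spt:http in the listing) to 0xa. Rule order is what keeps http
    # from the same host out of the limited class.
    run iptables -t mangle -A FORWARD -p tcp --sport 80 -j MARK --set-mark 0xa
    run iptables -t mangle -A FORWARD -p udp --sport 80 -j MARK --set-mark 0xa
}

tc_setup() {
    run tc qdisc del dev "$IFACE" root 2>/dev/null || true
    # unmarked traffic falls into class 20 (the sfq class), as in the post.
    run tc qdisc add dev "$IFACE" root handle 1: htb default 20
    run tc class add dev "$IFACE" parent 1: classid 1:1 htb rate "$LINK_RATE"
    # 1:10 is the limited class: rate == ceil, so it can never borrow.
    run tc class add dev "$IFACE" parent 1:1 classid 1:10 htb rate "$LIMIT_RATE" ceil "$LIMIT_RATE"
    run tc class add dev "$IFACE" parent 1:1 classid 1:20 htb rate 1mbit ceil "$LINK_RATE"
    run tc qdisc add dev "$IFACE" parent 1:20 handle 20: sfq perturb 10
    # fw filters match the skb mark set by iptables; handle 10 is the post's 0xa.
    run tc filter add dev "$IFACE" parent 1: protocol ip prio 1 handle 1 fw classid "$(classid_for_mark 0x1)"
    run tc filter add dev "$IFACE" parent 1: protocol ip prio 1 handle 10 fw classid "$(classid_for_mark 0xa)"
}

mangle_rules
tc_setup
```

On a current kernel the bridge part of the post needs one more step: bridged frames only traverse iptables when the `br_netfilter` module is loaded and `net.bridge.bridge-nf-call-iptables` is 1; without that, marks are never set and every flow ends up in the default class, which looks exactly like the 2.4.20 symptom described above.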