From: Askar <askarali@gmail.com>
To: netfilter <netfilter@lists.netfilter.org>
Subject: Re: MARKing question
Date: Tue, 1 Feb 2005 10:18:40 +0500
Message-ID: <a0f69e505013121185a3133fd@mail.gmail.com>
In-Reply-To: <20050131162531.GA24980@bender.817west.com>
On Mon, 31 Jan 2005 11:25:31 -0500, Jason Opperisano <opie@817west.com> wrote:
> On Mon, Jan 31, 2005 at 03:29:32PM +0500, Askar wrote:
> > hi list,
> >
> > I'm MARKing packets in PREROUTING of mangle with the below rule to
> > route them via a route other than the default route (iproute2 +
> > iptables).
> >
> > $iptables -A PREROUTING -i eth0 -t mangle -s 202.xxx.xxx.0/24 -d 0/0
> > -p tcp --dport 80 -j MARK --set-mark 4
> >
> > What I want is to exclude a single IP from the above from being MARKed, i.e.
> > that particular IP's packets go through the default route of the firewall
> > machine, not through the iproute2 route.
> >
> > Is this possible with iptables or do I have to apply pom (extensions) to
> > accomplish this?
>
> two thoughts: 1) ACCEPT the packet from the "excluded IP" prior to the
> mark rule or 2) reset the MARK on packets from the "excluded IP" after
> the mark rule.
>
> version 1:
>
> iptables -t mangle -A PREROUTING -i eth0 -p tcp -s $EXCLUDED_IP \
> --dport 80 -j ACCEPT
>
> iptables -t mangle -A PREROUTING -i eth0 -p tcp -s 202.xxx.xxx.0/24 \
> --dport 80 -j MARK --set-mark 4
Thanks Jason, I went with version 2 and it worked.
>
> version 2:
>
> iptables -t mangle -A PREROUTING -i eth0 -p tcp -s 202.xxx.xxx.0/24 \
> --dport 80 -j MARK --set-mark 4
>
> iptables -t mangle -A PREROUTING -i eth0 -p tcp -s $EXCLUDED_IP \
> --dport 80 -j MARK --set-mark 0
>
> version 1 gets packets from $EXCLUDED_IP out of the mangle PREROUTING
> chain as quickly as possible.
>
> version 2 allows packets from $EXCLUDED_IP to continue to traverse
> mangle PREROUTING in case you want to do other stuff to it.
>
> which one is "better" would depend on your specific situation.
>
> -j
>
> --
> "I saw this in a movie about a bus that had to SPEED around a city,
> keeping its SPEED over fifty, and if its SPEED dropped, it would
> explode. I think it was called, 'The Bus That Couldn't Slow Down.'"
> --The Simpsons
>
>
--
(after bouncing head on desk for days trying to get mine working, I'll make
your life a little easier)
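The complete setup the thread is circling around, as an added example that is not from the original messages: Jason's "version 2" mangle rules plus the iproute2 side (the fwmark rule and the alternate table) that makes the mark actually change routing. Interface names, the subnet, the excluded host, the gateway and the table number are assumptions for illustration; the script is a dry run by default and only executes the commands when APPLY=1 is set, since it needs root and a live netfilter stack.

```shell
#!/bin/sh
# Added example, not code from the thread: policy routing for a marked subnet
# with one excluded host, using the "version 2" ordering (mark, then clear).
# All addresses, interfaces and the table number are assumed values.
# Default is a dry run that prints the commands; set APPLY=1 to execute them.

LAN_IF=eth0                 # assumed inbound interface
LAN_NET=202.0.2.0/24        # assumed; stands in for the thread's 202.xxx.xxx.0/24
EXCLUDED_IP=202.0.2.10      # assumed host that must keep using the default route
MARK=4
ALT_TABLE=100               # assumed routing table for marked traffic
ALT_GW=198.51.100.1         # assumed alternate gateway
ALT_IF=eth1                 # assumed interface toward the alternate gateway

run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

mark_rules() {
    # Order matters: the MARK rule fires first, then the exclusion clears the
    # mark. MARK is non-terminating, so the packet keeps traversing the chain
    # and the last matching --set-mark wins.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp -s "$LAN_NET" \
        --dport 80 -j MARK --set-mark "$MARK"
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp -s "$EXCLUDED_IP" \
        --dport 80 -j MARK --set-mark 0
}

route_rules() {
    # A packet with mark 0 matches no fwmark rule, so the excluded host falls
    # through to the main table and the firewall's own default route.
    run ip route add default via "$ALT_GW" dev "$ALT_IF" table "$ALT_TABLE"
    run ip rule add fwmark "$MARK" table "$ALT_TABLE"
    run ip route flush cache
}

# Sanity check on the generated rule set: the clearing rule must come after
# the marking rule; if someone later inserts with -I instead of -A, the mark
# is re-applied after the clear and the exclusion silently stops working.
check_order() {
    rules=$(APPLY=0 mark_rules)
    set_line=$(printf '%s\n' "$rules" | grep -n -- "--set-mark $MARK" | cut -d: -f1)
    clr_line=$(printf '%s\n' "$rules" | grep -n -- "--set-mark 0" | cut -d: -f1)
    [ -n "$set_line" ] && [ -n "$clr_line" ] && [ "$set_line" -lt "$clr_line" ]
}

main() {
    check_order || { echo "mangle rule order is wrong" >&2; return 1; }
    mark_rules
    route_rules
}

main
```

Run it as-is to review the commands, then with `APPLY=1` as root to apply them. After applying, `iptables -t mangle -L PREROUTING -n --line-numbers` should list the `--set-mark 4` rule before the `--set-mark 0` rule, and `ip rule show` should show the fwmark entry above the main table.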
Thread overview: 3+ messages
2005-01-31 10:29 MARKing question Askar
2005-01-31 16:25 ` Jason Opperisano
2005-02-01 5:18 ` Askar [this message]