wilu
n00b
Joined: 13 Apr 2006
Posts: 4
Location: Cracow (PL)
|
 Posted: Sun Nov 11, 2007 4:55 pm Post subject: Marking packets (ipp2p) |
 |
|
I need to perform a simple packet filtering - obviously against p2p...
So, the most elementary packets classification - p2p ant not p2p.
I've read ipp2p doc and there's an example, that nearly satisfies my needs. | Code: | 01# iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
02# iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT
03# iptables -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 1
04# iptables -t mangle -A PREROUTING -p tcp -m mark --mark 1 -j CONNMARK --save-mark |
So, iptables marks all known p2p packets. What about the rest of packets (not p2p)? I'd like to mark them too in order to perform some shaping afterwards. I've tried the simplest extension of above mentioned code, meaning | Code: | 01# iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
02# iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT
03# iptables -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -j MARK --set-mark 2
04# iptables -t mangle -A PREROUTING -p tcp -m mark --mark 1 -j CONNMARK --save-mark |
I expected that the packets which do not satisfy rule 3 will be marked in accordance with next rule, that doesn't impose any requirement.
The problem is, there are no differences in both two - indeed, p2p connections get appropriate mark, but all the other connections remain unchanged (mark=0).
I doubt if it makes any difference, but I'm trying to mark packets in a FORWARD chain (mangle table of course).
Suggestions? |
|
Networking & Security
