Re: iptables dnat, ebtables, mark

Jason Opperisano wrote:
On Wed, Nov 10, 2004 at 04:42:46PM +0100, Moritz Gartenmeister wrote:


is the first role in the mangle chain.
iptables -t mangle -A PREROUTING -m mark --mark 0x8 -j ACCEPT


are you filtering packets in MANGLE?

yes i do, but i don't drop packets, except malformed packets (like: if the packet is coming from inside, then it must have an ip from the private net 172.17.0.0/16, else drop).


and i use mark to classify packets:
mark 2 for all p2p-packets
mark 3 for all http-packets
and so on... (none with 8)

these marks are used later for tc.


one check rule in mangle POSTROUTING
iptables -t mangle -A POSTROUTING -m mark --mark 0x8 -j LOG --log-prefix IPT_MARK


are you getting logs out of this rule?  if so--do the src/dst IP's look
like they should?

yes they do. but i think, that not all packets are dnatted, although they are correctly marked.

my observation:
number of packets differ...
ebtables 213 packets
prerouting mangle 200 packets

these numbers should be the same, because there is no rule between.

prerouting nat 118 packets
postrouting mangle 93 packets

any explanations? the number should be at least the same. i don't understand this. the filter-rules seem to work properly...


i think you need to describe the relative locations of the client,
bridge, and web server.

users -- filter-server -- switch -- gw | | webserver



it sounds like it could be a routing problem.

hm... this is the only connection, which is routed. the rest of the traffic is just marked and shaped with tc.


moritz
--
Uplink student association
Moritz Gartenmeister
Bülachstrasse 1 F
8057 Zürich
Switzerland
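As an added diagnostic example (not code from the thread or either poster), the counter comparison Moritz did by hand can be scripted: read the packet counter of the mark-0x8 rule at each stage in traversal order and report every hop where it drops. The ebtables/iptables listing text and the stage order below are constructed samples that mirror the numbers quoted above (213/200/118/93), not real captures.

```python
"""Locate where packets carrying a given fwmark disappear between
netfilter stages, by comparing per-rule packet counters."""
import re

# Constructed samples in the shape of `ebtables -L --Lc` and
# `iptables -t <table> -L <chain> -v -n -x` output; listed in the order
# a bridged, DNATed packet traverses them. Values are made up.
SAMPLES = [
    ("ebtables PREROUTING",
     "Bridge chain: PREROUTING, entries: 1, policy: ACCEPT\n"
     "-p IPv4 --ip-proto tcp --ip-dport 80 -j mark --mark-set 0x8 "
     "--mark-target ACCEPT , pcnt = 213 -- bcnt = 15432\n"),
    ("mangle PREROUTING",
     "Chain PREROUTING (policy ACCEPT 5000 packets, 400000 bytes)\n"
     "    pkts      bytes target     prot opt in     out     source               destination\n"
     "     200    14000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x8\n"),
    ("nat PREROUTING",
     "Chain PREROUTING (policy ACCEPT 3000 packets, 210000 bytes)\n"
     "    pkts      bytes target     prot opt in     out     source               destination\n"
     "     118     8260 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x8 to:172.17.0.10:80\n"),
    ("mangle POSTROUTING",
     "Chain POSTROUTING (policy ACCEPT 4800 packets, 390000 bytes)\n"
     "    pkts      bytes target     prot opt in     out     source               destination\n"
     "      93     6510 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x8 LOG flags 0 level 4 prefix `IPT_MARK'\n"),
]

EBT_RE = re.compile(r"--mark-set (0x[0-9a-f]+).*?pcnt = (\d+)")   # ebtables -L --Lc
IPT_RE = re.compile(r"^\s*(\d+)\s+\d+\s+\S+.*mark match (0x[0-9a-f]+)")  # iptables -v -n -x

def mark_counter(text, mark):
    """Packet counter of the first rule in `text` that refers to `mark`, or None."""
    for line in text.splitlines():
        m = EBT_RE.search(line)
        if m and m.group(1) == mark:
            return int(m.group(2))
        m = IPT_RE.match(line)
        if m and m.group(2) == mark:
            return int(m.group(1))
    return None

def locate_loss(samples, mark):
    """Return (from_stage, to_stage, packets_lost) for each hop whose counter
    is lower than the previous stage's; fail loudly if a stage has no rule."""
    counts = [(name, mark_counter(text, mark)) for name, text in samples]
    missing = [name for name, c in counts if c is None]
    if missing:
        raise ValueError("no rule matching mark %s in: %s" % (mark, ", ".join(missing)))
    return [(a, b, ca - cb) for (a, ca), (b, cb) in zip(counts, counts[1:]) if cb < ca]

if __name__ == "__main__":
    for src, dst, lost in locate_loss(SAMPLES, "0x8"):
        print("%d packets marked 0x8 counted at %s did not reach %s" % (lost, src, dst))
```

Run it against real listings by replacing the sample strings with the output of the corresponding commands, taken in quick succession so the counters describe the same traffic.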