iptables -t mangle -A OUTPUT -d 10.190.6.16 -j MARK --set-mark 20
iptables -t mangle -A OUTPUT -d 10.190.6.16 -j RETURN
tc filter add dev eth0 parent 1:0 prio 1 protocol ip handle 20 fw flowid 1:11
I expect data from the ssh server to my client 10.190.6.16 to go into 1:11, and other data to go into the default 1:13. But when I use an ssh client on another machine (not 10.190.6.16), the data also seems to go into 1:11 (I got this from tc -s -d class show dev eth0). Why?
Because you didn't flush the mangle table. Your example works ok for me. Add an iptables -t mangle -F before running the script.
"Catalin(ux aka Dino) BOIE" <[EMAIL PROTECTED]> wrote: On Thu, 27 Jan 2005, CcM wrote:
Now I want to control ports with IPs specified, like the following, but it seems not to work; only --sport has an effect. Ftp-data going to IPs other than 10.190.6.16 also goes into 1:12, while the default is 1:13. Why?
tc qdisc add dev eth0 root handle 1: htb default 13
tc class add dev eth0 parent 1: classid 1:1 htb rate 80000kbit ceil 80000kbit prio 1
tc class add dev eth0 parent 1:1 classid 1:11 htb rate 40kbit ceil 40kbit prio 1
tc class add dev eth0 parent 1:1 classid 1:12 htb rate 800kbit ceil 1600kbit prio 1
tc class add dev eth0 parent 1:1 classid 1:13 htb rate 70000kbit ceil 80000kbit prio 1
tc qdisc add dev eth0 parent 1:11 handle 111: sfq perturb 5
tc qdisc add dev eth0 parent 1:12 handle 112: sfq perturb 5
tc qdisc add dev eth0 parent 1:13 handle 113: sfq perturb 5
iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 22 -j MARK --set-mark 20
iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 22 -j RETURN
iptables -t mangle -A POSTROUTING -d 10.190.6.16 -p tcp --sport ftp-data -j MARK --set-mark 21
iptables -t mangle -A POSTROUTING -d 10.190.6.16 -p tcp --sport ftp-data -j RETURN
I bet you use passive mode in ftp so you get a weird port, not ftp-data (20). ftp is tricky to match. You can use this:
iptables -t mangle -A POSTROUTING -d x.x.x.x -m helper --helper ftp \
    -j MARK --set-mark 21
This will mark with 21 all ftp control+data connections.
tc filter add dev eth0 parent 1:0 prio 1 protocol ip handle 20 fw flowid 1:11
tc filter add dev eth0 parent 1:0 prio 1 protocol ip handle 21 fw flowid 1:12
"Catalin(ux aka Dino) BOIE" wrote: On Wed, 26 Jan 2005, CcM wrote:
It does work! Thanks! But many articles write it the way I did; what's the difference between POSTROUTING and PREROUTING? I mean, I know these are two hook points in the IP stack, but why should it be POSTROUTING here when doing mangle?
"Catalin(ux aka Dino) BOIE" wrote: Use:
iptables -t mangle -A POSTROUTING -p tcp -m tcp --sport 22 -j MARK \
    --set-mark 20
Because locally generated packets don't go through PREROUTING. But best is to use OUTPUT.
---
Catalin(ux aka Dino) BOIE
catab at deuroconsult.ro
http://kernel.umbrella.ro/
_______________________________________________
LARTC mailing list / [email protected]
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
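To make the three answers in this thread concrete (flush the mangle table first, PREROUTING never sees locally generated packets, use OUTPUT), here is an added illustration that is not code from the thread: a toy model of which netfilter mangle chains a packet traverses, replaying the poster's rules and the tc fw filters. Marks 20/21, classes 1:11/1:12/1:13 and 10.190.6.16 are from the thread; the address 10.190.6.99 and the "stale unflushed rule" scenario are constructed assumptions.

```python
# Toy model of netfilter mangle-chain traversal (added illustration, not the
# poster's or Catalin's code). Assumed/constructed: 10.190.6.99, UNFLUSHED.

# Chains a packet visits, in order, by where it comes from. Locally generated
# packets never see PREROUTING, which is the point of the last answer above.
HOOKS = {
    "local":     ["OUTPUT", "POSTROUTING"],
    "forwarded": ["PREROUTING", "FORWARD", "POSTROUTING"],
    "inbound":   ["PREROUTING", "INPUT"],
}

def packet(origin, dst, sport):
    return {"origin": origin, "dst": dst, "sport": sport}

def rule(chain, target, dst=None, sport=None):
    """target is ("MARK", n) or "RETURN"; dst/sport of None match anything."""
    return {"chain": chain, "target": target, "dst": dst, "sport": sport}

def fwmark(rules, pkt):
    """Walk pkt through its chains in rule order; return the final mark (0 = none)."""
    mark = 0
    for chain in HOOKS[pkt["origin"]]:
        for r in rules:
            if r["chain"] != chain:
                continue
            if r["dst"] is not None and r["dst"] != pkt["dst"]:
                continue
            if r["sport"] is not None and r["sport"] != pkt["sport"]:
                continue
            if r["target"] == "RETURN":   # -j RETURN in a built-in chain: stop here
                break
            mark = r["target"][1]         # -j MARK --set-mark n
    return mark

def flowid(mark):
    """The tc fw filters from the thread: handle 20 -> 1:11, 21 -> 1:12, else default 1:13."""
    return {20: "1:11", 21: "1:12"}.get(mark, "1:13")

# The poster's "-d 10.190.6.16 --sport 22" pair, placed in OUTPUT as advised.
CORRECTED = [
    rule("OUTPUT", ("MARK", 20), dst="10.190.6.16", sport=22),
    rule("OUTPUT", "RETURN",     dst="10.190.6.16", sport=22),
]
# Same rule in PREROUTING: never consulted for packets this host generates.
PREROUTING_ONLY = [rule("PREROUTING", ("MARK", 20), dst="10.190.6.16", sport=22)]
# Constructed: an older "--sport 22" rule survives because "-t mangle -F" was skipped,
# so ssh replies to every client get mark 20 and land in 1:11.
UNFLUSHED = [rule("OUTPUT", ("MARK", 20), sport=22)] + CORRECTED

if __name__ == "__main__":
    for name, rs in [("corrected", CORRECTED), ("prerouting", PREROUTING_ONLY), ("unflushed", UNFLUSHED)]:
        for dst in ("10.190.6.16", "10.190.6.99"):
            m = fwmark(rs, packet("local", dst, 22))
            print(f"{name:11} ssh reply to {dst}: mark {m} -> class {flowid(m)}")
```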
