Barton Hodges wrote:
> Hi Folks,
>
> I'm using a 2.4.x kernel and TC from the iproute2 package
> so that I can limit traffic through my gateway. I'm using this
> to mark packets when they leave the LAN:
>
> /sbin/ipchains -A forward -j MASQ -i eth0 -s 192.168.1.0/24 -d 0.0.0.0/0 -m 1
>
> When the packets return, I need to have them marked again so that
> the ingress filter will limit the bandwidth in the opposite direction.
>
> The only way I have found to do this is to mark EVERY packet like this:
>
> /sbin/ipchains -A input -i eth0 -s 0.0.0.0/0 -d 12.10.109.52/32 -m 1
>
> This works, but what I would really like to do is mark the
> 192.168.1.0/24 packets instead (after they have been "un-masq'ed"),
> so that I can limit bandwidth on each interface in the gateway box.
>
> Is this possible?
>
> Thanks,
>
> Barton

If you use iptables, it's easy. Your rules will see the demasqueraded
destination addresses and you can just mark those.

Since you're using ipchains, you must have the ipchains backwards
compatibility module, so I imagine masqueraded packets are still
exclusively using the port range 61000:65096. Check if this is the case.
If so, you can just fwmark the incoming packets within that destination
port range.

BTW, I thought you couldn't control incoming traffic because you can't
control when the packets arrive; you can only shape outgoing traffic.
Is this not true?

raf

_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- THIS INCLUDES UNSUBSCRIBING! or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting. You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
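The iptables route raf points at, written out as an added example (this is not code from the thread or from either poster). It assumes the gateway's LAN-facing interface is eth1 (the post only names eth0 as the external side), a download cap of 512kbit and a 100mbit LAN link (both placeholders), and an iptables kernel with a FORWARD chain in the mangle table (present from 2.4.18 on, to my knowledge) and HTB (mainline from 2.4.20, patched earlier). The reply packets are marked in mangle FORWARD, which is traversed after conntrack has rewritten the destination back to the 192.168.1.0/24 host, so the match is on the private address rather than on every packet to 12.10.109.52. To answer raf's question in passing: the replies are not shaped on the interface they arrive on but on the egress of the LAN interface, where the gateway does control when they are sent. With DRY_RUN=1 (the default) the script only prints the commands, so it can be reviewed before being run as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the original thread: mark masqueraded reply
# traffic with iptables after conntrack has de-NATed it, then shape it on
# the LAN-side egress. DRY_RUN=1 (default) prints the commands; DRY_RUN=0
# applies them (needs root, iptables and tc).

WAN_IF="${WAN_IF:-eth0}"             # external interface, as in the post
LAN_IF="${LAN_IF:-eth1}"             # ASSUMPTION: LAN-facing interface name
LAN_NET="${LAN_NET:-192.168.1.0/24}" # LAN range from the post
MARK="${MARK:-1}"                    # fwmark value used in the post
RATE_DOWN="${RATE_DOWN:-512kbit}"    # ASSUMPTION: download cap, pick your own
RATE_LAN="${RATE_LAN:-100mbit}"      # ASSUMPTION: LAN link speed
DRY_RUN="${DRY_RUN:-1}"

# Print a command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Masquerade LAN traffic leaving on WAN_IF (iptables equivalent of the
# ipchains MASQ rule in the post).
nat_rules() {
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Mark both directions. The mangle FORWARD chain is traversed after
# conntrack has rewritten a reply's destination back to the LAN host, so
# "-d LAN_NET" matches. (mangle PREROUTING runs before the NAT hook and
# would still see the public address 12.10.109.52.)
mark_rules() {
    run iptables -t mangle -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -j MARK --set-mark "$MARK"
    run iptables -t mangle -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$LAN_NET" \
        -j MARK --set-mark "$MARK"
}

# Shape the marked replies on the egress of the LAN interface. Packets that
# have already arrived on WAN_IF cannot be held back, but they can be
# queued or dropped before being sent out LAN_IF, which throttles the
# remote TCP senders. Unmarked traffic falls into the default class 1:20.
shape_rules() {
    run tc qdisc add dev "$LAN_IF" root handle 1: htb default 20
    run tc class add dev "$LAN_IF" parent 1: classid 1:10 htb rate "$RATE_DOWN" ceil "$RATE_DOWN"
    run tc class add dev "$LAN_IF" parent 1: classid 1:20 htb rate "$RATE_LAN"
    run tc filter add dev "$LAN_IF" parent 1: protocol ip prio 1 handle "$MARK" fw flowid 1:10
}

# Counters to confirm that packets are being marked and land in class 1:10.
check_rules() {
    run iptables -t mangle -L FORWARD -v -n
    run tc -s class show dev "$LAN_IF"
}

main() {
    nat_rules
    mark_rules
    shape_rules
}

main
```

The inbound mark rule is the one that replaces the "mark EVERY packet" rule from the post: it fires only for packets whose destination has already been translated back into 192.168.1.0/24. After applying with DRY_RUN=0, `check_rules` shows the per-rule packet counters and the per-class byte counts, which is the quickest way to confirm that the fwmark filter on eth1 is actually catching the marked replies.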
