Matt Harrison wrote:
> Hi all,
>
> I'm a long-time user of iptables but recently decided to move to try out
> shorewall and after a bit of trial and error I'm getting on ok with it.
>
> I am trying to implement traffic shaping with TC and I'm having problems
> marking the packets to go into the right queues.
>
> My classes are very basic at the moment, 1 is for high priority real-time
> traffic (ssh), 2 is for http bulk traffic, and 10 is everything else.
>
> I'm trying to use a rule to mark everything going from internal to external
> port 22 with 1:
>
> 1:11 0.0.0.0/0 0.0.0.0/0 tcp 22
> CONTINUE 0.0.0.0/0 0.0.0.0/0 tcp 22
>
> I've also tried with 1 instead of 1:11 and I've tried without CONTINUEs.
> Unfortunately, everything gets dropped down to the 10 queue.
>
> Can anyone supply me with a clue how to mark my packets for ssh, http and
> everything else as final resort?
>
> I would really appreciate some pointers with this.

When marking rules don't work as expected, it is usually the result of failing to take into account which direction the packets are flowing relative to which way the connections were originally made.

Your rules above will only mark outgoing packets from connections that originate behind the firewall. Outgoing packets from connections that originate on the net and connect to SSH servers behind the firewall will have SOURCE PORT == 22 rather than DEST PORT == 22.

If that is not the problem in your case, please submit the output of 'shorewall dump' collected as described at http://www.shorewall.net/support.htm#Guidelines.

Thanks
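
The direction issue described in the reply, as an added example that is not part of the original thread: a simplified Python model (not Shorewall or iptables code) of which outgoing SSH packets a destination-port-only match catches. The class numbers 1 and 10 come from the question; the `Packet` fields, function names and client port are hypothetical.

```python
from dataclasses import dataclass

SSH = 22
SSH_CLASS = 1       # high-priority queue from the question
DEFAULT_CLASS = 10  # "everything else" queue from the question

@dataclass(frozen=True)
class Packet:
    origin: str     # side that opened the connection: "lan" or "net"
    leaving: bool   # True if the packet leaves via the external interface
    sport: int
    dport: int

def flow(origin, client_port=40000):
    """Both directions of one SSH connection, as seen at the firewall."""
    if origin == "lan":   # LAN client talking to an SSH server on the net
        outbound = Packet(origin, True, client_port, SSH)
        inbound = Packet(origin, False, SSH, client_port)
    else:                 # net client talking to an SSH server behind the firewall
        inbound = Packet(origin, False, client_port, SSH)
        outbound = Packet(origin, True, SSH, client_port)
    return [outbound, inbound]

def classify(pkt, rules):
    """rules: list of ("dport" | "sport", port); any match selects SSH_CLASS."""
    for field, port in rules:
        if getattr(pkt, field) == port:
            return SSH_CLASS
    return DEFAULT_CLASS

def outbound_classes(rules):
    """Class given to the outgoing packet of a connection, per origin side."""
    result = {}
    for origin in ("lan", "net"):
        for pkt in flow(origin):
            if pkt.leaving:
                result[origin] = classify(pkt, rules)
    return result

DPORT_ONLY = [("dport", SSH)]                  # what the posted rules match
BOTH_PORTS = [("dport", SSH), ("sport", SSH)]  # also match SOURCE PORT == 22

if __name__ == "__main__":
    print("dport only:", outbound_classes(DPORT_ONLY))
    print("dport + sport:", outbound_classes(BOTH_PORTS))
```

With the destination-port-only rule, outgoing packets of connections opened from the net fall through to class 10; matching the source port as well puts both cases in class 1.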
