On 4/6/11 10:30 AM, Tom Eastep wrote:
> On 4/6/11 2:46 AM, lanas wrote:
>> On Tue, 05 Apr 2011 16:39:05 -0700,
>> Tom Eastep <[email protected]> wrote :
>>
>>> On 4/5/11 4:09 PM, lanas wrote:
>>>
>>>>
>>>> tcrules
>>
>>> #MARK SOURCE DEST PROTO DEST SOURCE
>>> 2 0.0.0.0/0 192.168.2.2 tcp - 80
>>> 3 0.0.0.0/0 192.168.2.2 tcp - 3000
>>
>>> You are marking in the PREROUTING chain; from the generated Netfilter
>>> rules, I can see that MARK_IN_FORWARD_CHAIN=No in shorewall.conf. You
>>> must mark in the FORWARD or POSTROUTING chain because marks set in
>>> PREROUTING are cleared after routing occurs.
>>
>> Thanks. At the moment I have no idea how to specifically mark at any
>> point in the processing chains, but I'll look it up in the complex TC
>> Shorewall info page. I think it has to do with adding a
>> certain :<flag> after the mark.
>
> Easiest way is to set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.

Also, to obtain the 4.0 Shorewall-shell behavior, you can set
FORWARD_CLEAR_MARK=No in shorewall.conf.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
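The chain-selection behaviour discussed in the thread above, as an added example that is not part of the original messages or of Shorewall's own code: it reads shorewall.conf and tcrules text and reports, for forwarded traffic, where each mark is set and whether it survives routing. The `:F`, `:P` and `:T` chain designators come from Shorewall's tcrules documentation, treating an unset FORWARD_CLEAR_MARK as Yes is an assumption, and the function names and the `4:F` sample rule are constructed for illustration.

```python
# Added example: where is each tcrules entry marked, and does the mark
# survive routing? Applies to forwarded traffic, as in the thread.
CHAIN_FLAGS = {"F": "FORWARD", "P": "PREROUTING", "T": "POSTROUTING"}

def parse_conf(text):
    """Parse KEY=value lines from shorewall.conf-style text."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip().strip("\"'")
    return opts

def is_yes(value):
    return value.strip().lower() == "yes"

def audit_marks(conf_text, tcrules_text):
    """Return a (mark, chain, fate) tuple for every rule in tcrules_text."""
    opts = parse_conf(conf_text)
    in_forward = is_yes(opts.get("MARK_IN_FORWARD_CHAIN", "No"))
    default_chain = "FORWARD" if in_forward else "PREROUTING"
    # Assumption: an unset FORWARD_CLEAR_MARK is treated as Yes.
    clears = is_yes(opts.get("FORWARD_CLEAR_MARK", "Yes"))
    report = []
    for raw in tcrules_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue  # blank line, or a comment such as the column header
        mark, _, flag = fields[0].partition(":")
        chain = CHAIN_FLAGS.get(flag.upper(), "UNKNOWN") if flag else default_chain
        if chain == "UNKNOWN":
            fate = "unknown"  # designator this example does not model
        elif chain == "PREROUTING" and clears:
            fate = "cleared"  # per the thread: cleared after routing occurs
        else:
            fate = "kept"
        report.append((mark, chain, fate))
    return report

# Constructed sample input; the two unflagged rules are those quoted above.
SAMPLE_TCRULES = """\
#MARK SOURCE DEST PROTO DEST SOURCE
2 0.0.0.0/0 192.168.2.2 tcp - 80
3 0.0.0.0/0 192.168.2.2 tcp - 3000
4:F 0.0.0.0/0 192.168.2.2 tcp - 22
"""

if __name__ == "__main__":
    for conf in ("MARK_IN_FORWARD_CHAIN=No", "MARK_IN_FORWARD_CHAIN=Yes",
                 "MARK_IN_FORWARD_CHAIN=No\nFORWARD_CLEAR_MARK=No"):
        print(conf.replace("\n", " "), "->", audit_marks(conf, SAMPLE_TCRULES))
```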
