From: Vyatcheslav Perevalov
Organization: Commissioning engineer for control and management systems, РХЗ СХК
To: ALT Linux sysadmin discuss
Date: Wed, 28 May 2008 23:51:21 +0700
Subject: Re: [Sysadmins] iptables -j MARK
Message-Id: <200805282351.21680.vip0@seversk.ru>
References: <200805261736.20887.vip0@seversk.ru>

In a message of 28 May 2008, Andrew Kornilov wrote:
> Oh, excellent. Can you try adding two rules? Something like:
> iptables -A OUTPUT -t mangle -p tcp --dport 123:567 -j MARK --set-mark 123
> iptables -A OUTPUT -t mangle -p tcp --dport 256:890 -j MARK --set-mark 123
> And then do telnet anyhost 345
>
> The point is to telnet to a port that matches the conditions of both
> rules. After that, look at iptables -L -n -v -t mangle: did both
> counters increase, or only the first?

[root@vipnet sysconfig]# cat /etc/sysconfig/iptables|grep mangle
*mangle
[root@vipnet sysconfig]# cat /etc/sysconfig/iptables|grep MARK
-A OUTPUT -p tcp --dport 123:567 -j MARK --set-mark 123
-A OUTPUT -p tcp --dport 256:890 -j MARK --set-mark 123

[vip@vipnet vip]$ telnet seversk.ru 345
Trying 88.204.48.130...
telnet: connect to address 88.204.48.130: Connection refused

[root@vipnet sysconfig]# iptables -L -n -v -t mangle
Chain PREROUTING (policy ACCEPT 1457 packets, 245K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 3063K packets, 1056M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 42M packets, 36G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 373 packets, 40440 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    52 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:123:567 MARK set 0x7b
    1    52 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:256:890 MARK set 0x7b

Chain POSTROUTING (policy ACCEPT 42M packets, 36G bytes)
 pkts bytes target     prot opt in     out     source               destination

-- 
All the best
/vip
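
The counter check requested in the quoted message, as an added shell example that is not part of the original message: it reads iptables -L -n -v -t mangle output and reports whether every MARK rule covering a given port counted packets. The function names and the embedded listing are constructed for illustration, and the handling of single-port dpt:N matches goes beyond the two port ranges used in the thread.

```shell
# Added example, not from the original message.

# Constructed sample in the shape of the mangle listing shown in the message.
sample_listing() {
cat <<'EOF'
Chain OUTPUT (policy ACCEPT 373 packets, 40440 bytes)
 pkts bytes target prot opt in out source destination
    1    52 MARK   tcp  --  *  *   0.0.0.0/0 0.0.0.0/0 tcp dpts:123:567 MARK set 0x7b
    1    52 MARK   tcp  --  *  *   0.0.0.0/0 0.0.0.0/0 tcp dpts:256:890 MARK set 0x7b
Chain POSTROUTING (policy ACCEPT 42M packets, 36G bytes)
 pkts bytes target prot opt in out source destination
EOF
}

# mark_hits CHAIN PORT < listing
# Prints "<low>-<high> <pkts>" for every MARK rule in CHAIN whose tcp
# destination port match (dpt:N or dpts:N:M) covers PORT.
mark_hits() {
    awk -v chain="$1" -v port="$2" '
        $1 == "Chain" { in_chain = ($2 == chain); next }
        in_chain && $3 == "MARK" {
            for (i = 4; i <= NF; i++) {
                if ($i !~ /^dpts?:[0-9]+(:[0-9]+)?$/) continue
                n = split($i, r, ":")
                lo = r[2] + 0; hi = (n == 3 ? r[3] : r[2]) + 0
                if (port + 0 >= lo && port + 0 <= hi) print lo "-" hi, $1
            }
        }'
}

# mark_verdict CHAIN PORT < listing
# "all":        every covering rule counted packets (traversal went past MARK)
# "first-only": only the first covering rule counted packets
# "none":       no covering rule, or no rule counted anything
# "partial":    any other combination
mark_verdict() {
    mark_hits "$1" "$2" | awk '
        { total++; if ($2 != "0") { hit++; if (total == 1) first = 1 } }
        END {
            if (hit == 0) print "none"
            else if (hit == total) print "all"
            else if (hit == 1 && first) print "first-only"
            else print "partial"
        }'
}

sample_listing | mark_verdict OUTPUT 345   # all
```

On a live host, pipe iptables -L -n -v -t mangle into mark_verdict, and zero the chain counters first with iptables -t mangle -Z OUTPUT so they reflect only the test connection.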