Near the end of section 15.10, the following commands are shown for prioritizing SYN packets:

  iptables -t mangle -I PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 0x1
  iptables -t mangle -I PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN

Shouldn't the "-I" option really be "-A"? Like so:

  iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 0x1
  iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN

Won't using "-I" cause these entries to be inserted at the top of the chain, putting the RETURN before the MARK is set? Maybe I'm missing something.
Sean Dwyer
2005-Oct-07 17:42 UTC
Re: Error in "15.10 Example of full nat solution with QoS"?
On Wednesday 05 October 2005 18:30, Sean Dwyer wrote:
> Near the end of section 15.10, the following commands are shown for prioritizing SYN packets:
>
>   iptables -t mangle -I PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 0x1
>   iptables -t mangle -I PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
>
> Shouldn't the "-I" option really be "-A"? Like so:
>
>   iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 0x1
>   iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
>
> Won't using "-I" cause these entries to be inserted at the top of the chain, putting the RETURN
> before the MARK is set? Maybe I'm missing something.

Does anybody who maintains lartc.org read this mailing list?
Andy Furniss
2005-Oct-09 01:02 UTC
Re: Error in "15.10 Example of full nat solution with QoS"?
Sean Dwyer wrote:
> On Wednesday 05 October 2005 18:30, Sean Dwyer wrote:
>
>> Near the end of section 15.10, the following commands are shown for prioritizing SYN packets:
>>
>>   iptables -t mangle -I PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 0x1
>>   iptables -t mangle -I PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
>>
>> Shouldn't the "-I" option really be "-A"? Like so:
>>
>>   iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 0x1
>>   iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
>>
>> Won't using "-I" cause these entries to be inserted at the top of the chain, putting the RETURN
>> before the MARK is set? Maybe I'm missing something.
>
> Does anybody who maintains lartc.org read this mailing list?

I doubt if Bert reads every or maybe any post - I agree about the -I being wrong. The LARTC hasn't been changed for a while but will be someday I guess. There is going to be a wiki soon - there is already a new one for Linux-net http://linux-net.osdl.org/ .

Andy.
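Added example, not part of the original thread or of the LARTC HOWTO: a small shell model of the rule ordering discussed above, showing which mark a SYN packet ends up with for each way of loading the two rules. The function names are hypothetical, the chain is assumed to start empty, and both rules are assumed to match the packet; the third variant goes beyond the thread by using the optional rule number that `iptables -I` accepts.

```sh
#!/bin/sh
# Constructed model of one iptables chain: a space-separated list of
# targets, top of the chain first. No real iptables call is made.
CHAIN=""

# rule_insert TARGET [POS] models "iptables -I CHAIN [rulenum] ...".
# As in iptables, the position defaults to 1 (top of the chain).
rule_insert() {
    target=$1; pos=${2:-1}; new=""; i=1
    for t in $CHAIN; do
        if [ "$i" -eq "$pos" ]; then new="$new $target"; fi
        new="$new $t"; i=$((i + 1))
    done
    if [ "$pos" -ge "$i" ]; then new="$new $target"; fi
    CHAIN=${new# }
}

# rule_append TARGET models "iptables -A CHAIN ...".
rule_append() { CHAIN="${CHAIN:+$CHAIN }$1"; }

# traverse walks the chain for one SYN packet and prints its final mark.
traverse() {
    mark=0x0
    for t in $CHAIN; do
        case $t in
            MARK)   mark=0x1 ;;   # MARK is non-terminating: traversal continues
            RETURN) break ;;      # RETURN stops traversal of this chain
        esac
    done
    echo "$mark"
}

# The three ways of loading the MARK rule followed by the RETURN rule.
as_posted()    { CHAIN=""; rule_insert MARK;   rule_insert RETURN;   traverse; }
with_append()  { CHAIN=""; rule_append MARK;   rule_append RETURN;   traverse; }
with_rulenum() { CHAIN=""; rule_insert MARK 1; rule_insert RETURN 2; traverse; }

for variant in as_posted with_append with_rulenum; do
    $variant >/dev/null          # run in this shell so CHAIN stays visible
    printf '%-13s chain=[%s] mark=%s\n' "$variant" "$CHAIN" "$(traverse)"
done
```

On a real host, `iptables -t mangle -L PREROUTING -n --line-numbers` shows the order that was actually loaded.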