Displaying 20 results from an estimated 904 matches for "postrouting".
2003 Nov 13
1
HTB traffic shaping + squid cache proxy
...except HTTP, MAIL, ICQ, IRC, SSH, etc.
-------------------------------------------------------------------------
#!/bin/bash
TC=/sbin/tc
IPTABLES=/usr/sbin/iptables
$TC qdisc del dev eth0 root 2> /dev/null > /dev/null
$TC qdisc del dev ppp0 root 2> /dev/null > /dev/null
$IPTABLES -F POSTROUTING -t mangle
$TC qdisc add dev eth0 root handle 1: htb default 50 r2q 2
$TC class add dev eth0 parent 1: classid 1:2 htb rate 248Kbit burst 35k
$TC class add dev eth0 parent 1:2 classid 1:10 htb rate 220Kbit ceil 240Kbit burst 25k prio 0
$TC class add dev eth0 parent 1:2 classid 1:30 htb rate 28Kb...
2005 Jan 08
2
script
...orates with htb (squid uses 3128).
Here is my script:
#!/bin/bash
TC=/sbin/tc
IPTABLES=/sbin/iptables
$TC qdisc del dev eth0 root 2> /dev/null > /dev/null
$TC qdisc del dev eth1 root 2> /dev/null > /dev/null
$TC qdisc del dev eth1 ingress 2> /dev/null > /dev/null
$IPTABLES -F POSTROUTING -t mangle
$TC qdisc add dev eth0 root handle 1: htb default 50 r2q 2
$TC class add dev eth0 parent 1: classid 1:2 htb rate 248Kbit burst 35k
$TC class add dev eth0 parent 1:2 classid 1:10 htb rate 220Kbit ceil 240Kbit burst 25k prio 0
$TC class add dev eth0 parent 1:2 classid 1:30 htb rate 28K...
2005 Jan 30
5
simple questions about imq
...th1)-/ \- Local net2 (eth3)
I think it can be done this way:
iptables -t mangle -A PREROUTING -i eth0 -j IMQ --todev 0
iptables -t mangle -A PREROUTING -i eth1 -j IMQ --todev 0
But it would include traffic heading to the gateway directly, wouldn't
it? Can I put these rules in the POSTROUTING chain?
And I can still have my CLASSIFY targets in the POSTROUTING chain,
because IMQ queuing will happen after it according to
http://lartc.org/howto/lartc.imq.html.
So for example:
$IPTABLES -t mangle -A POSTROUTING -o $eth2 ... -j CLASSIFY --set-class 1:30
$IPTABLES -t mangle -A POSTROUTING -o...
2005 Nov 24
1
ftp connmark
I saw this snippet from
Daniel Chemko dchemko@smgtec.com
Mon, 31 May 2004 09:30:43 -0700
# Egress marking (mostly for QOS operations)
iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A POSTROUTING -o ${if_inet} -p tcp --dport 21 -j MARK --set-mark 0x111
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
I want to mark many packets, including FTP.
So above these line...
2010 Sep 06
1
Bug#571634: bridge loosing connection
...is my logs:
Sep 6 09:47:14 elise kernel: [71970.564974] br1: port 2(vif1.1)
entering disabled state
Sep 6 09:47:14 elise kernel: [71970.578040] br1: port 2(vif1.1)
entering disabled state
Sep 6 09:47:14 elise kernel: [71970.718785] physdev match: using
--physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for
non-bridged traffic is not supported anymore.
Sep 6 09:47:14 elise kernel: [71970.718797] physdev match: using
--physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for
non-bridged traffic is not supported anymore.
Sep 6 09:47:14 elise kernel: [71970.718803] physdev match: usi...
2007 May 09
10
Load balancing using connmark
...s=122 bytes=29381 src=89.139.122.12
dst=82.123.136.74 sport=443 dport=2361 packets=139 bytes=14120 [ASSURED]
mark=2 use=1
This is quite odd since the solution proposed at [1] looks good. I'll cite
it here for clarity (suppose I already have all the ip rule stuff
installed):
iptables -t mangle -A POSTROUTING -m mark --mark ! 0 -j ACCEPT
iptables -t mangle -A POSTROUTING -o eth1 -j MARK --set-mark 0x1
iptables -t mangle -A POSTROUTING -o eth2 -j MARK --set-mark 0x2
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
After giving a try...
2012 Jun 03
1
need to load uhci_hcd with acpi=off
..._CT_ACCT is deprecated and will be removed soon.
Please use
[ 50.457687] nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack
module option or
[ 50.457688] sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
[ 50.488368] physdev match: using --physdev-out in the OUTPUT, FORWARD
and POSTROUTING chains for non-bridged traffic is not supported anymore.
[ 50.499377] physdev match: using --physdev-out in the OUTPUT, FORWARD
and POSTROUTING chains for non-bridged traffic is not supported anymore.
[ 50.501009] physdev match: using --physdev-out in the OUTPUT, FORWARD
and POSTROUTING chain...
2004 Nov 03
0
Download ratio unstable
...arent 2:2 handle 20: sfq perturb 20
tc qdisc add dev $LOCALIF parent 2:3 handle 30: sfq perturb 20
tc qdisc add dev $LOCALIF parent 2:4 handle 40: tbf rate $(($RATE-40))kbit burst 1600 limit 3000
}
create_filters() {
# Match SYN and RST packets
iptables -t mangle -A POSTROUTING -o $LOCALIF -p tcp -m tcp --tcp-flags ! SYN,RST,ACK ACK -j CLASSIFY --set-class 2:1
# Match ACK packets
iptables -t mangle -A POSTROUTING -o $LOCALIF -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length :128 -m tos ! --tos Normal-Service -j CLASSIFY --set-class 2:1...
2005 Dec 22
5
control p2p upload bandwidth rate
Hi all,
I am running Slackware 10.1 with kernel 2.6.14.3, which includes iptables 1.3.4
with layer 7.
My network diagram is below:
INTERNET --- LINUX_ROUTER_FW --- PCs
Below is my simple iptables script:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t mangle -A POSTROUTING -m layer7 --l7proto applejuice -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -m layer7 --l7proto ares -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -m layer7 --l7proto bittorrent -j MARK --set-mark 1
iptables -t mangle -A...
2006 Oct 06
12
Two outbound internet links, using one network interface
...rence is that I am trying to use just one external network interface,
which is connected through a hub/switch to both of the ISP links. I
add two different IPs to this interface, corresponding to each provider's
network. Then the masquerading is done with a rule like this:
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
instead of:
# iptables -t nat -A POSTROUTING -o eth4 -j SNAT --to-source 67.17.28.12
# iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 205.254.211.179
For the traffic that is generated in the LAN behind the box, it works,
but for the traffic that is generated...
2006 Nov 12
1
Script for get bandwidth statistic from iptable
...ch number of packets and total bytes in each application protocol by using IPTABLES + netfilter-layer7,
but I don't know which script to use to get it into a log file and to use the data afterwards for plotting a graph later.
My IPTABLES commands are like this:
iptables -t mangle -N all
iptables -t mangle -A POSTROUTING -j all
iptables -t mangle -A POSTROUTING -p udp --sport 4444 -j CLASSIFY --set-class 1:11
iptables -t mangle -A POSTROUTING -m layer7 --l7proto mms -j CLASSIFY --set-class 1:12
iptables -t mangle -A POSTROUTING -m layer7 --l7proto telnet -j CLASSIFY --set-class 1:13
iptables -t mangle -A POSTRO...
2010 May 04
1
Fwd: Strange network problem
...gs:
device vif1.0 entered promiscuous mode
alloc irq_desc for 1246 on node 0
alloc kstat_irqs on node 0
brI: port 2(vif1.0) entering learning state
device vif1.1 entered promiscuous mode
brE: port 2(vif1.1) entering learning state
physdev match: using --physdev-out in the OUTPUT, FORWARD and
POSTROUTING chains for non-bridged traffic is not supported anymore.
physdev match: using --physdev-out in the OUTPUT, FORWARD and
POSTROUTING chains for non-bridged traffic is not supported anymore.
physdev match: using --physdev-out in the OUTPUT, FORWARD and
POSTROUTING chains for non-bridged traffic is n...
2019 Jun 28
2
UDP broadcasts vs. nat Masquerading issue
...stand what is going on
and what is wrong with it.
This could also be related somewhat to
https://www.redhat.com/archives/libvir-list/2013-September/msg01311.html
but I suppose it is not exactly that thing.
I've already figured out that the source of the trouble is related to these
added rules:
-A POSTROUTING -o br0 -j MASQUERADE
-A POSTROUTING -o enp0s25 -j MASQUERADE
-A POSTROUTING -o virbr2_nic -j MASQUERADE
-A POSTROUTING -o vnet0 -j MASQUERADE
Here, virbr2_nic and vnet0 are used by libvirt for arranging network
configurations for VMs, ok. However, br0 is a main interface of this
host with primar...
2018 May 03
5
[Bug 1255] New: nftables SNAT is not working
...(tried v. 0.8, 0.8.2)
4. chains and NAT are created according to official nftables wiki
https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT):
% nft add table nat
% nft add chain nat prerouting { type nat hook prerouting priority 0 \; }
% nft add chain nat postrouting { type nat hook postrouting priority 100 \; }
By this set-up, dnat functions as expected, e.g.:
% nft add rule nat prerouting tcp dport 15000 dnat 192.168.0.50:20000
redirects all incoming TCP packets from port 15000 to 192.168.0.50:20000 and
back.
However, no snat rule is processed (neither r...
2005 Aug 08
7
Loadbalancing and failover using TC and Iptables
...y.y.10 proto static table
202
ip route append prohibit default table 202 metric 1 proto static
#table 222
ip rule add prio 222 table 222
ip route add default equalize table 222 proto static nexthop via x.x.x.233 dev eth1 nexthop via y.y.y.9 dev eth0
#essential masquerade option
iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -j MASQUERADE
Above is my setup.
When I try to traceroute to yahoo.com
I am able to see the traffic going to both interfaces.. so far it works fine.
When I connected to eth2 (eth2 of the linux box is configured with IP 192.168.3.2) with
my laptop
using IP 192.168.3.1 and gateway 192.168.3.2 ( lin...
2005 Jan 26
0
Controlling Outbound traffic...alternative to dsl_qos_queue
...rites with iptables
using MARKed packets.. works very well. I run an ftp server + web server so
it's useful to set these 2 with the lowest priority and my multiplayer gaming
running on certain UDP ports with the highest priority.
The problem now is that dsl_qos_queue adds a QUEUE target to the
POSTROUTING chain for reading the MARKed packets, and I recently added a
-j ROUTE target for my load balancing configuration to this chain:
/sbin/iptables -A POSTROUTING -o ppp+ -t mangle -m owner --cmd-owner pure-ftpd -m nth --every 9 --packet 0 -j ROUTE --oif ppp1
/sbin/iptables -A POSTROUTING -o ppp+ -t m...
2005 Jan 26
10
Ssh flow does not go into correct class. Help!
I'm a newcomer. I have problems using tc+htb. I run the following commands and expect the outgoing ssh flow to go into 1:11. But actually it goes into the default 12. What's wrong?
tc qdisc add dev eth0 root handle 1: htb default 12
tc class add dev eth0 parent 1: classid 1:1 htb rate 1000kbit ceil 2000kbit prio 1
tc class add dev eth0 parent 1:1 classid 1:11 htb rate 100kbit ceil
2005 May 24
6
Problem with marking packets...
Hello everyone...
I have a little trouble and need some help :P
How can I check on which interface the packet is going out (eth0, eth1; I
have two ISPs and a little LAN on eth3), using TC and IMQ to check it? (HTB
script)
I tried to mark packets, but in the POSTROUTING chain this does not work...
Maybe because packets fall into IMQ before marking.
I tried marking them in FORWARD but the packets also didn't hit their class.
PREROUTING is working(!), but with this I can only queue download traffic.
The problem is very essential. I need to distinguish on which interface...
2005 Feb 14
6
NAT over 2 providers (not load balance)
...d to the LAN having the IP=LAN_IP
eth1 is connected to the first ISP having IP=ISP_IP_1 and GW=ISP_GW_1
eth2 is connected to the second ISP having IP=ISP_IP_2 and GW=ISP_GW_2
I need to selectively SNAT clients in the LAN to ISP_IP_1 or ISP_IP_2.
That would be something like:
$IPTABLES -t nat -A POSTROUTING -s 172.17.31.5 -j SNAT --to-source $ISP_IP_1
$IPTABLES -t nat -A POSTROUTING -s 172.17.31.7 -j SNAT --to-source $ISP_IP_2
This does not work since all the packets are forwarded to the default GW
which is ISP_GW_1.
How can I change this?
As far as I remember, the routing decisions and policy are...
2004 Sep 04
4
masquerade and mac problem
...:c0:df:f7:7c:3b -j ACCEPT
$ipt -A computer2 -m mac --mac-source 00:06:4f:0f:3b:c1 -j ACCEPT
$ipt -A computer3 -m mac --mac-source 00:0c:6e:90:39:6a -j ACCEPT
$ipt -A computer4 -m mac --mac-source 00:90:27:5f:5e:78 -j ACCEPT
$ipt -A computer5 -m mac --mac-source 00:90:27:9b:3c:a2 -j ACCEPT
$ipt -A POSTROUTING -t nat -s 192.168.10.2 -j MASQUERADE
$ipt -A POSTROUTING -t nat -s 192.168.10.3 -j MASQUERADE
$ipt -A POSTROUTING -t nat -s 192.168.10.4 -j MASQUERADE
$ipt -A POSTROUTING -t nat -s 192.168.10.5 -j MASQUERADE
$ipt -A POSTROUTING -t nat -s 192.168.10.6 -j MASQUERADE
#$ipt -P FORWARD DROP
-----------...