Problem with mangle

rado3105 · Sun Sep 04, 2011 4:41 pm

Hi, I use this rule to mark p2p-downloaders and put them in address list:
1.rule

3   chain=forward action=add-dst-to-address-list p2p=all-p2p 
     address-list=p2p-downloaders address-list-timeout=2h in-interface=ether1

those rules should catch all traffic from udp(marked as p2p-downloaders) between ports 10000-65535, but it doesnt and part of that ports passtrough to 3. rule
2.rules group

 chain=prerouting action=mark-connection new-connection-mark=p2p_conn passthrough=yes p2p=all-p2p 
     in-interface=ether1 
     chain=prerouting action=mark-packet new-packet-mark=p2p_down passthrough=no connection-mark=p2p_conn 
     chain=prerouting action=mark-packet new-packet-mark=p2p_down passthrough=no layer7-protocol=bittorrent 
     in-interface=ether1 
     chain=prerouting action=mark-packet new-packet-mark=p2p_down passthrough=no layer7-protocol=ares in-interface=ether1
     chain=forward action=mark-connection new-connection-mark=p2p-conn passthrough=yes protocol=udp 
     dst-address-list=p2p-downloaders in-interface=ether1 src-port=10000-65535 
     chain=prerouting action=mark-packet new-packet-mark=p2p_down passthrough=no in-interface=ether1 
     connection-mark=p2p-down-conn

3.rule

chain=prerouting action=mark-packet new-packet-mark=udp_other_rx passthrough=no protocol=udp in-interface=ether1

4. rule:

chain=prerouting action=mark-packet new-packet-mark=internet_other_rx passthrough=no 
     connection-mark=internet_other_rx_conn

rules: 1., 2., 3., 4. are for ingoing traffic, ether1 is internet port.

5. rules group:

chain=postrouting action=mark-packet new-packet-mark=p2p_up passthrough=no p2p=all-p2p out-interface=ether1 
      chain=postrouting action=mark-packet new-packet-mark=p2p_up passthrough=no layer7-protocol=bittorrent 
      out-interface=ether1 
      chain=postrouting action=mark-packet new-packet-mark=p2p_up passthrough=no layer7-protocol=ares out-interface=ether1
      chain=postrouting action=mark-connection new-connection-mark=p2p-up-conn passthrough=yes protocol=udp 
      src-address-list=p2p-downloaders out-interface=ether1 dst-port=10000-65535 
      chain=postrouting action=mark-packet new-packet-mark=p2p_up passthrough=no out-interface=ether1 
      connection-mark=p2p-up-conn

5. rule:

chain=postrouting action=mark-connection new-connection-mark=p2p-up-tcp-conn passthrough=yes protocol=tcp 
     out-interface=ether1 dst-port=10000-65535 
    chain=postrouting action=mark-packet new-packet-mark=p2p_up passthrough=no src-address-list=p2p-downloaders 
     out-interface=ether1 connection-mark=p2p-up-tcp-conn

Also when I enable 5. rule, there is some problem with second rules group when I enable 5. rule, all traffic starts to mark no in group 3. but in 4. rule.

Chupaka · Mon Sep 05, 2011 12:28 pm

Problem with mangle

Problem with mangle

Re: Problem with mangle

Who is online