trouble marking UP & DOWN traffic

Hi.

I'm having trouble marking my traffic on a router that is connected to the internet.

I have a LAN and a WAN interface, and I can't mangle download traffic. Here is my setup:

 0   chain=prerouting src-address-list=twi dst-address-list=!twi 
     action=mark-connection new-connection-mark=UPLOAD passthrough=yes 

 1   chain=prerouting connection-mark=UPLOAD src-address-list=twi 
     dst-address-list=!twi action=mark-packet new-packet-mark=UPLOAD_P 
     passthrough=yes 

 2   chain=prerouting src-address-list=!twi dst-address-list=twi 
     action=mark-connection new-connection-mark=DOWNLOAD passthrough=yes 

 3   chain=prerouting connection-mark=DOWNLOAD src-address-list=!twi 
     dst-address-list=twi action=mark-packet new-packet-mark=DOWNLOAD_P 
     passthrough=yes

Only UPLOAD traffic is counted.
What am I doing wrong?

titius -
rule 3

chain=prerouting connection-mark=DOWNLOAD src-address-list=!twi
dst-address-list=twi action=mark-packet new-packet-mark=DOWNLOAD_P
passthrough=yes


should read: chain=prerouting connection-mark=DOWNLOAD action=mark-packet new-packet-mark=DOWNLOAD_P passthrough=yes

You already specified in rule 2 your address requirements… Also - do you have addresses in your TWI list?

Also, in the case of what you are doing… I don't usually specify the src address (rule 2); I would specify the incoming interface instead… much 'cleaner' that way.

Yes, but then the counters do not match :frowning:.

I tried with in/out interface and without the connection list, but it doesn't work. I mean it counts something, but the connection mark counter and the packet mark counter are not counting equally.

I solved download marking with the POSTROUTING chain.

But I still don't understand how it works :frowning:.

titius -
Ok - the best way to solve this issue is: what is it you are actually trying to achieve here?

Traffic control, multiple gateways, tracking users, bandwidth counters, what?

To mark traffic, monitor by ports, and QoS.

titius -
This is the type of marking I do in Mangle… This marks the particular type of traffic. This is not all of the rules; this is just a sample to see if this is what you are looking for… After the traffic is marked, then you can do other things to it… I am not sure how fine you want your control to be.

I tried with in/out interface and without the connection list, but it doesn't work. I mean it counts something, but the connection mark counter and the packet mark counter are not counting equally

You are probably never going to get the counters to count exactly equal. There will always be connections that get dropped, probes, scans, all kinds of things.


add chain=prerouting protocol=tcp connection-state=new action=jump jump-target=tcp-services
add chain=prerouting protocol=udp connection-state=new action=jump jump-target=udp-services
add chain=prerouting connection-state=new action=jump jump-target=other-services

add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=20-21 action=mark-connection new-connection-mark=ftp passthrough=no
add chain=tcp-services protocol=tcp src-port=513-65535 dst-port=22 action=mark-connection new-connection-mark=ssh passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=23 action=mark-connection new-connection-mark=telnet passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=25 action=mark-connection new-connection-mark=smtp passthrough=no
add chain=tcp-services protocol=tcp src-port=53 dst-port=53 action=mark-connection new-connection-mark=dns passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=53 action=mark-connection new-connection-mark=dns passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=80 action=mark-connection new-connection-mark=http passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=110 action=mark-connection new-connection-mark=pop3 passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=113 action=mark-connection new-connection-mark=auth passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=119 action=mark-connection new-connection-mark=nntp passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=143 action=mark-connection new-connection-mark=imap passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=161-162 action=mark-connection new-connection-mark=snmp passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=443 action=mark-connection new-connection-mark=https passthrough=no
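As an added example (not titius's rules and not the original post's setup), the block below fills in the udp-services and other-services chains that the sample jumps to, turns the per-service connection marks into per-direction packet marks using only connection-mark plus in-interface (the point made about rule 3 above), and hangs queue trees off those packet marks. The interface names ether1 (WAN) and bridge-lan (LAN), the UDP/ICMP port choices and the bandwidth figures are assumptions; change them to match your router.

```routeros
# Assumes the tcp-services chain above already exists, WAN = ether1, LAN = bridge-lan.
/ip firewall mangle
# Chains the sample jumps to but does not show (assumed contents, first packet of a connection only)
add chain=udp-services protocol=udp dst-port=53 action=mark-connection \
    new-connection-mark=dns passthrough=no
add chain=udp-services protocol=udp dst-port=123 action=mark-connection \
    new-connection-mark=ntp passthrough=no
add chain=udp-services action=mark-connection new-connection-mark=other-udp passthrough=no
add chain=other-services protocol=icmp action=mark-connection \
    new-connection-mark=icmp passthrough=no
add chain=other-services action=mark-connection new-connection-mark=other passthrough=no

# Every packet of a marked connection (both directions) carries the connection mark,
# so the packet mark only needs connection-mark plus the interface the packet came in on.
# No src/dst address matching here: that was already decided when the connection was marked.
add chain=forward connection-mark=http in-interface=bridge-lan action=mark-packet \
    new-packet-mark=http-up passthrough=no
add chain=forward connection-mark=http in-interface=ether1 action=mark-packet \
    new-packet-mark=http-down passthrough=no
add chain=forward connection-mark=https in-interface=bridge-lan action=mark-packet \
    new-packet-mark=https-up passthrough=no
add chain=forward connection-mark=https in-interface=ether1 action=mark-packet \
    new-packet-mark=https-down passthrough=no
add chain=forward connection-mark=dns action=mark-packet new-packet-mark=dns passthrough=no

# Download queues sit on the LAN interface (packets leaving towards the LAN),
# upload queues on the WAN interface. Limits are placeholders.
/queue tree
add name=down parent=bridge-lan max-limit=20M
add name=down-http parent=down packet-mark=http-down priority=4 max-limit=20M
add name=down-https parent=down packet-mark=https-down priority=4 max-limit=20M
add name=down-dns parent=down packet-mark=dns priority=1 max-limit=1M
add name=up parent=ether1 max-limit=5M
add name=up-http parent=up packet-mark=http-up priority=4 max-limit=5M
add name=up-https parent=up packet-mark=https-up priority=4 max-limit=5M
add name=up-dns parent=up packet-mark=dns priority=1 max-limit=1M
```

Per-port byte and packet counts come straight from the rule counters (`/ip firewall mangle print stats`); the mark-connection counters count connections (first packet only), while the mark-packet counters count every packet, so the two are not expected to match.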
