
Re: tor bandwith ratio

On Fri, Oct 13, 2006 at 02:45:39PM +0200, gabrix wrote:
> I have this in my iptables script:
> ># TOR
> >iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 9090 -j MARK --set-mark 2
> >iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 9090 -j RETURN
> >iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 9091 -j MARK --set-mark 2
> >iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 9091 -j RETURN
> as 2 tor has a high priority, now is on 5.

Uhhh... What is that supposed to do? I only see that you mark the traffic,
then immediately leave the chain.

Only marking them doesn't do anything. You usually mark the traffic if you
want to handle it differently later, either with the mark-match inside
iptables again, via the fwmark-option in iproute2 or tc.

> Another question is: if I announce port 110 and redirect traffic to
> 9090, which port shall I consider as priority in the above iptables?
> Silly question, isn't it?

If you're going to redirect the traffic you won't achieve anything - you need
to consider the way the packets traverse through the individual chains inside
the Netfilter framework.

1) Packet enters machine
2) Packet enters mangle-table, PREROUTING chain (you may MARK here)
3) Packet enters nat-table, PREROUTING chain (DNAT/redirection happens here)
4) Packet enters Linux routing-code (tc and iproute2 use fwmark here) (*)
5) Packet enters filter-table, FORWARD chain (usual filtering-rules)
6) Packet enters mangle-table, POSTROUTING chain (do some stuff)
7) Packet enters nat-table, POSTROUTING chain (SNAT and MASQUERADE)

Coming back to your question: Since redirecting happens in step 3 you already
missed the point where the packet got marked. Therefore: No, that won't
happen. You'd need to mark the packet in the PREROUTING chain of the
mangle-table onto port 110, and THEN redirecting it.
That's the way it works with the Netfilter stuff.

Where and how are you actually accessing the packets you've marked with MARK?

I repeat: Only MARKing does nothing. It just puts a label on the packet to
identify the packets in other parts of the kernel. 


(*) I'm not sure where tc integrates itself; but I think that happens in the
routing-code. Please correct me if I'm wrong. However, that doesn't help you
with your MARK and DNAT problem.

"I am tired of all this sort of thing called science here... We have spent
millions in that sort of thing for the last few years, and it is time it
should be stopped."
 -- Simon Cameron, U.S. Senator, on the Smithsonian Institute, 1901. 

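The following script is an added example, not part of the original message or of Tor; it puts the reply's advice together in working order: mark on the announced port (110) in the mangle PREROUTING chain, REDIRECT to the ORPort in the nat PREROUTING chain afterwards, and then actually consume the mark with a tc "fw" filter that steers marked packets into a high-priority HTB class. It assumes an interface eth0, a 1000kbit link, ORPort 9090, announced port 110, mark value 2 and the class IDs used below (none of these numbers are in the original thread except 110, 9090 and the mark 2). It also goes one step beyond the message: because a MARK set in PREROUTING only lives on the incoming packet, CONNMARK is used to save it on the connection and restore it in the mangle OUTPUT chain, so the relay's own replies carry the mark when they reach the egress qdisc.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumptions: eth0, 1000kbit,
# ORPort 9090, announced port 110, fwmark 2, HTB classes 1:10 (Tor) and 1:20.
set -e
IFACE=${IFACE:-eth0}
ANNOUNCED=${ANNOUNCED:-110}
ORPORT=${ORPORT:-9090}
MARK=${MARK:-2}

# With DRY_RUN set, print each command instead of running it (no root needed).
run() {
  if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

tor_rules() {
  # mangle/PREROUTING runs before nat/PREROUTING, so the packet still has
  # the announced destination port here: match 110, not 9090.
  run iptables -t mangle -A PREROUTING -p tcp --dport "$ANNOUNCED" -j MARK --set-mark "$MARK"
  # Copy the packet mark onto the conntrack entry so replies can inherit it.
  run iptables -t mangle -A PREROUTING -m mark --mark "$MARK" -j CONNMARK --save-mark
  # nat/PREROUTING: now redirect to the port Tor really listens on.
  run iptables -t nat -A PREROUTING -p tcp --dport "$ANNOUNCED" -j REDIRECT --to-ports "$ORPORT"
  # Locally generated replies pass mangle/OUTPUT; put the connection mark
  # back on each packet so the egress qdisc on eth0 can see it.
  run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
  # Consume the mark: HTB root, a guaranteed class for Tor, default for the rest,
  # and a "fw" filter that classifies by fwmark == 2.
  run tc qdisc add dev "$IFACE" root handle 1: htb default 20
  run tc class add dev "$IFACE" parent 1: classid 1:1 htb rate 1000kbit
  run tc class add dev "$IFACE" parent 1:1 classid 1:10 htb rate 600kbit ceil 1000kbit prio 1
  run tc class add dev "$IFACE" parent 1:1 classid 1:20 htb rate 400kbit ceil 1000kbit prio 2
  run tc filter add dev "$IFACE" parent 1: protocol ip prio 1 handle "$MARK" fw flowid 1:10
}

# Guard against the ordering mistake from the thread: the mangle MARK rule on
# the announced port must come before the nat REDIRECT rule. Returns 0 if so.
check_order() {
  out=$(DRY_RUN=1; tor_rules)
  mark_line=$(printf '%s\n' "$out" | grep -n -- '-t mangle -A PREROUTING .* -j MARK' | cut -d: -f1 | head -n1)
  redir_line=$(printf '%s\n' "$out" | grep -n -- '-t nat -A PREROUTING .* -j REDIRECT' | cut -d: -f1 | head -n1)
  [ -n "$mark_line" ] && [ -n "$redir_line" ] && [ "$mark_line" -lt "$redir_line" ]
}

# Without --apply, only print the rules; with --apply, install them (root).
[ "${1:-}" = "--apply" ] || DRY_RUN=1
tor_rules
```

Run it without arguments to review the generated rules, then with `--apply` as root. The split into "mark on 110 in mangle, redirect in nat" is the whole point of the reply; the CONNMARK pair is what makes the mark useful for shaping the relay's outbound traffic, since tc's fw filter only sees marks on packets leaving the interface.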