William Bohannan
2007-10-30 09:16:29 UTC
Hi
Having a problem trying to figure out how to shape local services
running on the Debian box (asterisk, squid etc.), as currently the voice
only seems to be getting shaped one way when making external calls. For
example, I have the rules below (these are the matching rules only, not
the actual policy rules):
#Create Chain for local traffic (outbound)
#(-m physdev --physdev-in matches on the bridge port the frame was received on)
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth0 -s 193.xxx.xxx.66 -d 193.xxx.xxx.69 -j MARK --set-mark 0x44444445
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth0 -s 193.xxx.xxx.66 -d 193.xxx.xxx.69 -j RETURN
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth0 -s 193.xxx.xxx.69 -d 193.xxx.xxx.66 -j MARK --set-mark 0x44444445
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth0 -s 193.xxx.xxx.69 -d 193.xxx.xxx.66 -j RETURN
#Create Chain for all remaining traffic (outbound)
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth0 -j MARK --set-mark 0x44444446
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth0 -j RETURN
#Phones match (outbound)
#(multiport --port 4569 matches IAX2 on either the source or the destination port)
/sbin/iptables -t mangle -A match-chain-eth1-1:11 -p tcp -m multiport --port 4569 -j CLASSIFY --set-class 1:1006
/sbin/iptables -t mangle -A match-chain-eth1-1:11 -p tcp -m multiport --port 4569 -j RETURN
/sbin/iptables -t mangle -A match-chain-eth1-1:11 -p udp -m multiport --port 4569 -j CLASSIFY --set-class 1:1006
/sbin/iptables -t mangle -A match-chain-eth1-1:11 -p udp -m multiport --port 4569 -j RETURN
#Create Chain for local traffic (inbound)
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth1 -s 193.xxx.xxx.66 -d 193.xxx.xxx.69 -j MARK --set-mark 0x44444447
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth1 -s 193.xxx.xxx.66 -d 193.xxx.xxx.69 -j RETURN
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth1 -s 193.xxx.xxx.69 -d 193.xxx.xxx.66 -j MARK --set-mark 0x44444447
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth1 -s 193.xxx.xxx.69 -d 193.xxx.xxx.66 -j RETURN
#Create Chain for all remaining traffic (inbound)
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth1 -j MARK --set-mark 0x44444448
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth1 -j RETURN
#Phones match (inbound)
/sbin/iptables -t mangle -A match-chain-eth0-1:12 -p tcp -m multiport --port 4569 -j CLASSIFY --set-class 1:2008
/sbin/iptables -t mangle -A match-chain-eth0-1:12 -p tcp -m multiport --port 4569 -j RETURN
/sbin/iptables -t mangle -A match-chain-eth0-1:12 -p udp -m multiport --port 4569 -j CLASSIFY --set-class 1:2008
/sbin/iptables -t mangle -A match-chain-eth0-1:12 -p udp -m multiport --port 4569 -j RETURN
Kind Regards
William Bohannan
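The following is an added illustration of how the posted match-all chain behaves; it is not code from the original post or from the shaping tool that generated these chains. It models only two iptables facts: a -m physdev --physdev-in rule matches solely on the bridge port a frame was received on, so a packet generated by a process on the box itself (asterisk, squid) has no receiving port and never matches; and -j MARK is non-terminating while -j RETURN leaves the chain. The two hosts are the .66 and .69 addresses from the post; which one is the Debian box is not stated, so the "locally generated" packet below assumes .66 is the box, and the result does not depend on that choice. The packets are constructed sample input.

```python
"""Walk the posted 'match-all' mangle chain for constructed packets.

Added illustration, not code from the original post. Only the match
semantics the chain relies on are modelled (physdev-in, -s, -d, MARK,
RETURN); the tool's per-class chains and tc policy are not reproduced.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    # Bridge port the frame came in on; None for a packet generated on the box.
    physdev_in: Optional[str]


@dataclass
class Rule:
    target: str                        # "MARK" or "RETURN"
    physdev_in: Optional[str] = None   # -m physdev --physdev-in DEV
    src: Optional[str] = None          # -s
    dst: Optional[str] = None          # -d
    mark: Optional[int] = None         # --set-mark for MARK rules

    def matches(self, p: Packet) -> bool:
        # Every stated match must hold. physdev-in compares against the port
        # the frame arrived on, so it can never hold when that port is None.
        if self.physdev_in is not None and p.physdev_in != self.physdev_in:
            return False
        if self.src is not None and p.src != self.src:
            return False
        if self.dst is not None and p.dst != self.dst:
            return False
        return True


def walk_chain(chain: List[Rule], p: Packet) -> Optional[int]:
    """Return the mark the packet carries when it leaves the chain, or None."""
    mark = None
    for rule in chain:
        if not rule.matches(p):
            continue
        if rule.target == "MARK":
            mark = rule.mark           # MARK does not stop processing
        elif rule.target == "RETURN":
            break                      # RETURN ends this chain
    return mark


HOST_A, HOST_B = "193.xxx.xxx.66", "193.xxx.xxx.69"   # the two hosts in the post

# The posted match-all chain, in the posted order.
MATCH_ALL = [
    # local traffic (outbound): bridged in via eth0
    Rule("MARK", "eth0", HOST_A, HOST_B, 0x44444445), Rule("RETURN", "eth0", HOST_A, HOST_B),
    Rule("MARK", "eth0", HOST_B, HOST_A, 0x44444445), Rule("RETURN", "eth0", HOST_B, HOST_A),
    # all remaining traffic (outbound)
    Rule("MARK", "eth0", mark=0x44444446), Rule("RETURN", "eth0"),
    # local traffic (inbound): bridged in via eth1
    Rule("MARK", "eth1", HOST_A, HOST_B, 0x44444447), Rule("RETURN", "eth1", HOST_A, HOST_B),
    Rule("MARK", "eth1", HOST_B, HOST_A, 0x44444447), Rule("RETURN", "eth1", HOST_B, HOST_A),
    # all remaining traffic (inbound)
    Rule("MARK", "eth1", mark=0x44444448), Rule("RETURN", "eth1"),
]

# Constructed sample packets.
BRIDGED_B_TO_A = Packet(HOST_B, HOST_A, physdev_in="eth0")      # forwarded through the bridge
BRIDGED_OTHER = Packet("10.0.0.5", "198.51.100.7", physdev_in="eth1")
LOCAL_A_TO_B = Packet(HOST_A, HOST_B, physdev_in=None)          # assumed: generated by asterisk on the box


if __name__ == "__main__":
    for name, pkt in [("bridged B->A", BRIDGED_B_TO_A),
                      ("bridged other", BRIDGED_OTHER),
                      ("local A->B", LOCAL_A_TO_B)]:
        mark = walk_chain(MATCH_ALL, pkt)
        print(f"{name:14s} mark={'none' if mark is None else hex(mark)}")
```

The bridged packets pick up the expected marks, while the locally generated one leaves match-all with no mark at all, because no rule in the chain can match a packet that has no physdev-in; a rule set that is meant to shape the box's own services needs a match that does not depend on the bridge port.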