Protocol Classifier, mark packet then queue tree?
Posted: Mon Aug 25, 2008 11:21 am
I followed the famous article "Dmitry on Firewalling", then I tried to modify the configuration.
Why can I not mark packets with chain tcp-services?
10 chain=tcp-services connection-mark=http action=mark-packet new-packet-mark=packet_http_in passthrough=no
So, no packet detected..
Should I use chain prerouting instead of tcp-services? Because with chain prerouting it works, the mark packet is counting.
Then I will put the packet mark on Queue Tree, to do bandwidth limitation of HTTP Download, then SMTP Download, HTTPS Download, POP3 Download, etc.
[admin@MikroTik] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting protocol=tcp connection-state=new action=jump jump-target=tcp-services
1 chain=prerouting protocol=udp connection-state=new action=jump jump-target=udp-services
2 chain=prerouting connection-state=new action=jump jump-target=other-services
3 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=20-21 action=mark-connection new-connection-mark=ftp
passthrough=no
4 chain=tcp-services protocol=tcp src-port=513-65535 dst-port=22 action=mark-connection new-connection-mark=ssh
passthrough=no
5 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=23 action=mark-connection new-connection-mark=telnet
passthrough=no
6 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=25 action=mark-connection new-connection-mark=smtp
passthrough=no
7 chain=tcp-services protocol=tcp src-port=53 dst-port=53 action=mark-connection new-connection-mark=dns passthrough=no
8 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=53 action=mark-connection new-connection-mark=dns
passthrough=no
9 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=80 action=mark-connection new-connection-mark=http
passthrough=no
10 chain=tcp-services connection-mark=http action=mark-packet new-packet-mark=packet_http_in passthrough=no
11 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=110 action=mark-connection new-connection-mark=pop
passthrough=no
12 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=113 action=mark-connection new-connection-mark=auth
passthrough=no
13 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=119 action=mark-connection new-connection-mark=nntp
passthrough=no
14 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=143 action=mark-connection new-connection-mark=imap
passthrough=no
15 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=161-162 action=mark-connection new-connection-mark=snmp
passthrough=no
16 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=443 action=mark-connection new-connection-mark=https
passthrough=no
thanks,
yudi
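
Added example, not part of the original post: a simplified Python model of mangle traversal, reduced to rules 0, 9 and 10 from the printout, that counts hits on rule 10 in `tcp-services` versus the same rule in `prerouting`. It assumes `passthrough=no` ends mangle processing for the packet and that `connection-state=new` matches only a connection's first packet; the packet flow and all Python names are constructed.

```python
# Simplified model of RouterOS mangle traversal (assumption: only the matchers
# used by rules 0, 9 and 10 of the post are modelled; all names are constructed).

def run_chain(rules, chain, pkt, conn, hits):
    """Walk one chain; return True when a passthrough=no rule ends processing."""
    for r in (x for x in rules if x["chain"] == chain):
        m = r["match"]
        if "state" in m and m["state"] != pkt["state"]:
            continue
        if "dst_port" in m and m["dst_port"] != pkt["dst_port"]:
            continue
        if "conn_mark" in m and m["conn_mark"] != conn.get("mark"):
            continue
        hits[r["id"]] = hits.get(r["id"], 0) + 1      # rule counter
        if r["action"] == "jump":
            if run_chain(rules, r["target"], pkt, conn, hits):
                return True                           # ended inside the target chain
            continue                                  # target chain fell through
        if r["action"] == "mark-connection":
            conn["mark"] = r["mark"]                  # persists for the whole connection
        else:                                         # mark-packet
            pkt["mark"] = r["mark"]
        if not r["passthrough"]:
            return True
    return False

def simulate(rules, packets):
    """Push one connection's packets through prerouting; return per-rule hit counts."""
    conn, hits = {}, {}
    for p in packets:
        run_chain(rules, "prerouting", dict(p), conn, hits)
    return hits

# Constructed flow: one HTTP connection from client port 40000.
FLOW = [{"state": "new", "dst_port": 80},
        {"state": "established", "dst_port": 40000},
        {"state": "established", "dst_port": 80},
        {"state": "established", "dst_port": 40000}]

JUMP = {"id": 0, "chain": "prerouting", "match": {"state": "new"},
        "action": "jump", "target": "tcp-services"}
MARK_CONN = {"id": 9, "chain": "tcp-services", "match": {"dst_port": 80},
             "action": "mark-connection", "mark": "http", "passthrough": False}
MARK_PKT = {"id": 10, "chain": "tcp-services", "match": {"conn_mark": "http"},
            "action": "mark-packet", "mark": "packet_http_in", "passthrough": False}

POSTED = [JUMP, MARK_CONN, MARK_PKT]                            # rule 10 as posted
MOVED = [JUMP, MARK_CONN, {**MARK_PKT, "chain": "prerouting"}]  # rule 10 in prerouting
```

In this model `simulate(POSTED, FLOW)` never reaches rule 10, while `simulate(MOVED, FLOW)` counts every packet after the connection's first.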