How to mark outbound FTP traffic with iptables?

Question

i have a user called "testuser" in my debian system and i want to mark the FTP traffic going from testuser's account

how can i do that?

i use following commands to mark all the outgoing traffic for "testuser"

iptables -t mangle -N HTB_OUT
iptables -t mangle -I POSTROUTING -j HTB_OUT
iptables -t mangle -A HTB_OUT -m owner --uid-owner testuser -j MARK --set-mark 10

how to set two marks for "testuser"? one for FTP traffic only and one for all other traffic?

score 0 · Accepted Answer · answered Dec 10 '12 at 18:08

0

Add a --dport (--destination-port) option. You'll need at least two of them - 20:21 for FTP traffic and !20:21 for non-FTP.

answered Dec 10 '12 at 18:08

John

9,070
1
29
34

can you please show me how to combine it with "-m owner --uid-owner testuser -j MARK --set-mark" ? – Gihan Lasita Dec 10 '12 at 18:28
You simply add it as an option to the command line. – John Dec 10 '12 at 19:00
it gives me error "invalid argument" when its added to this "iptables -t mangle -A HTB_OUT -m owner --uid-owner testuser -j MARK --set-mark 10" – Gihan Lasita Dec 10 '12 at 19:43
Try "man iptables" – John Dec 10 '12 at 20:19
thanks by adding "-p tcp --dport 20:21" command executed without errors but not for "-p tcp --dport !20:21" it gives "-bash: !20: event not found" – Gihan Lasita Dec 11 '12 at 09:11
after few experiments it works with space between ! and 20 "p tcp --dport ! 20:21" – Gihan Lasita Dec 11 '12 at 10:09

How to mark outbound FTP traffic with iptables?

1 Answers1