
I found the following code snippet in the bitcoin source tree, which is defined as part of a bash script to control the outbound connections on port 8333. Can someone explain to me exactly how these commands work?

# mark TCP packets we send to a remote peer's port 8333 (destination outside ${LOCALNET})
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 8333 ! -d ${LOCALNET} -j MARK --set-mark 0x2
# mark TCP packets our own port 8333 sends back to a remote peer (destination outside ${LOCALNET})
iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 8333 ! -d ${LOCALNET} -j MARK --set-mark 0x2

Source file: https://github.com/bitcoin/bitcoin/blob/ad57b310bac44a7e470cf66276421f2bbc61b1f0/contrib/qos/tc.sh

bawejakunal

1 Answer


Let's break this down.

  • -t mangle: the table being changed
  • -A OUTPUT: append this rule to the OUTPUT chain
  • -p tcp: protocol is tcp
  • -m tcp: load TCP module (this happens automatically with -p so this is superfluous)
  • --(d|s)port 8333: destination|source port is 8333
  • ! -d ${LOCALNET}: destination is not in the local network
  • -j MARK: Jump to the MARK table (needed for --set-mark)
  • --set-mark 0x2: Set a mark on the packet to be handled by something else

The high level goal here is to set the 0x2 mark on the packet. From the comments on GitHub, that mark is used to limit the packets.

Nick Garvey
  • Suppose I have two bitcoind instances running on the same machine but on different ports, e.g. 8333 and 8444, such that the bitcoind instance bound to port 8333 is sending some data to port 8444; will the above iptables restriction work in that case as well? – bawejakunal Oct 30 '15 at 06:29
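To make the rule semantics concrete, here is an added Python model of what the two mangle rules do to each locally generated packet, followed by the hand-off to a tc "fw" filter that the 0x2 mark exists for. This is illustration code written for this page, not code from the Bitcoin repository's tc.sh; the LOCALNET value, the class ids 1:10 and 1:11, and the sample packets are assumptions chosen for the example.

```python
"""Model of the two 'iptables -t mangle -A OUTPUT ... -j MARK --set-mark 0x2'
rules and of a tc 'fw' filter that selects a class from the resulting mark.

Added example, not code from bitcoin/contrib/qos/tc.sh. LOCALNET, the class
ids and the packets below are assumptions for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LOCALNET = ip_network("192.168.1.0/24")  # assumed value of ${LOCALNET}
BITCOIN_PORT = 8333
FW_MARK = 0x2                            # the value given to --set-mark


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    mark: int = 0  # the kernel's per-packet mark; 0 until a MARK target sets it


def rule_matches(pkt, *, port_field, port):
    """One rule: -p tcp -m tcp --<sport|dport> <port> ! -d LOCALNET.

    Every match must hold for the rule to fire; '!' negates only the -d match,
    so the rule fires when the destination is NOT inside LOCALNET.
    """
    if pkt.proto != "tcp":
        return False
    if getattr(pkt, port_field) != port:
        return False
    return ip_address(pkt.dst) not in LOCALNET


def mangle_output(pkt):
    """Walk the two rules of the mangle OUTPUT chain in order.

    MARK is a non-terminating target: after it fires the packet continues
    down the chain, so both rules are always evaluated. '--set-mark 0x2'
    without a mask replaces the whole mark with 0x2. Returns the final mark.
    """
    chain = [
        dict(port_field="dport", port=BITCOIN_PORT),  # we connect to a peer's 8333
        dict(port_field="sport", port=BITCOIN_PORT),  # our 8333 answers a peer
    ]
    for rule in chain:
        if rule_matches(pkt, **rule):
            pkt.mark = FW_MARK
    return pkt.mark


def tc_classify(mark, *, default="1:10", limited="1:11"):
    """Model of a 'tc filter ... handle 2 fw classid 1:11' filter (assumed ids).

    The fw classifier matches on the mark the mangle table left on the packet:
    mark 2 goes to the rate-limited class, everything else to the default one.
    """
    return limited if mark == FW_MARK else default


# Constructed sample packets, not captured traffic. 203.0.113.0/24 is a
# documentation range standing in for a remote peer.
SAMPLES = {
    "to remote peer":       Packet("tcp", "192.168.1.10", 51000, "203.0.113.5", 8333),
    "reply to remote peer": Packet("tcp", "192.168.1.10", 8333, "203.0.113.5", 49152),
    "to LAN peer":          Packet("tcp", "192.168.1.10", 51001, "192.168.1.20", 8333),
    "rpc port, not p2p":    Packet("tcp", "192.168.1.10", 51002, "203.0.113.5", 8332),
    "udp on 8333":          Packet("udp", "192.168.1.10", 8333, "203.0.113.5", 8333),
    "8333 to 8444 on lo":   Packet("tcp", "127.0.0.1", 8333, "127.0.0.1", 8444),
}


def classify_all(samples=SAMPLES):
    """Run every sample through the chain and the filter; returns name -> class."""
    return {name: tc_classify(mangle_output(pkt)) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, cls in classify_all().items():
        print(f"{name:22s} -> class {cls}")
```

Two things the model makes visible that the rule text alone does not: the mark by itself slows nothing down, it only tags the packet so a later filter can pick a class for it; and the mangle OUTPUT chain sees every locally generated packet, so in this model the loopback packet from port 8333 to 8444 is marked because 127.0.0.1 is outside the assumed LOCALNET, while a tc qdisc and its filters are attached to one network device, so whether a marked packet is actually shaped depends on which device it leaves through.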