[Firehol-support] marks and speed
Whit Blauvelt
whit at transpect.com
Sat Jan 24 13:50:20 GMT 2015
On Sat, Jan 24, 2015 at 03:12:30PM +0200, Tsaousis, Costa wrote:
> The FireHOL suite (firehol, fireqos, link-balancer) now supports
> internally 2 types of marks: usermarks and connmarks.
Nice!
The way I've been enabling Openswan IPsec to work from a server with the
previous FireHOL is like this (in firehol.conf ahead of the standard stuff):
# IPsec mangling
# Mark IPsec (IKE on udp/500 and ESP, protocol 50) in PREROUTING; the
# decrypted inner packets keep the mark, so the filter rules below admit
# both the encrypted and the decrypted traffic
iptables -t mangle -A PREROUTING -p 17 --dport 500 -j MARK --set-mark 1 # udp/isakmp
iptables -t mangle -A PREROUTING -p 50 -j MARK --set-mark 1 # esp
iptables -t filter -A INPUT -m mark --mark 1 -j ACCEPT
iptables -t filter -A FORWARD -m mark --mark 1 -j ACCEPT
iptables -t filter -A OUTPUT -m mark --mark 1 -j ACCEPT
# don't SNAT IPsec: insert an ACCEPT at the top of nat POSTROUTING for
# every remote (rightsubnet) network so the tunnel traffic keeps its
# source address
rightsubnets=( 172.30.0.0/24 10.242.0.0/22 172.16.11.0/24 )
for rightsubnet in "${rightsubnets[@]}"; do
iptables -t nat -I POSTROUTING -d "$rightsubnet" -j ACCEPT
done
What would the translation of that to the new FireHOL syntax look like?
Thanks,
Whit
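The rule set above as a stand-alone script, added here as an example and not code from the original post or from FireHOL. It keeps the same mark-based approach but makes two additions a practitioner would want: it also marks NAT-T (udp/4500), which Openswan switches to when either peer is behind NAT, and it marks in mangle OUTPUT as well, because locally generated packets never traverse PREROUTING, so a filter OUTPUT rule matching the mark has nothing to match unless the outbound IKE/ESP packets are marked on their own path. The IPT variable defaults to "echo iptables" so the script only prints the rules it would apply; the subnet list, the mark value 1 and the variable names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Prints the iptables rules by
# default; run with IPT=iptables as root to actually apply them.
IPT="${IPT:-echo iptables}"
MARK="${MARK:-1}"   # assumed mark value, as in the post

# Mark IKE (udp/500), NAT-T (udp/4500) and ESP (protocol 50) in both
# PREROUTING (inbound/forwarded) and OUTPUT (locally generated), then
# accept anything carrying the mark in the filter table.
ipsec_mark_rules() {
    for chain in PREROUTING OUTPUT; do
        $IPT -t mangle -A "$chain" -p udp -m udp --dport 500  -j MARK --set-mark "$MARK"
        $IPT -t mangle -A "$chain" -p udp -m udp --dport 4500 -j MARK --set-mark "$MARK"
        $IPT -t mangle -A "$chain" -p 50 -j MARK --set-mark "$MARK"
    done
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -t filter -A "$chain" -m mark --mark "$MARK" -j ACCEPT
    done
}

# One nat POSTROUTING exception per remote subnet given as an argument,
# inserted at the top so it wins over any later SNAT/MASQUERADE rule.
ipsec_no_snat_rules() {
    for rightsubnet in "$@"; do
        $IPT -t nat -I POSTROUTING -d "$rightsubnet" -j ACCEPT
    done
}

# Assumed remote subnets, taken from the post for illustration.
ipsec_mark_rules
ipsec_no_snat_rules 172.30.0.0/24 10.242.0.0/22 172.16.11.0/24
```

Run it as-is to review the generated rules; run it as `IPT=iptables sh ipsec-rules.sh` (the file name is assumed) to apply them. The mark rules produce nine iptables commands and the SNAT exception produces one per subnet.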