On Mon, 25 Nov 2002, Robert Penz wrote:

> could you please tell me how you match ssh and not scp with iptables?

I did almost the same as Martin suggested:

| So, one *should* be able to do something like this:
| # iptables -t filter -A FORWARD -m tos --tos 0x08 -j scpchain
| # iptables -t filter -A FORWARD -m tos --tos 0x10 -j sshchain

# (ssh)
# $IPTABLES -A PREROUTING -t mangle -p tcp --dport 22 \
#  -m tos ! --tos Maximize-Throughput \
#  -j MARK --set-mark 2

# (scp)
# $IPTABLES -A PREROUTING -t mangle -p tcp --dport 22 \
#  -m tos --tos Maximize-Throughput \
#  -j MARK --set-mark 8

It works for me, but I'm not sure if it is in general correct.
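
Added example, not part of the original message: a Python sketch that applies the logic of the two mangle rules above to raw IPv4 packets, to show which traffic ends up with mark 2 or mark 8. It assumes the TOS byte is compared as a whole (ECN bits zero); the packets, addresses and the helper names `classify` and `build` are constructed for illustration.

```python
import struct

TOS_MAX_THROUGHPUT = 0x08    # iptables name: Maximize-Throughput
MARK_SSH, MARK_SCP = 2, 8    # marks set by the two rules in the message


def classify(packet: bytes):
    """Return the mark the two PREROUTING rules would set, or None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                          # not an IPv4 packet
    ihl = (packet[0] & 0x0F) * 4             # IP header length in bytes
    tos, proto = packet[1], packet[9]
    if proto != 6 or ihl < 20 or len(packet) < ihl + 4:
        return None                          # "-p tcp" only
    _sport, dport = struct.unpack_from("!HH", packet, ihl)
    if dport != 22:
        return None                          # "--dport 22": replies from port 22 stay unmarked
    # Assumption: whole-byte comparison against Maximize-Throughput (0x08).
    # Anything else on port 22, including TOS 0x00, falls to the "! --tos" rule.
    return MARK_SCP if tos == TOS_MAX_THROUGHPUT else MARK_SSH


def build(tos, sport, dport, proto=6):
    """Constructed sample: minimal IPv4 header plus TCP/UDP ports, checksum zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 24, 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + struct.pack("!HH", sport, dport)


# Constructed samples: (description, packet)
SAMPLES = [
    ("interactive ssh, TOS 0x10", build(0x10, 40000, 22)),
    ("scp bulk data, TOS 0x08", build(0x08, 40000, 22)),
    ("client sets no TOS", build(0x00, 40000, 22)),
    ("other TOS value 0x20", build(0x20, 40000, 22)),
    ("server reply, sport 22", build(0x08, 22, 40000)),
    ("UDP to port 22", build(0x08, 40000, 22, proto=17)),
]

if __name__ == "__main__":
    for label, pkt in SAMPLES:
        print(f"{label:28s} -> mark {classify(pkt)}")
```

The TOS byte is chosen by the sending host, so the resulting mark is a traffic-shaping hint and not a reliable way to tell scp from ssh for access control.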


