DSCP Tagging with iptables
Published 2013-11-01
I tag traffic coming out of servers I control – simplifies the network guys' life since I manage configurations with puppet. Linux, iptables, and DSCP tagging is a bit of a crazy maker – one great reference is http://www.tucny.com/Home/dscp-tos.
One aspect D. Tucny doesn't mention is that if you set the class, iptables will print the hex value when you list the rules:
    # iptables -t mangle -A OUTPUT -d 10.1.2.3/32 -j DSCP --set-dscp-class AF21
    # iptables -t mangle -L -v
    Chain OUTPUT (policy ACCEPT 8510K packets, 125G bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DSCP       all  --  any    any     anywhere             foo.example.com      DSCP set 0x12
I add a comment to the rule to help:
    # iptables -t mangle -A OUTPUT -d 10.1.2.3/32 -j DSCP --set-dscp-class AF21 \
        -m comment \
        --comment "set dscp class to AF21 for destination host foo.example.com"
Since my rule creation is templatized via puppet, I get a lot of this for free. Helps debugging, let me tell ya…
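For rules that have no comment, the hex value in the listing can be decoded back to its class name. The following is an added example, not part of the original post: the function names (`dscp_val`, `dscp_name`, `dscp_tos`, `annotate_listing`) are hypothetical, and the sample listing line is constructed from the output shown above. It also prints the full TOS byte (the DSCP value shifted left by two bits), which is the form a packet capture shows.

```shell
#!/bin/sh
# Added example: decode the "DSCP set 0xNN" value from an iptables listing.

# Validate a 6-bit DSCP value given as 0xN or 0xNN and print it in decimal.
# The strict pattern keeps untrusted text out of the arithmetic expansion.
dscp_val() {
    case $1 in
        0x[0-9a-fA-F]|0x[0-9a-fA-F][0-9a-fA-F]) v=$(( $1 )) ;;
        *) return 1 ;;
    esac
    [ "$v" -le 63 ] || return 1
    echo "$v"
}

# Map a DSCP value to its class name: CSx = 8x, AFxy = 8x + 2y, EF = 46.
dscp_name() {
    v=$(dscp_val "$1") || { echo invalid; return 1; }
    class=$(( v >> 3 )); drop=$(( (v >> 1) & 3 ))
    if [ "$v" -eq 46 ]; then echo EF
    elif [ $(( v & 7 )) -eq 0 ]; then echo "CS$class"
    elif [ $(( v & 1 )) -eq 0 ] && [ "$class" -ge 1 ] && [ "$class" -le 4 ]; then
        echo "AF$class$drop"
    else echo unknown
    fi
}

# Print the TOS byte that carries this DSCP value (DSCP is its top six bits).
dscp_tos() {
    v=$(dscp_val "$1") || { echo invalid; return 1; }
    printf '0x%02x\n' $(( v << 2 ))
}

# Read `iptables -t mangle -L -v` output on stdin and annotate DSCP targets.
annotate_listing() {
    while IFS= read -r line; do
        case $line in
            *"DSCP set 0x"*)
                hex=${line##*DSCP set }   # text after the last "DSCP set "
                hex=${hex%% *}            # keep only the hex token
                printf '%s (%s, TOS byte %s)\n' "$line" \
                    "$(dscp_name "$hex")" "$(dscp_tos "$hex")" ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# Constructed sample line, modelled on the listing in the post.
printf '%s\n' '    0     0 DSCP  all  --  any  any  anywhere  foo.example.com  DSCP set 0x12' |
    annotate_listing
```

On a live host, pipe the real listing in: `iptables -t mangle -L -v | annotate_listing`.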