Iptables checksum question

Hi,

Iptables question: we've managed to get ip tables working on the
ingress router to the extent that it modifies QOS bits on the IP
header as desired if the destination port is a match to the iptables
command. We'd like to have this work both ways - i.e. put communiction
over a particular port in a special diffserv class. However, when we
add the same iptables command to the egress router, the checksum is
incorrect when it arrives at the end host (Ethereal tell us this).

Question: what are we doing wrong? Is this a bug in iptables, or more
likely a lack of understanding on our part? Any answers/help much
appreciated.

Best Regards,
Sam90

samhunt90@hotmail.com (Sam) wrote in message news:<e20518e0.0407261730.347d1835@posting.google. com>...
> Hi,
>
> Iptables question: we've managed to get ip tables working on the
> ingress router to the extent that it modifies QOS bits on the IP
> header as desired if the destination port is a match to the iptables
> command. We'd like to have this work both ways - i.e. put communiction
> over a particular port in a special diffserv class. However, when we
> add the same iptables command to the egress router, the checksum is
> incorrect when it arrives at the end host (Ethereal tell us this).
>
> Question: what are we doing wrong? Is this a bug in iptables, or more
> likely a lack of understanding on our part? Any answers/help much
> appreciated.
>
> Best Regards,
> Sam90

I still don't have an answer - however, I think I can avoid the
packets from getting processed twice by iptables (on in each router)
simply by specifying the interface, i.e., they should only be
processed by the ingress router, and no other. Hopefully that will do
the trick.

Sam90