
ip route fwmark with iptables -set--mark

Date: 2006-06-05  Source: me09

Re: ip route fwmark with iptables -set--mark

Hi,

Here I am trying something simpler. My objective is to make the ip rule fwmark command work :)

Network Diagram:

--- 192.168.250.197 (eth0) Linux Box (eth1) 192.168.8.88 ------------- 192.168.8.122 (eth0) Windows XP Client

Configuration done on Linux Box:

[root@g webauth]# iptables -t mangle -A PREROUTING -j MARK --set-mark 5
[root@g webauth]# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere            MARK set 0x5
[root@g webauth]# ip rule add fwmark 5 table test2
[root@g webauth]# ip rule
0:      from all lookup local
32765:  from all fwmark 5 lookup test2
32766:  from all lookup main
32767:  from all lookup 253
[root@g webauth]# ip ro show table test2
prohibit 192.168.8.122

I expect ping from 192.168.8.122 to 192.168.250.197 to be dropped, BUT it is successful. Why? Did I miss out anything? Please advise.

Thank you
Kaiwen

----- Original Message -----
From: "Jean Christophe ANDRÉ" <[email protected]>
To: "kaiwen" <[email protected]>
Cc: <[email protected]>
Sent: Thursday, December 04, 2003 8:45 PM
Subject: Re: ip route fwmark with iptables -set--mark

> On Thursday 04 December 2003 at 18:27 (+0800), kaiwen wrote:
> > Routing Table:
> > [root@son-ag webauth]# ip route show table main
> > 192.168.250.0/24 dev eth0 scope link
> > 127.0.0.0/8 dev lo scope link
> > default via 192.168.250.254 dev eth0
>
> Do you really want to not have a route for network 192.168.8.0/24 (eth1)?
>
> > [root@son-ag webauth]# ip route show table test
> > 192.168.8.0/24 dev br0 scope link
> > default via 192.168.250.254 dev eth0
>
> Do you really want to not have a route for network 192.168.250.0/24 (eth0)?
>
> Also, take care of using bridge (br0) since iptables doesn't apply on it
> without a kernel patch AFAIK.
>
> > 32765: from all fwmark d lookup test
>
> Ok.
>
> > [root@son-ag webauth]# iptables -t mangle -L
> > Chain PREROUTING (policy ACCEPT)
> > target prot opt source destination
> > MARK all -- anywhere anywhere MARK set 0x13
>
> Take care that "anywhere to anywhere" means it applies for the return of
> replies (ICMP echo-reply) to request (ICMP echo-request) too...
>
> > Ping from Client 192.168.8.134 to Router eth1 192.168.8.88, Ping FAILED.
> > I think I am missing something in the configuration.
> > I tried setting
> > > ip rule add from 192.168.8.0/24 table test
> > Ping is SUCCESS in this case.
>
> Probably because it uses table test for the ICMP echo-request, but
> not for the ICMP echo-reply coming back... So you may need to be more
> precise on your iptables mangle rule by specifying source addresses.
>
> Also, "tcpdump" is your friend to look for problem symptoms.
> (use something like "tcpdump -lni any icmp")
>
> Regards,
> --
> J.C. "プログフ" ANDRÉ <[email protected]> http://www.vn.refer.org/
> Regional technical coordinator / Technology associate, Reflets project (CODA)
> Agence universitaire de la Francophonie (AuF) / Asia-Pacific Office (BAP)
> Postal address: AUF, 21 Lê Thánh Tông, T.T. Hoàn Kiếm, Hà Nội, Việt Nam
> Tel.: +84 4 9331108 Fax: +84 4 8247383 Mobile: +84 91 3248747
> Personal note: please avoid sending me PowerPoint or Word files;
> see http://www.fsf.org/philosophy/no-word-attachments.fr.html
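The point made in the quoted reply, that a "MARK all -- anywhere anywhere" rule marks the echo-reply as well as the echo-request and so sends both through the fwmark table, can be walked through with a small model of the mangle chain, the ip rule list and the route tables. This is an added example, not code from the thread; the table contents, the router's interfaces and the source-restricted MARK variant are constructed assumptions, and the local table is left out, so it shows the mechanism rather than reproducing the original poster's observed result.

```python
import ipaddress

# Constructed model of the thread's setup (a Linux router between
# 192.168.250.0/24 on eth0 and 192.168.8.0/24 on eth1); not kernel code.
def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

def fwmark(mangle_rules, src, dst):
    """Emulate the mangle PREROUTING chain: MARK is non-terminating, so
    every matching rule runs and the last match wins (0 means unmarked)."""
    mark = 0
    for rule_src, rule_dst, value in mangle_rules:
        if (ipaddress.ip_address(src) in net(rule_src)
                and ipaddress.ip_address(dst) in net(rule_dst)):
            mark = value
    return mark

def route(ip_rules, tables, mark, dst):
    """Emulate `ip rule` followed by `ip route`: walk rules by priority, skip
    those whose fwmark does not match, then do a longest-prefix lookup in the
    selected table. A miss falls through to the next rule; a hit is final
    (the local table is deliberately left out of this model)."""
    addr = ipaddress.ip_address(dst)
    for _prio, rule_mark, table in sorted(ip_rules, key=lambda r: r[0]):
        if rule_mark is not None and rule_mark != mark:
            continue
        best = None
        for prefix, action in tables.get(table, []):
            n = net(prefix)
            if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
                best = (n, action)
        if best:
            return best[1]
    return "unreachable"

def ping(mangle_rules, ip_rules, tables, client, server):
    """Push the echo-request and the echo-reply through the same policy and
    return the verdict each direction receives."""
    req = route(ip_rules, tables, fwmark(mangle_rules, client, server), server)
    rep = route(ip_rules, tables, fwmark(mangle_rules, server, client), client)
    return req, rep

TABLES = {  # constructed: main holds both LANs; test2 is the thread's one-line table
    "main": [("192.168.250.0/24", "dev eth0"), ("192.168.8.0/24", "dev eth1"),
             ("0.0.0.0/0", "via 192.168.250.254")],
    "test2": [("192.168.8.122/32", "prohibit")],
}
IP_RULES = [(32765, 5, "test2"), (32766, None, "main")]
MARK_ALL = [("0.0.0.0/0", "0.0.0.0/0", 5)]               # "anywhere anywhere": marks replies too
MARK_FROM_CLIENT = [("192.168.8.0/24", "0.0.0.0/0", 5)]  # source-restricted, as the reply suggests
```

Calling `ping(MARK_ALL, IP_RULES, TABLES, "192.168.8.122", "192.168.250.197")` returns `('dev eth0', 'prohibit')`: the request misses in test2 and falls through to main, while the marked reply hits the prohibit route. With `MARK_FROM_CLIENT` the reply stays unmarked and the result is `('dev eth0', 'dev eth1')`, which is what a tcpdump on both interfaces would let you confirm.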