Category: LINUX

2006-06-05 16:04:47

Re: ip route fwmark with iptables -set--mark


  • To: Jean Christophe ANDRÉ <>
  • Subject: Re: ip route fwmark with iptables -set--mark
  • From: "kaiwen" <>
  • Date: Mon, 5 Jan 2004 16:08:00 +0800
  • References: <20031204124519.GE16843@virus.home>

Hi,

Here I am trying something simpler.
My objective is to make ip rule fwmark command work :)

Network Diagram:
--- 192.168.250.197 (eth0) Linux Box (eth1) 192.168.8.88 -------------
192.168.8.122 (eth0) Windows XP Client

Configuration done on Linux Box:-

[root@g webauth]# iptables -t mangle -A PREROUTING -j MARK --set-mark 5
[root@g webauth]# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere           MARK set 0x5

[root@g webauth]# ip rule add fwmark 5 table test2
[root@g webauth]# ip rule
0:      from all lookup local
32765:  from all fwmark        5 lookup test2
32766:  from all lookup main
32767:  from all lookup 253

[root@g webauth]# ip ro show table test2
prohibit 192.168.8.122

I expect ping from 192.168.8.122 to 192.168.250.197 to be dropped, BUT it is
successful. Why?
Did I miss out anything? Please advise.

Thank you
Kaiwen

----- Original Message -----
From: "Jean Christophe ANDRÉ" 
To: "kaiwen" 
Cc: 
Sent: Thursday, December 04, 2003 8:45 PM
Subject: Re: ip route fwmark with iptables -set--mark


> On Thursday 04 December 2003 at 18:27 (+0800), kaiwen wrote:
> >    Routing Table:
> >    [root@son-ag webauth]# ip route show table main
> >    192.168.250.0/24 dev eth0  scope link
> >    127.0.0.0/8 dev lo  scope link
> >    default via 192.168.250.254 dev eth0
>
> Do you really want to not have a route for network 192.168.8.0/24 (eth1)?
>
> >    [root@son-ag webauth]# ip route show table test
> >    192.168.8.0/24 dev br0  scope link
> >    default via 192.168.250.254 dev eth0
>
> Do you really want to not have a route for network 192.168.250.0/24 (eth0)?
>
> Also, take care of using bridge (br0) since iptables doesn't apply on it
> without a kernel patch AFAIK.
>
> >    32765:  from all fwmark        d lookup test
>
> Ok.
>
> >    [root@son-ag webauth]# iptables -t mangle -L
> >    Chain PREROUTING (policy ACCEPT)
> >    target     prot opt source               destination
> >    MARK       all  --  anywhere             anywhere           MARK set 0x13
>
> Take care that "anywhere to anywhere" means it applies for the return of
> replies (ICMP echo-reply) to request (ICMP echo-request) too...
>
> >    Ping from Client 192.168.8.134 to Router eth1 192.168.8.88, Ping FAILED.
> >    I think I am missing something in the configuration.
> >    I tried setting
> >    > ip rule add from 192.168.8.0/24 table test
> >    Ping is SUCCESS in this case.
>
> Probably because it uses table test for the ICMP echo-request, but
> not for the ICMP echo-reply coming back... So you may need to be more
> precise on your iptable mangle rule by specifying source addresses.
>
> Also, "tcpdump" is your friend to look for problem symptoms.
> (use something like "tcpdump -lni any icmp")
>
> Regards,
> --
> J.C. "プログフ" ANDRÉ
> Regional technical coordinator / Technology associate, Reflets project (CODA)
> Agence universitaire de la Francophonie (AuF) / Asia-Pacific Office (BAP)
> Postal address: AUF, 21 Lê Thánh Tông, T.T. Hoàn Kiếm, Hà Nội, Việt Nam
> Tel.: +84 4 9331108   Fax: +84 4 8247383   Mobile: +84 91 3248747
> Personal note: please avoid sending me PowerPoint or Word files; see 
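Added illustration, not from the thread: a Python model of the Linux Routing Policy Database walk over the rules and tables kaiwen posted, tracing both legs of the forwarded ping. The main table's 192.168.8.0/24 route via eth1 is an assumption (this message does not show table main); the mangle rule, the ip rule entries and the prohibit route are the message's own.

```python
import ipaddress

# Constructed model of the Linux box in kaiwen's message. Tables map destination
# prefixes to (route type, target); "prohibit" is a route type, not a filter.
TABLES = {
    "local": {},                                         # host-local routes, omitted
    "test2": {"192.168.8.122/32": ("prohibit", None)},   # 'ip ro show table test2'
    "main": {"192.168.250.0/24": ("unicast", "dev eth0"),
             "192.168.8.0/24": ("unicast", "dev eth1"),  # assumed: eth1 is 192.168.8.88
             "0.0.0.0/0": ("unicast", "via 192.168.250.254 dev eth0")},
    "253": {},                                           # the empty 'default' table
}
# 'ip rule': (priority, fwmark selector or None for 'from all', table)
RULES = [(0, None, "local"), (32765, 5, "test2"), (32766, None, "main"), (32767, None, "253")]
# 'iptables -t mangle': (source selector or None for 'anywhere', mark to set)
MANGLE = [(None, 5)]

def prerouting_mark(src, mangle=MANGLE):
    """Mark set by the first matching PREROUTING MARK rule (0 if none matches)."""
    for src_net, mark in mangle:
        if src_net is None or ipaddress.ip_address(src) in ipaddress.ip_network(src_net):
            return mark
    return 0

def lookup_table(table, dst):
    """Longest-prefix match on the destination; None when the table has no route."""
    best = None
    for prefix, route in TABLES[table].items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    return best[1] if best else None

def rpdb_lookup(dst, fwmark, rules=RULES):
    """Walk the rules by priority: a fwmark selector must equal the packet mark
    exactly, and a table miss falls through to the next rule."""
    dst = ipaddress.ip_address(dst)
    for _prio, mark, table in sorted(rules, key=lambda r: r[0]):
        if mark is not None and mark != fwmark:
            continue
        route = lookup_table(table, dst)
        if route is not None:
            return table, route
    return None, ("unreachable", None)

def trace_ping(client, target, mangle=MANGLE, rules=RULES):
    """Route both legs of a ping forwarded by the box: request, then echo-reply."""
    return {"request": rpdb_lookup(target, prerouting_mark(client, mangle), rules),
            "reply": rpdb_lookup(client, prerouting_mark(target, mangle), rules)}
```

A table miss falls through to the next rule, so the echo-request to 192.168.250.197 is routed from main whatever its mark; only the echo-reply, whose destination is 192.168.8.122, can reach the prohibit route. A source-qualified MARK rule (as J.C. suggests), or a mark that does not equal the rule's selector, leaves the reply in main as well.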