Hey, I'm trying to route packets with the help of iptables and iproute2 rules, but I'm not able to get it to work.
Basically what I want to do is mark packets with iptables and then match them with ip rule fwmark.
This is what I have done so far, and it's not working:
iptables -t mangle -A OUTPUT -p tcp --sport 80 -j MARK --set-mark 0xa
iptables -t mangle -A PREROUTING -p tcp --sport 80 -j MARK --set-mark 0xa
ip rule add fwmark 0xa lookup fake prio 33
ip route flush cache
The fake table:
# ip route show table fake
default via 213.112.240.1 dev fake0
Rules:
# ip rule
0: from all lookup local
33: from all fwmark 0xa lookup fake
32766: from all lookup main
32767: from all lookup default
However, fwmark 0xa seems to just be ignored, and the main routing table is used instead.
By looking at "iptables --list -t mangle -v -n" I can see that iptables does report the packets sent via port 80 as marked, but for some reason the fwmark rule doesn't work.
I'm inexperienced at fiddling with routes, and I've tried to make this work for quite some time now without success. Any help is greatly appreciated.
You should try marking destination port 80 and browsing websites to see if the new route is used; if it is, then the problem might be with your network logic.
You should try marking destination port 80 and browsing websites to see if the new route is used; if it is, then the problem might be with your network logic.
I tried that and it does nothing different than sport.
Even with the following it does nothing:
iptables -t mangle -A OUTPUT -j MARK --set-mark 0xa
iptables -t mangle -A PREROUTING -j MARK --set-mark 0xa
Use set-mark=1 when setting the mark; also, add the rule to all the mangle table chains. You can remove the redundant rules later.
ip rule add fwmark 0x1 table fake
You should know that rules are read according to priority. If your route fails, the kernel automatically uses the route below that, so if your gateway is down or not functioning, the system will use the default routes.
Use set-mark=1 when setting the mark; also, add the rule to all the mangle table chains. You can remove the redundant rules later.
ip rule add fwmark 0x1 table fake
You should know that rules are read according to priority. If your route fails, the kernel automatically uses the route below that, so if your gateway is down or not functioning, the system will use the default routes.
# iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
MARK all -- anywhere anywhere MARK set 0x1
Chain INPUT (policy ACCEPT)
target prot opt source destination
MARK all -- anywhere anywhere MARK set 0x1
Chain FORWARD (policy ACCEPT)
target prot opt source destination
MARK all -- anywhere anywhere MARK set 0x1
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
MARK all -- anywhere anywhere MARK set 0x1
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MARK all -- anywhere anywhere MARK set 0x1
# ip rule
0: from all lookup local
1: from all fwmark 0x1 lookup fake
32766: from all lookup main
32767: from all lookup default
Yet it still skips my fake route.
If I do "ip rule add lookup fake prio 3" for example, it uses the fake table like it should. For some reason fwmark doesn't seem to read the mark, or iptables doesn't mark it.
Isn't the format supposed to be something like...:
ip rule add from all fwmark 0xa prio 33 table fake
Isn't the format supposed to be something like...:
ip rule add from all fwmark 0xa prio 33 table fake
I tried that too, but it didn't make any difference.
Hello Cadynum,
Did you get your setup working? I'm getting the same issue on my setup too. I need to mark some packets to go out from one interface, but I'm unable to accomplish it.
If you have it working, please share with me your findings.
Regards,
Davi
Unfortunately, no.
After having tried for way too long I eventually gave up. If you do get it working please tell me how.
I realize this is an old thread, but seeing as there's little information about this to be found, I thought I should update this unresolved thread with my findings.
Apparently the source address of a package is set before the fwmark routing table is looked up. Packages sent out on a non-default interface (based on fwmark) will thus have the source address of the default interface. [Ref]
I solved this with SNAT, and the following line makes all locally generated packages going out the non-default interface, in my case eth0, have the source address of eth0.
sudo iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 10.56.52.80
Also disable source route verification for the non-default interface.
sudo sysctl -w net.ipv4.conf.eth0.rp_filter=0
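The pieces scattered across this thread (mangle MARK, the fwmark rule, the extra routing table, the SNAT fix from the last post, and the rp_filter change) fit together as one procedure. The script below is an added example, not code posted by anyone in the thread: it emits every command in order so it can be reviewed before being applied (set DRY_RUN=0 to execute for real), and includes a small check that parses `ip rule` output to confirm the fwmark rule exists at a priority ahead of the main table, which was the first thing worth verifying in the original posts. The interface, table, mark, gateway and source address are constructed placeholders. One deliberate deviation from the thread: it sets rp_filter to 2 (loose mode, RFC 3704) rather than 0, which still rejects packets whose source is unreachable via any interface instead of disabling reverse-path filtering entirely.

```shell
#!/bin/sh
# Added example: complete fwmark policy-routing setup for locally generated
# traffic, assembled from the steps discussed in the thread. Not the thread's
# own script. All addresses/names below are constructed placeholders.
set -eu

# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# fwmark_route_setup MARK TABLE IFACE GATEWAY SRCADDR PRIO
# Emits (or applies) the full chain of steps. Which traffic to steer is an
# assumption here: outbound TCP to port 80, as one of the replies suggested.
fwmark_route_setup() {
    mark="$1"; table="$2"; iface="$3"; gw="$4"; src="$5"; prio="$6"

    # 1. Mark locally generated traffic in mangle OUTPUT. The kernel routes
    #    the packet once before this chain, then re-routes it because the mark
    #    changed, but the source address chosen by the first lookup is kept.
    run iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark "$mark"

    # 2. Policy rule ahead of main (32766) and a default route in the table.
    run ip rule add fwmark "$mark" lookup "$table" prio "$prio"
    run ip route add default via "$gw" dev "$iface" table "$table"

    # 3. Rewrite the stale source address (the fix from the last post).
    run iptables -t nat -A POSTROUTING -o "$iface" -j SNAT --to-source "$src"

    # 4. Loose reverse-path filtering on the alternate interface. The thread
    #    used 0 (off); 2 keeps spoofed-source protection for unroutable sources.
    run sysctl -w "net.ipv4.conf.$iface.rp_filter=2"

    # 5. Harmless on modern kernels (no route cache since 3.6), kept for older ones.
    run ip route flush cache
}

# fwmark_rule_present MARK RULES
# RULES is the text of `ip rule`. Succeeds when a rule for MARK exists with a
# priority numerically below main's 32766. MARK must be written the way
# iproute2 prints it (hex, e.g. 0xa), since this is a string comparison.
fwmark_rule_present() {
    mark="$1"; rules="$2"
    printf '%s\n' "$rules" | awk -v m="$mark" '
        $4 == "fwmark" && $5 == m { p = $1; sub(":", "", p); if (p + 0 < 32766) found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Dry-run usage with constructed values (prints the six commands, applies nothing):
fwmark_route_setup 0xa fake eth0 10.56.52.1 10.56.52.80 33
```

Run it once with the default DRY_RUN=1 and read the output; the order matters because the SNAT rule and the rp_filter setting are what make the alternate interface usable, and without them the symptoms look exactly like the thread's "fwmark is ignored" even when the rule and table are correct. Rules added with `iptables -A` and `ip rule add` are not persistent across reboot, so the same script belongs in whatever network start-up hook the distribution uses.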