
#1 2010-12-10 18:59:11

Cadynum
Member
Registered: 2010-04-15
Posts: 20

iptables + iproute2 + fwmark doesn't work

Hey, I'm trying to route packets with the help of iptables and iproute2 rules, but I'm not able to get it to work.

Basically what I want to do is mark packets with iptables, and then match them with ip rule fwmark.

This is what I have done this far, and it's not working:

iptables -t mangle -A OUTPUT -p tcp --sport 80 -j MARK --set-mark 0xa
iptables -t mangle -A PREROUTING -p tcp --sport 80 -j MARK --set-mark 0xa
ip rule add fwmark 0xa lookup fake prio 33
ip route flush cache

The fake table:

# ip route show table fake
default via 213.112.240.1 dev fake0 

Rules:

# ip rule
0:    from all lookup local 
33:    from all fwmark 0xa lookup fake 
32766:    from all lookup main 
32767:    from all lookup default 

However, fwmark 0xa seems to just be ignored, and the main routing table is used instead.
By looking at "iptables --list -t mangle -v -n" I can see that iptables does report the packets sent via port 80 as marked, but for some reason the rule fwmark doesn't work.


I'm inexperienced fiddling with routes, and I've tried to make this work now for quite some time without success. Any help is greatly appreciated.


#2 2010-12-10 19:39:33

Sin.citadel
Member
Registered: 2008-01-22
Posts: 267

Re: iptables + iproute2 + fwmark doesn't work

you should try marking destination port 80 and browse websites to see if the new route is used, if it is, then the problem might be with your network logic


#3 2010-12-10 20:25:04

Cadynum
Member
Registered: 2010-04-15
Posts: 20

Re: iptables + iproute2 + fwmark doesn't work

Sin.citadel wrote:

you should try marking destination port 80 and browse websites to see if the new route is used, if it is, then the problem might be with your network logic

I tried that and it does nothing different than sport.
Even with the following it does nothing:

iptables -t mangle -A OUTPUT -j MARK --set-mark 0xa
iptables -t mangle -A PREROUTING -j MARK --set-mark 0xa


#4 2010-12-10 21:12:46

Sin.citadel
Member
Registered: 2008-01-22
Posts: 267

Re: iptables + iproute2 + fwmark doesn't work

use set-mark=1 when setting mark, also, add the rule to all the mangle table chains, you can remove the redundant rules later.

ip rule add fwmark 0x1 table fake

you should know that rules are read according to priority, if your route fails, the kernel automatically uses the route below that, so if your gateway is down or not functioning, the system will use the default routes


#5 2010-12-10 21:26:55

Cadynum
Member
Registered: 2010-04-15
Posts: 20

Re: iptables + iproute2 + fwmark doesn't work

Sin.citadel wrote:

use set-mark=1 when setting mark, also, add the rule to all the mangle table chains, you can remove the redundant rules later.

ip rule add fwmark 0x1 table fake

you should know that rules are read according to priority, if your route fails, the kernel automatically uses the route below that, so if your gateway is down or not functioning, the system will use the default routes

# iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
MARK       all  --  anywhere             anywhere            MARK set 0x1 

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
MARK       all  --  anywhere             anywhere            MARK set 0x1 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
MARK       all  --  anywhere             anywhere            MARK set 0x1 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
MARK       all  --  anywhere             anywhere            MARK set 0x1 

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MARK       all  --  anywhere             anywhere            MARK set 0x1 

# ip rule
0:    from all lookup local 
1:    from all fwmark 0x1 lookup fake 
32766:    from all lookup main 
32767:    from all lookup default 

Yet it still skips my fake route.
If I do "ip rule add lookup fake prio 3" for example, it uses the fake table like it should. For some reason fwmark doesn't seem to read the mark, or iptables doesn't mark it.


#6 2010-12-11 03:27:46

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622

Re: iptables + iproute2 + fwmark doesn't work

isn't the format supposed to be something like...:

ip rule add from all fwmark 0xa prio 33 table fake

"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍


#7 2010-12-11 13:06:24

Cadynum
Member
Registered: 2010-04-15
Posts: 20

Re: iptables + iproute2 + fwmark doesn't work

cactus wrote:

isn't the format supposed to be something like...:

ip rule add from all fwmark 0xa prio 33 table fake

I tried that too, but it didn't make any difference.


#8 2011-01-20 00:46:22

dbht
Member
Registered: 2011-01-20
Posts: 1

Re: iptables + iproute2 + fwmark doesn't work

Hello Cadynum,

Did you get your setup working? I'm getting the same issue on my setup too. I need to mark some packets to go from one interface but I'm unable to accomplish it.

If you have it working, please share with me your findings.

Regards,

Davi


#9 2011-01-21 23:56:53

Cadynum
Member
Registered: 2010-04-15
Posts: 20

Re: iptables + iproute2 + fwmark doesn't work

Unfortunately, no.
After having tried for way too long I eventually gave up. If you do get it working please tell me how.


#10 2012-03-04 13:11:15

petter
Member
From: Sandvika, Norway
Registered: 2009-11-01
Posts: 8

Re: iptables + iproute2 + fwmark doesn't work

I realize this is an old thread. But seeing as there's little information about this to be found, I thought I should update this unresolved thread with my findings.


Apparently the source address of a packet is set before the fwmark routing table is looked up. Packets sent out on a non-default interface (based on fwmark) will thus have the source address of the default interface. [Ref]
I solved this with SNAT, and the following line makes all locally generated packets going out the non-default interface, in my case eth0, have the source address of eth0.

sudo iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 10.56.52.80

Also disable source route verification for the non-default interface.

sudo sysctl -w net.ipv4.conf.eth0.rp_filter=0

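The three things this thread ends up touching (the mangle marks vs. the fwmark rules, rp_filter on the egress interface, and the SNAT fix from the last post) can be checked together from the command output shown above. This is an added example, not code from the thread or from any poster; the sample outputs are constructed in the formats the thread quotes, and the function names and the eth0/10.56.52.80 values are taken from the posts, not from a real system.

```python
"""Consistency check for fwmark policy routing (added example, not from the thread)."""
import re

# Output formats as quoted in the thread: `ip rule`, `iptables -t mangle -L`,
# `sysctl net.ipv4.conf.<if>.rp_filter`, and `iptables -t nat -S POSTROUTING`.
RULE_RE = re.compile(r"^\s*\d+:\s+from \S+ fwmark (0x[0-9a-fA-F]+)(?:/\S+)? lookup (\S+)")
MARK_RE = re.compile(r"MARK set (0x[0-9a-fA-F]+)")
RPF_RE = re.compile(r"net\.ipv4\.conf\.(\S+)\.rp_filter\s*=\s*(\d)")
SNAT_RE = re.compile(r"^-A POSTROUTING .*-o (\S+) .*-j SNAT", re.M)


def parse_ip_rules(text):
    """fwmark value (int) -> routing table name, from `ip rule` output."""
    return {int(m.group(1), 16): m.group(2)
            for m in map(RULE_RE.match, text.splitlines()) if m}


def parse_mangle_marks(text):
    """Set of mark values that MARK targets in `iptables -t mangle -L` output set."""
    return {int(v, 16) for v in MARK_RE.findall(text)}


def check_policy_routing(ip_rule_out, mangle_out, sysctl_out, nat_out, egress_if):
    """Return a list of findings; an empty list means the setup is consistent."""
    findings = []
    rules, marks = parse_ip_rules(ip_rule_out), parse_mangle_marks(mangle_out)
    for mark in sorted(marks - set(rules)):          # marked but never routed
        findings.append(f"mangle sets mark {mark:#x} but no ip rule matches fwmark {mark:#x}")
    for mark in sorted(set(rules) - marks):          # routed but never marked
        findings.append(f"ip rule matches fwmark {mark:#x} but no mangle rule sets it")
    if dict(RPF_RE.findall(sysctl_out)).get(egress_if) != "0":
        findings.append(f"rp_filter on {egress_if} is not 0; replies arriving there may be dropped")
    if egress_if not in SNAT_RE.findall(nat_out):
        findings.append(f"no SNAT on {egress_if}; locally generated packets keep the default source address")
    return findings


# Constructed sample, modelled on the outputs posted in the thread (mark 0x1 -> table fake).
SAMPLE_IP_RULE = "0:\tfrom all lookup local\n1:\tfrom all fwmark 0x1 lookup fake \n32766:\tfrom all lookup main\n"
SAMPLE_MANGLE = "Chain OUTPUT (policy ACCEPT)\ntarget     prot opt source               destination\n" \
                "MARK       all  --  anywhere             anywhere            MARK set 0x1 \n"
SAMPLE_SYSCTL = "net.ipv4.conf.eth0.rp_filter = 1\n"
SAMPLE_NAT = ""  # no SNAT rule yet, as in the original unresolved setup

if __name__ == "__main__":
    for line in check_policy_routing(SAMPLE_IP_RULE, SAMPLE_MANGLE, SAMPLE_SYSCTL, SAMPLE_NAT, "eth0"):
        print("FINDING:", line)
```

Run it against real output by feeding it the four command outputs and the interface name; a clean run returns an empty list.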
