How do I verify marked packets?
 

I'm setting up things like this so that I can send web traffic via different routers. (like: all web requests from internal to outside go via rogers, but any inbound requests to my webserver go via acanac)

-A PREROUTING -p tcp --sport 80 -s 172.29.0.19 -j MARK --set-mark 4


How do I see the mark in tcpdump? how can I send a test package and see which route it takes? How do I verify the rules are working:

ip rule
0: from all lookup local
32763: from all fwmark 0x6 lookup vpn
32764: from all fwmark 0x2 lookup rogers
32765: from all fwmark 0x4 lookup acanac
32766: from all lookup main
32767: from all lookup default

Never mind seems I found it. Seems that the outbound packets were not getting marked. I had to add this line for that.

-A OUTPUT -p tcp --sport 80 -s 172.29.0.19 -j MARK --set-mark 4

Edited:

oh ya and added this to figure out out what was going on:

-A OUTPUT -p tcp --sport 80 -j LOG --log-level 4 --log-prefix "firewall debug http: "

You wont see those MARKS by tcpdump. They are for netfilter&kernel. As long as understand those marks even do not go out.