Linux - Networking
#1  09-02-2015, 06:34 PM

I cannot find my mark after using "iptables --set-mark"

My machine has two network interfaces, one is wired (eth0) and the other one is wireless (wlan0). The wired one cannot connect to any external NTP server because there is a firewall outside. The wireless one has no such constraint.

Therefore, I want to route all NTP traffic to wlan0. As far as I know, NTP traffic goes through UDP port 123. What I have done is described below.

$ echo "201 ntp.out" | sudo tee -a /etc/iproute2/rt_tables
$ sudo ip route add default via <wlan0-gateway-address> dev wlan0 table ntp.out

$ sudo sysctl -w net.ipv4.tcp_fwmark_accept=1
$ sudo iptables -t mangle -I PREROUTING -p udp --dport 123 -j MARK --set-mark 0xfefa
$ sudo iptables -t mangle -I OUTPUT -p udp --sport 123 -j MARK --set-mark 0xfefa
$ sudo ip rule add fwmark 0xfefa lookup ntp.out
However, it doesn't work. I used Wireshark to track the UDP:123 packets, and found that there is no mark "fefa" in the packets.

BTW, I set net.ipv4.tcp_fwmark_accept rather than net.ipv4.udp_fwmark_accept, because there is no net.ipv4.udp_fwmark_accept defined. I also tried to mark TCP packets, but still could not find the mark in those packets.

Could anybody help me solve the problem? I'm using Ubuntu 14.04 LTS.

Last edited by hebothu; 09-02-2015 at 06:35 PM.
#2  09-04-2015, 09:22 AM
The mark is not part of the actual packet, so you will never see it with Wireshark.
Quote from the iptables tutorial:
"Note that the mark value is not set within the actual package, but is a value that is associated within the kernel with the packet. In other words, you can not set a MARK for a packet and then expect the MARK still to be there on another host. If this is what you want, you will be better off with the TOS target which will mangle the TOS value in the IP header."

Last edited by rknichols; 09-04-2015 at 09:29 AM. Reason: Add quote from iptables tutorial
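An added example, not code from either post, that puts the two together: the setup from post #1 with its command-line defects fixed, and a check that follows from post #2. Because the mark lives in the kernel's skb metadata and never reaches the wire, the way to confirm it is working is to ask the kernel which interface a marked packet would leave on (`ip route get ... mark`) and to read the packet counters on the MARK rule, not to look for it in a capture. The table id 201, the name ntp.out and the mark 0xfefa come from the post; the wlan0 gateway address (WLAN_GW) is a placeholder the post never gave, the destination 203.0.113.10 is a constructed documentation address, and the MASQUERADE rule and loose rp_filter setting are my additions, included because marked locally generated packets keep the source address chosen for the eth0 route and replies would otherwise be dropped.

```shell
#!/bin/sh
# Added example, not code from the thread. Route locally generated NTP
# (UDP/123) out of wlan0 with a firewall mark, then verify it the way the
# kernel sees it: skb->mark is metadata and never appears in a capture.
# Assumptions: table 201/ntp.out and mark 0xfefa as in post #1; the wlan0
# gateway is supplied in WLAN_GW (placeholder); the MASQUERADE and
# rp_filter steps are additions the post does not have.

MARK=0xfefa
TABLE=ntp.out
TABLE_ID=201
IFACE=wlan0

# Register the table name once. "sudo echo ... >> file" fails because the
# unprivileged shell opens the file; tee performs the write under sudo.
add_rt_table() {
    grep -q "^${TABLE_ID}[[:space:]]*${TABLE}\$" /etc/iproute2/rt_tables 2>/dev/null ||
        echo "$TABLE_ID $TABLE" | sudo tee -a /etc/iproute2/rt_tables >/dev/null
}

# ipt_once TABLE CHAIN RULE...: append a rule only if it is not already there.
ipt_once() {
    t=$1; c=$2; shift 2
    sudo iptables -t "$t" -C "$c" "$@" 2>/dev/null || sudo iptables -t "$t" -A "$c" "$@"
}

apply_policy_routing() {
    [ -n "${WLAN_GW:-}" ] || { echo "set WLAN_GW to the wlan0 gateway address" >&2; return 1; }
    add_rt_table
    # A default route needs a next hop; "default via dev wlan0" is rejected by ip(8).
    sudo ip route replace default via "$WLAN_GW" dev "$IFACE" table "$TABLE"
    # Locally generated requests pass through OUTPUT, never PREROUTING. Match the
    # destination port: ntpd sends from port 123, ntpdate/sntp from an ephemeral port.
    ipt_once mangle OUTPUT -p udp --dport 123 -j MARK --set-mark "$MARK"
    # Marked packets consult the ntp.out table.
    ip rule show | grep -q "fwmark $MARK lookup $TABLE" ||
        sudo ip rule add fwmark "$MARK" lookup "$TABLE"
    # The source address was chosen for the eth0 route before the mark was set;
    # rewrite it to wlan0's address so replies come back on wlan0.
    ipt_once nat POSTROUTING -o "$IFACE" -m mark --mark "$MARK" -j MASQUERADE
    # Loose reverse-path filtering, or replies arriving on wlan0 are dropped
    # when the main table says the peer is reachable via eth0.
    sudo sysctl -q -w net.ipv4.conf.all.rp_filter=2 "net.ipv4.conf.$IFACE.rp_filter=2"
}

# Pull the "dev" token out of one line of 'ip route get' output.
route_dev() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]dev[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p'
}

# Ask the kernel which interface a packet carrying the mark would use.
check_marked_route() {
    dst=${1:-203.0.113.10}    # constructed destination (TEST-NET-3)
    route_dev "$(ip route get "$dst" mark "$MARK" | head -n 1)"
}

# Packet counters on the MARK rule are the evidence that marking happens.
show_counters() {
    sudo iptables -t mangle -L OUTPUT -v -n -x | grep MARK
}

case "${1:-}" in
    apply) apply_policy_routing ;;
    check)
        dev=$(check_marked_route "${2:-}")
        if [ "$dev" = "$IFACE" ]; then
            echo "marked NTP traffic leaves via $dev"; show_counters
        else
            echo "marked NTP traffic would leave via '${dev:-?}', not $IFACE" >&2; exit 1
        fi ;;
esac
```

Run `WLAN_GW=<gateway> sh ntp-route.sh apply` once, then `sh ntp-route.sh check` after an NTP query: a `dev wlan0` answer from `ip route get ... mark 0xfefa` plus a non-zero packet counter on the MARK rule is the confirmation that Wireshark cannot give. If the route lookup answers `eth0`, the `ip rule` is missing or the mark value in the rule and in the iptables target differ (both must be given in the same hex form).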

