LinuxQuestions.org
07-20-2005, 10:30 PM   #1
eantoranz (Senior Member)
mark set on PREROUTING stays until POSTROUTING?


But I'm not talking about a forward. I'm talking about responses to incoming traffic.

If I stamp a mark on traffic that is coming to the host in PREROUTING, will the response traffic have that same mark visible in POSTROUTING, or OUTPUT? Can I use it to route traffic?
 
07-20-2005, 10:52 PM   #2
eantoranz (Original Poster)
Nope, it doesn't.
 
07-25-2005, 09:41 PM   #3
damian24 (LQ Newbie)
Re: mark set on PREROUTING stays until POSTROUTING?

Quote:
Originally posted by eantoranz
But I'm not talking about a forward. I'm talking about responses to incoming traffic.

If I stamp a mark on traffic that is coming to the host in PREROUTING, will the response traffic have that same mark visible in POSTROUTING, or OUTPUT? Can I use it to route traffic?

I had a similar problem, and numerous websites alluded to using the CONNMARK and MARK targets.

It didn't work too well, but here is a solution using conntrack....

Part of my ip-up (note the fwmark rule):

# Excerpt from /etc/ppp/ip-up. pppd calls it as
#   ip-up <interface> <tty> <speed> <local-IP> <remote-IP> <ipparam>
# so $1 is the ppp interface, $4 its local address and $5 the peer (gateway).
elif [ "$1" = "ppp1" ]; then
    # Second uplink gets its own routing table, "pppone" (the name must be
    # mapped to a table ID in /etc/iproute2/rt_tables)
    ip route add $5 dev $1 src $4 table pppone
    ip route add default via $5 table pppone
    ip route add $5 dev $1 src $4
    # Traffic sourced from this link's address, or carrying fwmark 2, uses that table
    ip rule add from $4 table pppone
    ip rule add fwmark 2 table pppone
    # Additional default route in the main table, metric 10
    /sbin/ip route add default via $5 dev $1 metric 10
    ddclient -daemon=0 -syslog -use=if -if=ppp1 -file=/etc/ddclient2.conf -cache=/etc/ddclient2.cache >/dev/null 2>&1
    # Firewall rules for this link, given its local address
    iptablessetup $4
fi

Part of your firewall rules (my iptablessetup):

# $1 = the argument passed from ip-up ($4 there). Packets arriving from the LAN
# (eth2) that belong to a connection whose original destination was that
# address get fwmark 2, which the ip rule above sends to table pppone.
/usr/sbin/iptables -t mangle -A PREROUTING -i eth2 -m conntrack --ctorigdst $1 -j MARK --set-mark 2

eth2 is your ethernet interface, $1 is your external ppp interface. The idea being that when a connection passes through NAT the original destination is maintained in conntrack; I use that to mark the packet and then use ip rule to forward back to the correct output interface.

D

Last edited by damian24; 07-25-2005 at 09:46 PM.
 
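As an added example (not code from the thread, and not damian24's script), here is the general form of the same idea for two uplinks, in POSIX shell. Instead of a per-rule --ctorigdst match it uses CONNMARK: the mark is stored on the conntrack entry when a connection arrives on an uplink and restored onto every later packet of that connection, including replies this host generates, so one fwmark rule per uplink routes them back out the link they came in on. All interface names, addresses and table IDs are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: two uplinks, one routing table and
# one fwmark per uplink, with the mark carried across each connection by
# CONNMARK so that replies leave through the uplink the connection arrived on.
# Interface names, addresses and table IDs are constructed for illustration.
#
# Dry run by default (prints the commands). Run as root with APPLY=1 to apply.
if [ "${APPLY:-0}" = "1" ]; then
    IPT=iptables; IP=ip
else
    IPT="echo iptables"; IP="echo ip"
fi

setup_uplink() {
    # $1 interface, $2 local address, $3 gateway, $4 table ID, $5 fwmark
    dev=$1; addr=$2; gw=$3; table=$4; mark=$5
    $IP route add default via "$gw" dev "$dev" table "$table"
    # Locally originated packets already bound to this address use the table...
    $IP rule add from "$addr" table "$table"
    # ...and so does any packet carrying this uplink's mark, whatever its source.
    $IP rule add fwmark "$mark" table "$table"
}

mark_new_connections() {
    # $1 interface, $2 fwmark. The first packet of a connection arriving on this
    # uplink stamps the mark on the conntrack entry (not on the packet itself).
    $IPT -t mangle -A PREROUTING -i "$1" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$2"
}

restore_marks() {
    # A mark set with MARK lives only on that packet; replies do not inherit it
    # (the thread's question). CONNMARK --restore-mark copies the mark stored in
    # the conntrack entry onto every later packet of the connection: forwarded
    # replies coming back from the LAN (PREROUTING) and replies generated by
    # this host (OUTPUT). In OUTPUT a changed mark makes the kernel re-route the
    # packet, so the fwmark rule above takes effect for local replies too.
    $IPT -t mangle -A PREROUTING -m conntrack ! --ctstate NEW -j CONNMARK --restore-mark
    $IPT -t mangle -A OUTPUT -m conntrack ! --ctstate NEW -j CONNMARK --restore-mark
}

apply_example() {
    # Constructed topology (assumptions): eth2 = LAN, ppp0 and ppp1 = uplinks.
    setup_uplink ppp0 192.0.2.10 192.0.2.1 101 1
    setup_uplink ppp1 198.51.100.10 198.51.100.1 102 2
    mark_new_connections ppp0 1
    mark_new_connections ppp1 2
    restore_marks
    # Masquerade per outgoing interface so the source address always matches
    # the interface the packet actually leaves on.
    $IPT -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
    $IPT -t nat -A POSTROUTING -o ppp1 -j MASQUERADE
}

apply_example
```

Run it as is to print the twelve commands; APPLY=1 as root applies them. The restore in mangle OUTPUT is the part that answers the thread title for locally generated replies: a MARK set on the incoming packet is not seen by the reply, but the connection mark is, and it can be put back on the reply before routing. The source address of a reply is fixed by the destination of the packet it answers, so the per-interface MASQUERADE only matters for connections that this host or the LAN initiates.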
07-26-2005, 06:50 PM   #4
eantoranz (Original Poster)
That sounds quite logical.... and I have already tested working things with MARK.

Now the problem I'm facing is that the src address of the packets that are going out through interface X is carrying interface Y's address.... though I'm masquerading traffic through both interfaces. But it's not like an isolated crazy case. I'm dealing with two different internet connections that are present in the same subnet. Do you have any advice for this case?