Applying iptables fw rules failed when using MARK target

nnes · 05-20-2011, 03:09 AM

Hi all.
I want to limit bandwidth by using tc and iptables flowing: http://lartc.org/howto/lartc.cookboo...nat.intro.html

When I mark packets using commands:
....
iptables -t mangle -A PREROUTING -p icmp -j MARK --set-mark 0x1
....

I try testing this system without iptables save, it works well.

Then, i save iptables, it's OK. But i restart iptables, it's failed.

Quote:

Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: nat mangle [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: iptables-restore: line 9 failed
[FAILED]

line 9 it contain COMMIT.
line 8 it contain:
-A PREROUTING -p tcp -j MARK --set-mark 0x1

i think there is the error in line 8. So, I delete line 8 in iptables file. Restart, it's OK, no error.
Of course, it can't mark packets and system can't run well.

What can i do to fix this error?

Thanks all.

Noway2 · 05-20-2011, 04:27 AM

If you would like help to troubleshoot this problem, would you please post your iptables configuration as well as the error message(s) that you are receiving? Also, please use the code tags, which are similar to the quote ones, when you post the listing. You mention line 20 in your post that seems to be a culprit, but I don't see anything in the how-to you reference that indicates what this line is.

nnes · 05-20-2011, 04:48 AM

I use commands:

Quote:

...
tc filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip dst 192.168.68.0/24 flowid 1:1
tc filter add dev eth0 parent 1: protocol ip prio 1 handle 9 fw flowid 1:1
...

iptables -t nat -A POSTROUTING -s 192.168.68.0/24 -o eth0 -j SNAT --to-source 192.168.5.32
iptables -t mangle -A PREROUTING -p tcp -j MARK --set-mark 0x9

...

My iptables configuration:

Quote:

# Generated by iptables-save v1.4.0 on Fri May 20 09:38:45 2011
*mangle
:PREROUTING ACCEPT [449:39586]
:INPUT ACCEPT [267:24250]
:FORWARD ACCEPT [3:234]
:OUTPUT ACCEPT [93:9734]
:POSTROUTING ACCEPT [96:9968]
[121:9364] -A PREROUTING -p tcp -j MARK --set-mark 0xffffffff00000009
COMMIT
# Completed on Fri May 20 09:38:45 2011
# Generated by iptables-save v1.4.0 on Fri May 20 09:38:45 2011
*nat
:PREROUTING ACCEPT [3478:297455]
:OUTPUT ACCEPT [3:213]
:POSTROUTING ACCEPT [0:0]
[36:2436] -A POSTROUTING -o eth0 -j MASQUERADE
[10:632] -A POSTROUTING -s 192.168.68.0/24 -o eth0 -p tcp -j SNAT --to-source 10.0.9.2:1024-2037
COMMIT
# Completed on Fri May 20 09:38:45 2011
# Generated by iptables-save v1.4.0 on Fri May 20 09:38:45 2011
*filter
:INPUT ACCEPT [25477:2154067]
:FORWARD ACCEPT [2710:455845]
:OUTPUT ACCEPT [18600:6343828]
COMMIT

I restart service iptables, it's error

Quote:

Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: iptables-restore: line 9 failed
[FAILED]

Line 9 it contain COMMIT.
I think error at line 8. I delete line 8, restart , it've no error. But it can't mark.

Thanks for helping.