Re: ip route fwmark with iptables -set--mark
On Thursday 04 December 2003 at 18:27 (+0800), kaiwen wrote:
> Routing Table:
> [root@son-ag webauth]# ip route show table main
> 192.168.250.0/24 dev eth0 scope link
> 127.0.0.0/8 dev lo scope link
> default via 192.168.250.254 dev eth0
Do you really want to not have a route for network 192.168.8.0/24 (eth1)?
> [root@son-ag webauth]# ip route show table test
> 192.168.8.0/24 dev br0 scope link
> default via 192.168.250.254 dev eth0
Do you really want to not have a route for network 192.168.250.0/24 (eth0)?
Also, take care when using a bridge (br0), since iptables doesn't apply to it
without a kernel patch AFAIK.
> 32765: from all fwmark d lookup test
Ok.
> [root@son-ag webauth]# iptables -t mangle -L
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
> MARK all -- anywhere anywhere MARK set 0x13
Take care that "anywhere to anywhere" means it applies to the return of
replies (ICMP echo-reply) to requests (ICMP echo-request) too...
> Ping from Client 192.168.8.134 to Router eth1 192.168.8.88, Ping FAILED.
> I think I am missing something in the configuration.
> I tried setting
> > ip rule add from 192.168.8.0/24 table test
> Ping is SUCCESS in this case.
Probably because it uses table test for the ICMP echo-request, but
not for the ICMP echo-reply coming back... So you may need to be more
precise in your iptables mangle rule by specifying source addresses.
Also, "tcpdump" is your friend when looking for problem symptoms.
(use something like "tcpdump -lni any icmp")
Regards,
--
J.C. "プログフ" ANDRÉ <jean-christophe.andre@auf.org> http://www.vn.refer.org/
Regional technical coordinator / Technology associate, Reflets project (CODA)
Agence universitaire de la Francophonie (AuF) / Bureau Asie-Pacifique (BAP)
Postal address: AUF, 21 Lê Thánh Tông, T.T. Hoàn Kiếm, Hà Nội, Việt Nam
Tel.: +84 4 9331108 Fax: +84 4 8247383 Mobile: +84 91 3248747
⎧ Personal note: please avoid sending me PowerPoint or Word files; ⎫
⎩ see http://www.fsf.org/philosophy/no-word-attachments.fr.html ⎭
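
Added example, not part of the original message: a small Python check that cross-references the fwmark values in `ip rule` output with the marks set in the mangle table and flags marks applied to all traffic, run here on the lines quoted above. It assumes a bare `fwmark` value such as `d` is hexadecimal, like the `0x`-prefixed value iptables prints; all function names are hypothetical.

```python
import re

# Constructed sample input: the two outputs quoted in the message above.
IP_RULE_OUTPUT = "32765: from all fwmark d lookup test\n"
MANGLE_OUTPUT = """\
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
MARK all -- anywhere anywhere MARK set 0x13
"""
ANY = {"anywhere", "0.0.0.0/0"}  # how iptables -L prints "any", without and with -n

def rule_marks(ip_rule_text):
    """Map fwmark -> routing table for each fwmark rule in `ip rule show` output."""
    marks = {}
    for line in ip_rule_text.splitlines():
        m = re.search(r"\bfwmark\s+(?:0x)?([0-9a-fA-F]+)(?:/\S+)?\s+lookup\s+(\S+)", line)
        if m:
            marks[int(m.group(1), 16)] = m.group(2)  # assumption: value is hex
    return marks

def mangle_marks(iptables_text):
    """List (mark, source, destination) for MARK targets in `iptables -t mangle -L` output."""
    found = []
    for line in iptables_text.splitlines():
        fields = line.split()
        m = re.search(r"MARK set (0x[0-9a-fA-F]+)", line)
        if m and len(fields) >= 5 and fields[0] == "MARK":
            found.append((int(m.group(1), 16), fields[3], fields[4]))
    return found

def audit(ip_rule_text, iptables_text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    rules = rule_marks(ip_rule_text)
    set_marks = mangle_marks(iptables_text)
    findings = []
    for mark, src, dst in set_marks:
        if mark not in rules:
            findings.append(f"mark {mark:#x} is set but no ip rule matches it")
        if src in ANY and dst in ANY:
            findings.append(f"mark {mark:#x} is applied to every packet, replies included")
    for mark, table in rules.items():
        if mark not in {m for m, _, _ in set_marks}:
            findings.append(f"rule for mark {mark:#x} (table {table}) never matches a set mark")
    return findings

if __name__ == "__main__":
    for finding in audit(IP_RULE_OUTPUT, MANGLE_OUTPUT):
        print(finding)
```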