Hey Victor!

> > I recently got a second internet line where I wanted to route certain
> > connections to. So I decided to add a MARK to the connection in question:
[...]
> > Then I added a rule to actually use a different routing table for packets
> > marked with 0x2:
> >
> > | ip rule add fwmark 2 table otherisp
[...]
> > Any idea what I am doing wrong here? (vuurmuur is v0.7)
>
> I think marks are being set in the FORWARD chain of the mangle table. As
> you're routing, it should maybe be set in the PREROUTING chain. Not 100%
> though, so maybe you can manually test with some rules?
>
> s/FORWARD/PREROUTING/g on the --set-mark rules should be enough to try.

You are my hero! ;-)

This works perfectly fine...

| vuurmuur -b | grep "\-\-set\-mark" | sed "s/FORWARD/PREROUTING/g" | xargs

...with one exception: obviously all rules that have outgoing interfaces
attached won't work; in my case there are several rules generated from that
single rule: (eth0: lan, eth1/eth2: inet; IPs written as lan/24 and inet)

| /sbin/iptables -t mangle -A PREROUTING -i eth0 -o eth1 -s lan/24 -d inet
| -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 2
| /sbin/iptables -t mangle -A PREROUTING -i eth1 -o eth0 -s inet -d lan/24
| -m state --state RELATED,ESTABLISHED -j MARK --set-mark 2

Those cannot be loaded as PREROUTING cannot deal with -o.

| /sbin/iptables -t mangle -A PREROUTING -i eth0 -s lan/24 -d inet
| -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 2

This one rule simply does the trick!

| /sbin/iptables -t mangle -A PREROUTING -o eth0 -s inet -d lan/24
| -m state --state RELATED,ESTABLISHED -j MARK --set-mark 2

This rule doesn't work due to -o.

| /sbin/iptables -t mangle -A PREROUTING -i eth0 -o eth2 -s lan/24 -d inet
| -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 2
| /sbin/iptables -t mangle -A PREROUTING -i eth2 -o eth0 -s inet -d lan/24
| -m state --state RELATED,ESTABLISHED -j MARK --set-mark 2

Those do not work either (-o).

Ok, so do you think a patch to add that feature could make it into 0.8? :-)

And for the time being I'll just load that single rule manually...

...oh, and I need rules for all non-marked connections before to avoid them
being routed through the same gateway. ;-)

Thank you very much, Victor!

--
Adi

_______________________________________________
Vuurmuur-users mailing list
https://lists.sourceforge.net/lists/listinfo/vuurmuur-users
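The rewrite Adi runs by hand, as an added example that is not from the thread or from vuurmuur itself: a filter that turns the FORWARD-chain mark rules into PREROUTING rules and drops the ones carrying `-o` (which PREROUTING rejects), plus the `ip rule`/`ip route` commands that make the mark steer traffic. Interface names, the `otherisp` table (assumed to already be listed in rt_tables), the gateway and the sample rule set are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from vuurmuur): rewrite the mark
# rules vuurmuur generates so that they run before the routing decision.
# Interface names, gateway, table name and the sample rules are assumed.

# Marking must happen in mangle PREROUTING, i.e. before routing. At that
# point the output interface is not known yet, so iptables rejects any rule
# with "-o <iface>". Such rules are dropped rather than rewritten; the "-i"
# form covers what matters: new connections entering from the LAN.
prerouting_mark_rules() {
    grep -- '--set-mark' \
      | grep -v -- ' -o ' \
      | sed 's/-A FORWARD /-A PREROUTING /'
}

# Commands that make the mark select the second ISP's routing table.
# Assumes "<number> <table>" is already present in /etc/iproute2/rt_tables.
policy_route_cmds() {
    table=$1; mark=$2; gw=$3; dev=$4
    echo "ip route add default via $gw dev $dev table $table"
    echo "ip rule add fwmark $mark table $table"
    echo "ip route flush cache"
}

# Constructed sample of "vuurmuur -b" output (placeholder addresses).
SAMPLE='/sbin/iptables -t mangle -A FORWARD -i eth0 -o eth1 -s 192.168.1.0/24 -d 198.51.100.0/24 -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 2
/sbin/iptables -t mangle -A FORWARD -i eth0 -s 192.168.1.0/24 -d 198.51.100.0/24 -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 2
/sbin/iptables -t mangle -A FORWARD -o eth0 -s 198.51.100.0/24 -d 192.168.1.0/24 -m state --state RELATED,ESTABLISHED -j MARK --set-mark 2
/sbin/iptables -t filter -A FORWARD -i eth0 -o eth1 -j ACCEPT'

# Dry run: print the rewritten rules and routing commands instead of
# applying them (pipe the output into "sh" on the real router).
if [ "${1:-}" = "--dry-run" ]; then
    printf '%s\n' "$SAMPLE" | prerouting_mark_rules
    policy_route_cmds otherisp 2 203.0.113.1 eth2
fi
```

Only the `-i eth0` rule survives the filter; the two `-o` rules are discarded, matching what Adi observed when loading them by hand.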
