On 03/27/2013 04:54 PM, Adi Kriegisch wrote:
> Hey Victor!
>
>>> I recently got a second internet line where I wanted to route certain
>>> connections to. So I decided to add a MARK to the connection in question:
> [...]
>>> Then I added a rule to actually use a different routing table for packets
>>> marked with 0x2:
>>> | ip rule add fwmark 2 table otherisp
> [...]
>>> Any idea what I am doing wrong here? (vuurmuur is v0.7)
>>
>> I think marks are being set in the FORWARD chain of the mangle table. As
>> you're routing, it should maybe be set in the PREROUTING chain. Not 100%
>> though, so maybe you can manually test with some rules?
>>
>> s/FORWARD/PREROUTING/g on the --set-mark rules should be enough to try.
> You are my hero! ;-)
>
> This works perfectly fine...
> | vuurmuur -b | grep "\-\-set\-mark" | sed "s/FORWARD/PREROUTING/g" | xargs
> ...with one exception: obviously all rules that have outgoing interfaces
> attached won't work; in my case there are several rules generated from that
> single rule: (eth: lan, eth1/eth2: inet; ips written as lan/24 and inet)
>
> | /sbin/iptables -t mangle -A PREROUTING -i eth0 -o eth1 -s lan/24 -d inet
> | -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 2
> | /sbin/iptables -t mangle -A PREROUTING -i eth1 -o eth0 -s inet -d lan/24
> | -m state --state RELATED,ESTABLISHED -j MARK --set-mark 2
> Those cannot be loaded as PREROUTING cannot deal with -o
Right. That is interesting, will have to remove the -o in that case.

> | /sbin/iptables -t mangle -A PREROUTING -i eth0 -s lan/24 -d inet
> | -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 2
> This one rule simply does the trick!
>
> | /sbin/iptables -t mangle -A PREROUTING -o eth0 -s inet -d lan/24
> | -m state --state RELATED,ESTABLISHED -j MARK --set-mark 2
> This rule doesn't work due to -o
>
> | /sbin/iptables -t mangle -A PREROUTING -i eth0 -o eth2 -s lan/24 -d inet
> | -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 2
> | /sbin/iptables -t mangle -A PREROUTING -i eth2 -o eth0 -s inet -d lan/24
> | -m state --state RELATED,ESTABLISHED -j MARK --set-mark 2
> Those do not work either (-o)

Also, locally generated traffic (on the fw itself) can't use PREROUTING I
think, there it should just be OUTPUT if I read the netfilter diagram
correctly.

> Ok, so do you think a patch to add that feature could make it into 0.8? :-)

Sure, please open a ticket.

> And for the time being I'll just load that single rule manually...
> ...oh, and I need rules for all non-marked connections before to avoid them
> being routed through the same gateway. ;-)

Hmm not sure I understand this, the ip rule with fwmark 2 should make sure
only marked traffic is affected, right?

Cheers,
Victor
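The rewrite the thread converges on (move the MARK rules from FORWARD to PREROUTING, drop the `-o` match there, and mark locally generated traffic in OUTPUT instead) can be automated with a small shell filter. The script below is an added example, not part of the original thread and not vuurmuur's own code; the function names, the interface names and the RFC 5737 addresses in the sample rules are constructed for illustration and do not come from the posts. It only prints the rewritten rules, so it can be inspected before anything is loaded into iptables.

```shell
#!/bin/sh
# Added example (not vuurmuur code): rewrite vuurmuur-generated MARK rules so
# they load in the chains where policy routing with "ip rule ... fwmark"
# actually needs them.
#
# Netfilter constraints this relies on:
#   - PREROUTING runs before the routing decision for forwarded packets, so a
#     mark set there is visible to "ip rule add fwmark 2 table otherisp"; but
#     the outgoing interface is not known yet, so "-o IFACE" is rejected.
#   - Locally generated packets never traverse PREROUTING; they are marked in
#     OUTPUT, where "-o" is valid but "-i" is not.

# FORWARD rule -> PREROUTING rule, with the outgoing-interface match removed.
to_prerouting() {
    printf '%s\n' "$1" | sed -e 's/ -A FORWARD / -A PREROUTING /' \
                             -e 's/ -o [^ ]*//'
}

# FORWARD rule -> OUTPUT rule for traffic the firewall itself originates,
# with the incoming-interface match removed instead.
to_output() {
    printf '%s\n' "$1" | sed -e 's/ -A FORWARD / -A OUTPUT /' \
                             -e 's/ -i [^ ]*//'
}

# Read rules on stdin (one per line, as "vuurmuur -b | grep -- --set-mark"
# would produce) and emit the PREROUTING and OUTPUT variant of every
# "--set-mark" rule. Non-mark rules are ignored. Nothing is executed here;
# review the output, then pipe it to "sh" or "xargs -L1" yourself.
rewrite_mark_rules() {
    while IFS= read -r rule; do
        case "$rule" in
            *--set-mark*) to_prerouting "$rule"; to_output "$rule" ;;
        esac
    done
}

# Constructed sample of what vuurmuur emits for one mark rule (interfaces and
# RFC 5737 addresses are placeholders, not values from the original post).
SAMPLE_RULES='/sbin/iptables -t mangle -A FORWARD -i eth0 -o eth1 -s 192.0.2.0/24 -d 198.51.100.0/24 -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 2
/sbin/iptables -t mangle -A FORWARD -i eth1 -o eth0 -s 198.51.100.0/24 -d 192.0.2.0/24 -m state --state RELATED,ESTABLISHED -j MARK --set-mark 2
/sbin/iptables -t mangle -A FORWARD -i eth0 -o eth1 -s 192.0.2.0/24 -d 198.51.100.0/24 -j ACCEPT'

# Dry run: prints four rewritten rules (two per MARK rule), ACCEPT is skipped.
printf '%s\n' "$SAMPLE_RULES" | rewrite_mark_rules
```

Because the OUTPUT rules keep `-o` and the PREROUTING rules keep `-i`, the reply direction (the `RELATED,ESTABLISHED` rule from the WAN side) still gets its mark in PREROUTING, which is what keeps return packets on the same routing table as the connection that created them.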
