
I use a set of iptables rules that makes use of the mangle table, which contains the rows below, on two different versions of iptables v1.3.8, and v1.4.7.

Iptables v1.3.8 runs on Fedora release 8, kernel 2.6.23.1-42.fc8.
Iptables v1.4.7 runs on Scientific Linux (a RHEL clone) 6.10, kernel 2.6.32-573.1.

Both PCs are configured in the same way, but with the older iptables v1.3.8 the configuration works, while with v1.4.7 it does not.

The rules are:

iptables -A PREROUTING -t mangle -s 10.200.0.0/16 ! -d 192.168.0.0/16 -j MARK --set-mark 0x1
iptables -A PREROUTING -t mangle -s 192.168.0.0/16 ! -d 192.168.0.0/16 -j MARK --set-mark 0x2
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j CONNMARK --save-mark
iptables -t mangle -I OUTPUT -m connmark ! --mark 0 -j CONNMARK --restore-mark
iptables -A OUTPUT -t mangle -s 172.16.62.100 -j MARK --set-mark 1
iptables -A OUTPUT -t mangle -s 172.16.61.2   -j MARK --set-mark 2
iptables -A OUTPUT -t mangle -s 172.16.61.3   -j MARK --set-mark 2
iptables -A OUTPUT -t mangle -s 172.16.61.4   -j MARK --set-mark 2
iptables -A OUTPUT -t mangle -s 172.16.61.5   -j MARK --set-mark 2
iptables -A OUTPUT -t mangle -s 172.16.61.6   -j MARK --set-mark 2
iptables -A OUTPUT -t mangle -s 172.16.61.7   -j MARK --set-mark 2

The /etc/sysconfig/iptables file present on the v1.3.8 system contains the following lines:

*mangle
-A PREROUTING -s 10.200.0.0/255.255.0.0 -d ! 192.168.0.0/255.255.0.0 -j MARK --set-mark 0x1 
-A PREROUTING -s 192.168.0.0/255.255.0.0 -d ! 192.168.0.0/255.255.0.0 -j MARK --set-mark 0x2 
-A PREROUTING -m mark ! --mark 0x0 -j CONNMARK --save-mark 
-A OUTPUT -m connmark ! --mark 0x0 -j CONNMARK --restore-mark 
-A OUTPUT -s 172.16.62.100 -j MARK --set-mark 0x1 
-A OUTPUT -s 172.16.61.2 -j MARK --set-mark 0x2 
-A OUTPUT -s 172.16.61.3 -j MARK --set-mark 0x2 
-A OUTPUT -s 172.16.61.4 -j MARK --set-mark 0x2 
-A OUTPUT -s 172.16.61.5 -j MARK --set-mark 0x2 
-A OUTPUT -s 172.16.61.6 -j MARK --set-mark 0x2 
-A OUTPUT -s 172.16.61.7 -j MARK --set-mark 0x2 
COMMIT

The /etc/sysconfig/iptables file present on the v1.4.7 system contains the following lines:

*mangle
-A PREROUTING -s 10.200.0.0/255.255.0.0 ! -d 192.168.0.0/255.255.0.0 -j MARK --set-xmark 0x1/0xffffffff 
-A PREROUTING -s 192.168.0.0/255.255.0.0 ! -d 192.168.0.0/255.255.0.0 -j MARK --set-xmark 0x2/0xffffffff 
-A PREROUTING -m mark ! --mark 0x0 -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff 
-A OUTPUT -m connmark ! --mark 0x0 -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff 
-A OUTPUT -s 172.16.62.100 -j MARK --set-xmark 0x1/0xffffffff 
-A OUTPUT -s 172.16.61.2 -j MARK --set-xmark 0x2/0xffffffff 
-A OUTPUT -s 172.16.61.3 -j MARK --set-xmark 0x2/0xffffffff 
-A OUTPUT -s 172.16.61.4 -j MARK --set-xmark 0x2/0xffffffff 
-A OUTPUT -s 172.16.61.5 -j MARK --set-xmark 0x2/0xffffffff 
-A OUTPUT -s 172.16.61.6 -j MARK --set-xmark 0x2/0xffffffff 
-A OUTPUT -s 172.16.61.7 -j MARK --set-xmark 0x2/0xffffffff 
COMMIT

In the new version the --set-mark options have become --set-xmark, and --nfmask and --ctmask are also present.

Why don't the same rules work in the new version?

Update:

The problem was not in iptables but in /etc/sysctl.conf:

I have set the following parameters and now it works:

net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.log_martians = 1

net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0

The main change between your two systems isn't iptables but the kernel. The older kernel is from 2007.

One notable change that affects routing (which isn't provided by OP in this question but is in OP's other question) when used with marks is src_valid_mark:

net: restore ip source validation

when using policy routing and the skb mark: there are cases where a back path validation requires us to use a different routing table for src ip validation than the one used for mapping ingress dst ip. One such a case is transparent proxying where we pretend to be the destination system and therefore the local table is used for incoming packets but possibly a main table would be used on outbound. Make the default behavior to allow the above and if users need to turn on the symmetry via sysctl src_valid_mark

Before this patch (Fedora 8), the behavior with Strict Reverse Path Forwarding (handled by rp_filter) assumed symmetric routing; after it (SL 6), it assumes asymmetric routing, for some very special setups where replies are sent one way or another through a different route.

This ~11-year-old patch was only documented with kernel 5.12, this year, in 2021:

src_valid_mark - BOOLEAN

  • 0 - The fwmark of the packet is not included in reverse path route lookup. This allows for asymmetric routing configurations utilizing the fwmark in only one direction, e.g., transparent proxying.

  • 1 - The fwmark of the packet is included in reverse path route lookup. This permits rp_filter to function when the fwmark is used for routing traffic in both directions.

This setting also affects the utilization of fwmark when performing source address selection for ICMP replies, or determining addresses stored for the IPOPT_TS_TSANDADDR and IPOPT_RR IP options.

The max value from conf/{all,interface}/src_valid_mark is used.

Default value is 0.

So what has to be done to have a symmetrical routing working with marks while keeping Strict Reverse Path Forwarding settings (rp_filter=1) is:

sysctl -w net.ipv4.conf.all.src_valid_mark=1

or add the equivalent in /etc/sysctl.conf:

net.ipv4.conf.all.src_valid_mark = 1

since the highest value among all and any interface value is taken.
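To make the interaction between fwmark policy routing, rp_filter and src_valid_mark concrete, here is a small Python model of the kernel's reverse-path check. It is an added example, not code from the question, the answer or the kernel: the routing tables (two LAN ranges behind eth0, two uplinks eth1/eth2 selected by marks 0x1/0x2) and the reply packet carrying mark 0x2 on arrival are constructed assumptions that only mirror the shape of the setup in the thread (the OP's rules restore the connmark in OUTPUT, so a PREROUTING restore is assumed here for the "marks in both directions" case the answer describes). It shows why a reply arriving on the secondary uplink is dropped under rp_filter=1 when the mark is ignored in the reverse lookup (SL 6 default), why rp_filter=0 (the OP's workaround) or src_valid_mark=1 (the answer's fix) both accept it, and that replies on the primary uplink never had the problem.

```python
"""Toy model of Linux reverse-path filtering (rp_filter) combined with
fwmark-based policy routing.  Added example for this thread; the tables,
interface names and addresses below are constructed, not the OP's config."""
import ipaddress

# Constructed "ip rule" equivalent: fwmark -> routing table.
# Unmarked traffic (mark 0) falls through to the main table.
RULES = {0x1: "t1", 0x2: "t2"}

# Constructed routing tables: list of (prefix, outgoing interface).
# eth0 = LAN side, eth1 = primary uplink, eth2 = secondary uplink.
TABLES = {
    "main": [("10.200.0.0/16", "eth0"), ("192.168.0.0/16", "eth0"), ("0.0.0.0/0", "eth1")],
    "t1":   [("10.200.0.0/16", "eth0"), ("192.168.0.0/16", "eth0"), ("0.0.0.0/0", "eth1")],
    "t2":   [("10.200.0.0/16", "eth0"), ("192.168.0.0/16", "eth0"), ("0.0.0.0/0", "eth2")],
}


def lookup(dst, mark):
    """Return the output interface for dst, choosing the table by fwmark
    (longest prefix match within the selected table)."""
    table = RULES.get(mark, "main")
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, ifname in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def reverse_path_ok(src, in_if, mark, rp_filter, src_valid_mark):
    """Emulate the reverse-path check for a packet with source src that
    arrived on in_if carrying fwmark mark.
    rp_filter: 0 = off, 1 = strict (must come back out the same interface),
               2 = loose (any route to src is enough).
    src_valid_mark: 1 = include the fwmark in the reverse lookup,
                    0 = ignore it (kernel default since the quoted patch)."""
    if rp_filter == 0:
        return True
    reverse_mark = mark if src_valid_mark else 0
    out_if = lookup(src, reverse_mark)
    if rp_filter == 2:
        return out_if is not None
    return out_if == in_if


def reply_outcomes(src, in_if, mark):
    """Evaluate one incoming reply under the sysctl combinations discussed
    in the thread.  Returns {label: accepted?}."""
    return {
        "rp_filter=1 src_valid_mark=0 (SL 6 default)": reverse_path_ok(src, in_if, mark, 1, 0),
        "rp_filter=1 src_valid_mark=1 (answer's fix)": reverse_path_ok(src, in_if, mark, 1, 1),
        "rp_filter=0 (OP's workaround)":               reverse_path_ok(src, in_if, mark, 0, 0),
        "rp_filter=2 (loose)":                         reverse_path_ok(src, in_if, mark, 2, 0),
    }


if __name__ == "__main__":
    # Constructed reply from an Internet host, arriving on the secondary
    # uplink for a connection that was routed out via table t2 (mark 0x2).
    for label, ok in reply_outcomes("198.51.100.7", "eth2", 0x2).items():
        print(f"{label:45s} -> {'accepted' if ok else 'DROPPED'}")
    # Same reply on the primary uplink: the main table already points at eth1.
    for label, ok in reply_outcomes("198.51.100.7", "eth1", 0x1).items():
        print(f"{label:45s} -> {'accepted' if ok else 'DROPPED'}")
```

The asymmetry the answer describes falls out of `reverse_path_ok`: with src_valid_mark=0 the reverse lookup always uses the main table, so strict rp_filter only passes replies on the interface the main table would have chosen, and any marked connection routed out a different uplink sees its replies dropped; setting src_valid_mark=1 makes the reverse lookup follow the same mark-selected table as the forward path, which is why the answer prefers it over turning rp_filter off.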
