2

Can I mark a packet on the client's OUTPUT chain and add an iproute policy on the router to route them via a specific gateway? This what I tried to do, but it isn't working.

My client's mangle table dump:

Chain OUTPUT (policy ACCEPT 13884 packets, 2327K bytes)
 pkts bytes target     prot opt in     out     source               destination         
13917 2330K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK set 0x2

Chain POSTROUTING (policy ACCEPT 13889 packets, 2328K bytes)
 pkts bytes target     prot opt in     out     source               destination         
13889 2328K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2 LOG flags 0 level 4

iptables mangle table's INPUT chain dump on the router:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2 LOG flags 0 level 4
 2074  196K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   88 14890 ACCEPT     all  --  ethint *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

After some moments and sending test packets (pings from a client connected to the router via wifi, sent to a host outside the intranet), the LOG counter on the router remains equal to zero.

Questions

  • What's happened to my packets?
  • Where my packets lose their marks?
Improve this question
7
  • Please post the rules again with iptables -nvL …, as some conditions are omitted without -v. Also tell us exactly how you're sending packets. Commented Sep 21, 2013 at 23:21
  • @Gilles, there are rules that already generated by `iptables -vnL', and just a simple ping from a client (which connected via a wireless-accesspoint to the router) to the outside of the intranet. Commented Sep 21, 2013 at 23:25
  • Sorry about -v, my bad, I misread. Hmmm, are those ping packets from the inside supposed to be caught by the mangle chain on the router? I need to look it up. Commented Sep 21, 2013 at 23:34
  • @Gilles, i think marks are deleted before packet leaving the box. because there was the same result, after replacing the wifi-router by a cross-cat5-cable. Commented Sep 21, 2013 at 23:35
  • Oh, I just figured out what you're doing. No, this can't possibly work: marks aren't stored inside the packets, they're part of kernel data structures. You can't set a mark on one machine and see it on another machine. What are you trying to do? Commented Sep 21, 2013 at 23:39

1 Answer 1

Reset to default
2

A mark on a packet is a value stored in a kernel data structure. It follows the packet while the kernel is processing it. It is not part of the packet itself. It is not sent over the network. You cannot set a mark on one host and read it on another host.

What to do instead depends on what you're trying to achieve. If you can, do the filtering and the mangling on the same host. If you have to do the mangling on the router, you may be able to arrange for the application to include something in the packet that you can filter on.

Sometimes you won't be able to escape doing the filtering on the client (e.g. if it depends on external factors such as the user who sent the packet) and the mangling on the router (e.g. if you need to re-route packets to an address that the router doesn't route). In that case, there's a generic way to “mark” an IP packet: assign your client several IP addresses, mangle the packets on the client to use different outgoing IP addresses based on the conditions you're using for marking, and perform the additional mangling on the router based on the client's IP address.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.