Re: MARKing question

[Jason Opperisano <opie@817west.com>]

On Mon, Jan 31, 2005 at 03:29:32PM +0500, Askar wrote:
> hi list, 
> 
> I'm MARKing packets in PREROUTING of mangle with the below rule to
> route them from other route then the default route .(iproute2 +
> iptables)
> 
> $iptables -A PREROUTING -i eth0 -t mangle -s 202.xxx.xxx.0/24 -d 0/0
> -p tcp --dport 80 -j MARK --set-mark 4
> 
> What I want is to exclude a single IP from the above to be MARKed, i-e
> the particular IP packets goes through default route of the firewall
> machine not through iproute2 route.
> 
> Is this possible with iptables or I have to apply pom (extentions) to
> accomplished this?

two thoughts:  1) ACCEPT the packet from the "excluded IP" prior to the
mark rule or 2) reset the MARK on packets from the "excluded IP" after
the mark rule.

version 1:

  iptables -t mangle -A PREROUTING -i eth0 -p tcp -s $EXCLUDED_IP \
    --dport 80 -j ACCEPT

  iptables -t mangle -A PREROUTING -i eth0 -p tcp -s 202.xxx.xxx.0/24 \
    --dport 80 -j MARK --set-mark 4

version 2:

  iptables -t mangle -A PREROUTING -i eth0 -p tcp -s 202.xxx.xxx.0/24 \
    --dport 80 -j MARK --set-mark 4

  iptables -t mangle -A PREROUTING -i eth0 -p tcp -s $EXCLUDED_IP \
    --dport 80 -j MARK --set-mark 0

version 1 gets packets from $EXCLUDED_IP out of the mangle PREROUTING
chain as quickly as possible.

version 2 allows packets from $EXCLUDED_IP to continue to traverse
mangle PREROUTING in case you want to do other stuff to it.

which one is "better" would depend on your specific situation.

-j

--
"I saw this in a movie about a bus that had to SPEED around a city,
 keeping its SPEED over fifty, and if its SPEED dropped, it would
 explode. I think it was called, 'The Bus That Couldn't Slow Down.'"
        --The Simpsons