mark feature not working as expected

mark feature not working as expected

[Sudheer Divakaran]

Hi,
    I'm facing a problem with MARK target. 

My Linux box has 3 network cards

    eth0 - LAN1
    eth2 - LAN2
    eth3 - ISP

My problem is that my Lan machines are not able to communicate with each 
other  (i.e. LAN1 <-> LAN2).  Firewall blocks them.  But my lan clients 
have no problem in accessing internet!!.

Here is my configuration.


# eth0 - LAN1
# eth2 - LAN2
# eth3 - ISP
 
iptables -F
iptables -X
iptables -P INPUT   DROP
iptables -P OUTPUT  DROP
iptables -P FORWARD DROP

iptables -t nat -A PREROUTING -i eth0 -o eth2 -j MARK --set-mark 1  
#THIS IS NOT WORKING
iptables -t nat -A PREROUTING -i eth1 -o eth0 -j MARK --set-mark 1  
#THIS IS NOT WORKING

#Other rules follows... Not listed here
 
iptables -A FORWARD -m mark --mark 1 -j ACCEPT   #THIS IS NOT WORKING

#Other rules follows... Not listed here


I know that I can do it directly from the FORWARD chain of filter table, 
but I'm using SQUID for transparent proxying for some machines (Those 
rules are not listed here), so I want to mark some packets. Could 
someone please help me on this?


Thanks
Sudheer
   

Re: mark feature not working as expected

[Victor Julien]

Hi Sudheer,

As far as i know you can only use --set-mark in the mangle table. You are 
trying to use it in the nat table.

Try:
iptables -t mangle -A PREROUTING -i eth0 -o eth2 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i eth1 -o eth0 -j MARK --set-mark 1

Regards,
Victor

On Thursday 28 October 2004 13:07, Sudheer Divakaran wrote:
> Hi,
>     I'm facing a problem with MARK target.
>
> My Linux box has 3 network cards
>
>     eth0 - LAN1
>     eth2 - LAN2
>     eth3 - ISP
>
> My problem is that my Lan machines are not able to communicate with each
> other  (i.e. LAN1 <-> LAN2).  Firewall blocks them.  But my lan clients
> have no problem in accessing internet!!.
>
> Here is my configuration.
>
>
> # eth0 - LAN1
> # eth2 - LAN2
> # eth3 - ISP
>
> iptables -F
> iptables -X
> iptables -P INPUT   DROP
> iptables -P OUTPUT  DROP
> iptables -P FORWARD DROP
>
> iptables -t nat -A PREROUTING -i eth0 -o eth2 -j MARK --set-mark 1
> #THIS IS NOT WORKING
> iptables -t nat -A PREROUTING -i eth1 -o eth0 -j MARK --set-mark 1
> #THIS IS NOT WORKING
>
> #Other rules follows... Not listed here
>
> iptables -A FORWARD -m mark --mark 1 -j ACCEPT   #THIS IS NOT WORKING
>
> #Other rules follows... Not listed here
>
>
> I know that I can do it directly from the FORWARD chain of filter table,
> but I'm using SQUID for transparent proxying for some machines (Those
> rules are not listed here), so I want to mark some packets. Could
> someone please help me on this?
>
>
> Thanks
> Sudheer

Re: mark feature not working as expected

[Sudheer Divakaran]

Hi Victor,
    I'm really sorry.  Yes. I was using 'mangle' table.  Sorry for the 
inconvenience.

Thanks
Sudheer



Victor Julien wrote:

> Hi Sudheer,
>
> As far as i know you can only use --set-mark in the mangle table. You are
> trying to use it in the nat table.
>
> Try:
> iptables -t mangle -A PREROUTING -i eth0 -o eth2 -j MARK --set-mark 1
> iptables -t mangle -A PREROUTING -i eth1 -o eth0 -j MARK --set-mark 1
>
> Regards,
> Victor
>
> On Thursday 28 October 2004 13:07, Sudheer Divakaran wrote:
>
>> Hi,
>> I'm facing a problem with MARK target.
>>
>> My Linux box has 3 network cards
>>
>> eth0 - LAN1
>> eth2 - LAN2
>> eth3 - ISP
>>
>> My problem is that my Lan machines are not able to communicate with each
>> other (i.e. LAN1 <-> LAN2). Firewall blocks them. But my lan clients
>> have no problem in accessing internet!!.
>>
>> Here is my configuration.
>>
>>
>> # eth0 - LAN1
>> # eth2 - LAN2
>> # eth3 - ISP
>>
>> iptables -F
>> iptables -X
>> iptables -P INPUT DROP
>> iptables -P OUTPUT DROP
>> iptables -P FORWARD DROP
>>
>> iptables -t mangle -A PREROUTING -i eth0 -o eth2 -j MARK --set-mark 1
>> #THIS IS NOT WORKING
>> iptables -t mangle -A PREROUTING -i eth1 -o eth0 -j MARK --set-mark 1
>> #THIS IS NOT WORKING
>>
>> #Other rules follows... Not listed here
>>
>> iptables -A FORWARD -m mark --mark 1 -j ACCEPT #THIS IS NOT WORKING
>>
>> #Other rules follows... Not listed here
>>
>>
>> I know that I can do it directly from the FORWARD chain of filter table,
>> but I'm using SQUID for transparent proxying for some machines (Those
>> rules are not listed here), so I want to mark some packets. Could
>> someone please help me on this?
>>
>>
>> Thanks
>> Sudheer
>
>

Re: mark feature not working as expected

[Sudheer Divakaran]

Hi Victor,  Everybody,

After committing too many errors while composing messages, I ran the 
rules from the command line and the problem fixed.  The problem was that 
I shouldn't have used the output interface name in mangle's PREROUTING 
chain.  i.e., I should have used


iptables -t mangle -A PREROUTING -i eth0 -d 192.168.1.0/24 -j MARK 
--set-mark 1
iptables -t mangle -A PREROUTING -i eth1 -d 192.168.0.0/24 -j MARK 
--set-mark 1


I have been running these commands from a script and it didn't show the 
error messages.  That's why I have disturbed all of you.

Thanks & Regards
Sudheer










Victor Julien wrote:

> Hi Sudheer,
>
> As far as i know you can only use --set-mark in the mangle table. You are
> trying to use it in the nat table.
>
> Try:
> iptables -t mangle -A PREROUTING -i eth0 -o eth2 -j MARK --set-mark 1
> iptables -t mangle -A PREROUTING -i eth1 -o eth0 -j MARK --set-mark 1
>
> Regards,
> Victor
>
> On Thursday 28 October 2004 13:07, Sudheer Divakaran wrote:
>
>> Hi,
>> I'm facing a problem with MARK target.
>>
>> My Linux box has 3 network cards
>>
>> eth0 - LAN1
>> eth2 - LAN2
>> eth3 - ISP
>>
>> My problem is that my Lan machines are not able to communicate with each
>> other (i.e. LAN1 <-> LAN2). Firewall blocks them. But my lan clients
>> have no problem in accessing internet!!.
>>
>> Here is my configuration.
>>
>>
>> # eth0 - LAN1
>> # eth2 - LAN2
>> # eth3 - ISP
>>
>> iptables -F
>> iptables -X
>> iptables -P INPUT DROP
>> iptables -P OUTPUT DROP
>> iptables -P FORWARD DROP
>>
>> iptables -t nat -A PREROUTING -i eth0 -o eth2 -j MARK --set-mark 1
>> #THIS IS NOT WORKING
>> iptables -t nat -A PREROUTING -i eth1 -o eth0 -j MARK --set-mark 1
>> #THIS IS NOT WORKING
>>
>> #Other rules follows... Not listed here
>>
>> iptables -A FORWARD -m mark --mark 1 -j ACCEPT #THIS IS NOT WORKING
>>
>> #Other rules follows... Not listed here
>>
>>
>> I know that I can do it directly from the FORWARD chain of filter table,
>> but I'm using SQUID for transparent proxying for some machines (Those
>> rules are not listed here), so I want to mark some packets. Could
>> someone please help me on this?
>>
>>
>> Thanks
>> Sudheer
>
>

Re: mark feature not working as expected

[Sudheer Divakaran]

Hi Everybody,
    Sorry, When I composed the mail, I gave wrong network card info. 
Actually the cards are eth0, eth1, eth2 respectively. Here is the 
corrected email.

Thanks,
Sudheer

   



Sudheer Divakaran wrote:

> Hi,
>    I'm facing a problem with MARK target.
> My Linux box has 3 network cards
>
>    eth0 - LAN1
>    eth1 - LAN2
>    eth2 - ISP
>
> My problem is that my Lan machines are not able to communicate with 
> each other  (i.e. LAN1 <-> LAN2).  Firewall blocks them.  But my lan 
> clients have no problem in accessing internet!!.
>
> Here is my configuration.
>
>
> # eth0 - LAN1
> # eth1 - LAN2
> # eth2 - ISP
>
> iptables -F
> iptables -X
> iptables -P INPUT   DROP
> iptables -P OUTPUT  DROP
> iptables -P FORWARD DROP
>
> iptables -t nat -A PREROUTING -i eth0 -o eth1 -j MARK --set-mark 1  
> #THIS IS NOT WORKING
> iptables -t nat -A PREROUTING -i eth1 -o eth0 -j MARK --set-mark 1  
> #THIS IS NOT WORKING
>
> #Other rules follows... Not listed here
>
> iptables -A FORWARD -m mark --mark 1 -j ACCEPT   #THIS IS NOT WORKING
>
> #Other rules follows... Not listed here
>
>
> I know that I can do it directly from the FORWARD chain of filter 
> table, but I'm using SQUID for transparent proxying for some machines 
> (Those rules are not listed here), so I want to mark some packets. 
> Could someone please help me on this?
>
>
> Thanks
> Sudheer
>  
>