* Re: mark feature not working as expected
From: Victor Julien @ 2004-10-28 11:05 UTC
To: netfilter
Hi Sudheer,
As far as I know you can only use --set-mark in the mangle table. You are
trying to use it in the nat table.
Try:
iptables -t mangle -A PREROUTING -i eth0 -o eth2 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i eth1 -o eth0 -j MARK --set-mark 1
Regards,
Victor
On Thursday 28 October 2004 13:07, Sudheer Divakaran wrote:
> Hi,
> I'm facing a problem with MARK target.
>
> My Linux box has 3 network cards
>
> eth0 - LAN1
> eth2 - LAN2
> eth3 - ISP
>
> My problem is that my LAN machines are not able to communicate with each
> other (i.e. LAN1 <-> LAN2). The firewall blocks them. But my LAN clients
> have no problem accessing the internet!
>
> Here is my configuration.
>
>
> # eth0 - LAN1
> # eth2 - LAN2
> # eth3 - ISP
>
> iptables -F
> iptables -X
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> iptables -t nat -A PREROUTING -i eth0 -o eth2 -j MARK --set-mark 1
> #THIS IS NOT WORKING
> iptables -t nat -A PREROUTING -i eth1 -o eth0 -j MARK --set-mark 1
> #THIS IS NOT WORKING
>
> #Other rules follow... Not listed here
>
> iptables -A FORWARD -m mark --mark 1 -j ACCEPT #THIS IS NOT WORKING
>
> #Other rules follow... Not listed here
>
>
> I know that I can do it directly from the FORWARD chain of the filter table,
> but I'm using SQUID for transparent proxying for some machines (those
> rules are not listed here), so I want to mark some packets. Could
> someone please help me on this?
>
>
> Thanks
> Sudheer
* mark feature not working as expected
From: Sudheer Divakaran @ 2004-10-28 11:07 UTC
To: netfilter
Hi,
I'm facing a problem with MARK target.
My Linux box has 3 network cards
eth0 - LAN1
eth2 - LAN2
eth3 - ISP
My problem is that my LAN machines are not able to communicate with each
other (i.e. LAN1 <-> LAN2). The firewall blocks them. But my LAN clients
have no problem accessing the internet!
Here is my configuration.
# eth0 - LAN1
# eth2 - LAN2
# eth3 - ISP
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t nat -A PREROUTING -i eth0 -o eth2 -j MARK --set-mark 1
#THIS IS NOT WORKING
iptables -t nat -A PREROUTING -i eth1 -o eth0 -j MARK --set-mark 1
#THIS IS NOT WORKING
#Other rules follow... Not listed here
iptables -A FORWARD -m mark --mark 1 -j ACCEPT #THIS IS NOT WORKING
#Other rules follow... Not listed here
I know that I can do it directly from the FORWARD chain of the filter table,
but I'm using SQUID for transparent proxying for some machines (those
rules are not listed here), so I want to mark some packets. Could
someone please help me on this?
Thanks
Sudheer
* Re: mark feature not working as expected
From: Sudheer Divakaran @ 2004-10-28 11:13 UTC
To: netfilter
Hi Everybody,
Sorry, when I composed the mail I gave the wrong network card info.
Actually the cards are eth0, eth1 and eth2 respectively. Here is the
corrected email.
Thanks,
Sudheer
Sudheer Divakaran wrote:
> Hi,
> I'm facing a problem with MARK target.
> My Linux box has 3 network cards
>
> eth0 - LAN1
> eth1 - LAN2
> eth2 - ISP
>
> My problem is that my LAN machines are not able to communicate with
> each other (i.e. LAN1 <-> LAN2). The firewall blocks them. But my LAN
> clients have no problem accessing the internet!
>
> Here is my configuration.
>
>
> # eth0 - LAN1
> # eth1 - LAN2
> # eth2 - ISP
>
> iptables -F
> iptables -X
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> iptables -t nat -A PREROUTING -i eth0 -o eth1 -j MARK --set-mark 1
> #THIS IS NOT WORKING
> iptables -t nat -A PREROUTING -i eth1 -o eth0 -j MARK --set-mark 1
> #THIS IS NOT WORKING
>
> #Other rules follow... Not listed here
>
> iptables -A FORWARD -m mark --mark 1 -j ACCEPT #THIS IS NOT WORKING
>
> #Other rules follow... Not listed here
>
>
> I know that I can do it directly from the FORWARD chain of the filter
> table, but I'm using SQUID for transparent proxying for some machines
> (those rules are not listed here), so I want to mark some packets.
> Could someone please help me on this?
>
>
> Thanks
> Sudheer
>
>
* Re: mark feature not working as expected
From: Sudheer Divakaran @ 2004-10-28 11:16 UTC
To: Victor Julien; +Cc: netfilter
Hi Victor,
I'm really sorry. Yes, I was using the 'mangle' table. Sorry for the
inconvenience.
Thanks
Sudheer
Victor Julien wrote:
> Hi Sudheer,
>
> As far as I know you can only use --set-mark in the mangle table. You are
> trying to use it in the nat table.
>
> Try:
> iptables -t mangle -A PREROUTING -i eth0 -o eth2 -j MARK --set-mark 1
> iptables -t mangle -A PREROUTING -i eth1 -o eth0 -j MARK --set-mark 1
>
> Regards,
> Victor
>
> On Thursday 28 October 2004 13:07, Sudheer Divakaran wrote:
>
>> Hi,
>> I'm facing a problem with MARK target.
>>
>> My Linux box has 3 network cards
>>
>> eth0 - LAN1
>> eth2 - LAN2
>> eth3 - ISP
>>
>> My problem is that my LAN machines are not able to communicate with each
>> other (i.e. LAN1 <-> LAN2). The firewall blocks them. But my LAN clients
>> have no problem accessing the internet!
>>
>> Here is my configuration.
>>
>>
>> # eth0 - LAN1
>> # eth2 - LAN2
>> # eth3 - ISP
>>
>> iptables -F
>> iptables -X
>> iptables -P INPUT DROP
>> iptables -P OUTPUT DROP
>> iptables -P FORWARD DROP
>>
>> iptables -t mangle -A PREROUTING -i eth0 -o eth2 -j MARK --set-mark 1
>> #THIS IS NOT WORKING
>> iptables -t mangle -A PREROUTING -i eth1 -o eth0 -j MARK --set-mark 1
>> #THIS IS NOT WORKING
>>
>> #Other rules follow... Not listed here
>>
>> iptables -A FORWARD -m mark --mark 1 -j ACCEPT #THIS IS NOT WORKING
>>
>> #Other rules follow... Not listed here
>>
>>
>> I know that I can do it directly from the FORWARD chain of the filter table,
>> but I'm using SQUID for transparent proxying for some machines (those
>> rules are not listed here), so I want to mark some packets. Could
>> someone please help me on this?
>>
>>
>> Thanks
>> Sudheer
>
>
* Re: mark feature not working as expected
From: Sudheer Divakaran @ 2004-10-28 11:40 UTC
To: Victor Julien; +Cc: netfilter
Hi Victor, Everybody,
After committing too many errors while composing messages, I ran the
rules from the command line and the problem was fixed. The problem was that
I shouldn't have used the output interface name in mangle's PREROUTING
chain, i.e., I should have used
iptables -t mangle -A PREROUTING -i eth0 -d 192.168.1.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i eth1 -d 192.168.0.0/24 -j MARK --set-mark 1
I had been running these commands from a script and it didn't show the
error messages. That's why I disturbed all of you.
Thanks & Regards
Sudheer
Victor Julien wrote:
> Hi Sudheer,
>
> As far as I know you can only use --set-mark in the mangle table. You are
> trying to use it in the nat table.
>
> Try:
> iptables -t mangle -A PREROUTING -i eth0 -o eth2 -j MARK --set-mark 1
> iptables -t mangle -A PREROUTING -i eth1 -o eth0 -j MARK --set-mark 1
>
> Regards,
> Victor
>
> On Thursday 28 October 2004 13:07, Sudheer Divakaran wrote:
>
>> Hi,
>> I'm facing a problem with MARK target.
>>
>> My Linux box has 3 network cards
>>
>> eth0 - LAN1
>> eth2 - LAN2
>> eth3 - ISP
>>
>> My problem is that my LAN machines are not able to communicate with each
>> other (i.e. LAN1 <-> LAN2). The firewall blocks them. But my LAN clients
>> have no problem accessing the internet!
>>
>> Here is my configuration.
>>
>>
>> # eth0 - LAN1
>> # eth2 - LAN2
>> # eth3 - ISP
>>
>> iptables -F
>> iptables -X
>> iptables -P INPUT DROP
>> iptables -P OUTPUT DROP
>> iptables -P FORWARD DROP
>>
>> iptables -t nat -A PREROUTING -i eth0 -o eth2 -j MARK --set-mark 1
>> #THIS IS NOT WORKING
>> iptables -t nat -A PREROUTING -i eth1 -o eth0 -j MARK --set-mark 1
>> #THIS IS NOT WORKING
>>
>> #Other rules follow... Not listed here
>>
>> iptables -A FORWARD -m mark --mark 1 -j ACCEPT #THIS IS NOT WORKING
>>
>> #Other rules follow... Not listed here
>>
>>
>> I know that I can do it directly from the FORWARD chain of the filter table,
>> but I'm using SQUID for transparent proxying for some machines (those
>> rules are not listed here), so I want to mark some packets. Could
>> someone please help me on this?
>>
>>
>> Thanks
>> Sudheer
>
>
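Two things went wrong in this thread, and a script that ignores exit codes hides both. First, -o is not valid in PREROUTING (or INPUT): before the routing decision the kernel does not yet know which interface a packet will leave by, just as -i is meaningless in POSTROUTING and OUTPUT. iptables refuses such a rule with an error and a non-zero exit status, which is exactly what Sudheer's script swallowed. Second, on the 2.4 kernels of 2004 the MARK target was only accepted in the mangle table; that restriction has since been relaxed in newer kernels, but mangle PREROUTING is still where a mark has to be set if FORWARD is to see it. The script below is an added example and not code from any message in the thread: a POSIX shell wrapper that applies the working rules from Sudheer's last message (mark LAN1<->LAN2 traffic by destination network, accept marked packets in FORWARD) and stops at the first rule iptables rejects. The interface names and the 192.168.0.0/24 and 192.168.1.0/24 networks are taken from his final rules; the lint_rule, ipt, apply_rules and show_marks functions and the IPTABLES=echo dry-run switch are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: apply the working rules from Sudheer's
# last message through a wrapper that refuses to continue when iptables
# rejects a rule, instead of running on blindly as his script did.
set -eu

LAN1_IF=eth0; LAN1_NET=192.168.0.0/24    # from the thread (eth0 = LAN1)
LAN2_IF=eth1; LAN2_NET=192.168.1.0/24    # from the thread (eth1 = LAN2)
IPTABLES="${IPTABLES:-iptables}"         # assumed switch: IPTABLES=echo for a dry run

# lint_rule CHAIN RULE...: catch the mistake from the thread before iptables
# sees it. Before routing (PREROUTING, INPUT) the output interface is not yet
# known, so -o is invalid there; after routing (POSTROUTING, OUTPUT) -i is.
# Returns 0 when the rule passes, 1 with a message on stderr otherwise.
lint_rule() {
    chain=$1; shift
    spec=" $* "
    case "$chain" in
        PREROUTING|INPUT)
            case "$spec" in
                *" -o "*|*" --out-interface "*)
                    echo "lint: -o/--out-interface is not valid in $chain" >&2
                    return 1 ;;
            esac ;;
        POSTROUTING|OUTPUT)
            case "$spec" in
                *" -i "*|*" --in-interface "*)
                    echo "lint: -i/--in-interface is not valid in $chain" >&2
                    return 1 ;;
            esac ;;
    esac
    return 0
}

# ipt TABLE CHAIN RULE...: lint, then append the rule. Because of set -e the
# script aborts on the first rule iptables refuses, and the error stays visible.
ipt() {
    table=$1; chain=$2; shift 2
    lint_rule "$chain" "$@"
    "$IPTABLES" -t "$table" -A "$chain" "$@"
}

apply_rules() {
    # Mark LAN1<->LAN2 packets by destination network in mangle PREROUTING
    # (no -o here), then let FORWARD accept anything carrying mark 1.
    ipt mangle PREROUTING -i "$LAN1_IF" -d "$LAN2_NET" -j MARK --set-mark 1
    ipt mangle PREROUTING -i "$LAN2_IF" -d "$LAN1_NET" -j MARK --set-mark 1
    ipt filter FORWARD -m mark --mark 1 -j ACCEPT
}

# Per-rule packet/byte counters: the quickest way to confirm the marks are
# actually being hit by LAN1<->LAN2 traffic.
show_marks() {
    "$IPTABLES" -t mangle -L PREROUTING -n -v
    "$IPTABLES" -L FORWARD -n -v
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  show_marks ;;
esac
```

Run it as root with `apply`, then `show` and generate some LAN1 to LAN2 traffic; the pkts column of the MARK rules should move, and so should the FORWARD counter. With IPTABLES=echo it prints the rules instead of installing them. Note that marking on destination network alone accepts every protocol and port between the two LANs in FORWARD, which is what was asked for here but is broader than a per-service rule.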