Re: Help with packet marking

[John Lister <john.lister@kickstone.co.uk>]

On 29/03/2012 15:55, Humberto Jucá wrote:
> 2012/3/29 John Lister<john.lister@kickstone.co.uk>:
>> It seems to be selecting the correct route using the marks as iptables
>> reports the correct interface in the log files.
>> However the packet then goes out of a different interface.
> Show us all firewall and routing rules (at least the main)...
>     iptables -t mangle -nL -v
>     ip rule ls
I'm out of the office at the minute but will extract them later today.
>> This has always worked before, the default route is in the main table (maybe
>> not clear before) and is used so that
>> the box can route local packets out. Your example (below) would do the same
>> except skip the fwmark rules
> Not exactly. In my example, to skip the fwmark process the destination
> address must be known by the main table. And you dont need to treat
> your essential routes in alternative tables (only default gw). For
> this reason,  you couldnt use a default gw in main table (*my
> example*).
Ok, misread that and still had a default in main in my head. Makes sense now
> But, i still not sure why your setup has stopped working.
Neither do I? The only thing I can think of is a new kernel 
inadvertently installed by a colleague but without doing a reboot. As it 
all worked fine until it was rebooted (to physically move it). Also, 
oddly before I left last night, it was occasionally connecting  when 
doing some tests
>
>> Yes, sorry when doing the example missed off the -m state --state NEW bit...
>> I still find it strange that recently packets I'd expect to be in the NEW
>> state are ESTABLISHED. eg doing
>> ping blah
>> ping blah
>> results in the first outgoing packet being NEW, but the second ping is
>> ESTABLISHED, surely this is a bug?
> Why you need to work with connection STATEs in firewall MARKs?
I guess I don't need to, I wanted to only mark new connections and the 
use save-mark and restore-mark to mark further packets. The plan is that 
each new connection is marked using the statisic module and routed based 
on the mark.

It still seems like a bug that subsequent independent connections are 
labelled as ESTABLISHED?
> Tell me more about your configuration.
> I can check your firewall confs if you open your ssh access for me
> (send me account in pvt - if you like).
I may well do if I can't sort it quickly

-- 
www.pricegoblin.co.uk