Linux Netfilter discussions
From: Thomas Jacob <jacob@internet24.de>
To: "Javier Gálvez Guerrero" <javier.galvez.guerrero@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: still can't route using fwmark
Date: Mon, 20 Apr 2009 20:59:19 +0200
Message-ID: <20090420185918.GA1158@internet24.de>
In-Reply-To: <145d4e1a0904200815q3176c9e2m2dfef314b205f348@mail.gmail.com>

On Mon, Apr 20, 2009 at 05:15:21PM +0200, Javier Gálvez Guerrero wrote:
> $ sudo iptables -L -t mangle
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> CONNMARK   tcp  --  anywhere             anywhere            state NEW
> tcp spt:rtsp CONNMARK set 0x1

If you are forwarding packets via this host you need the CONNMARK restore
here as well; then you can also drop the CONNMARK restore from the INPUT chain,
as PREROUTING is also traversed for packets destined for the local host.

> With this environment I get the same results. I send the first TCP
> packet (SYN, dport 8554) through the interface ra1 (OK) with the IP
> bound to this interface (SNAT OK) and I get the (SYN,ACK) to the same
> IP and through the same interface (OK!), but my application does not
> send the final acknowledgement to the TCP connection establishment
> (ACK), so the RTSP messages are not sent and the client retries over
> and over again the TCP session establishment. 

Your application does not send the ACK in the 3-way handshake, the
client kernel does. Somehow it doesn't receive the SYN,ACK or
the ACK does not reach the point where you're tcpdumping packets.
Try to sniff as close to your client app as possible. Could be
a NAT issue. Or maybe rp_filter or something else is breaking
it for you; you could try to enable /proc/sys/net/ipv4/conf/*/log_martians
to see any issues.

> messing up old connections with other videos. I can't understand how
> this can be so difficult to configure. I must be missing something in
> my rules...

Find another general purpose OS where you can do this AT ALL without additional
products. Then we'll talk about what is difficult or not ;=)
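The mark/restore layout the reply asks for, written out as an added example (not a script from this thread or from either poster): restore the connection mark before anything else in PREROUTING and OUTPUT, mark only NEW RTSP connections, save the mark, and route on it. Mark value 1, table 100, interface ra1 and destination port 8554 are assumptions taken from the quoted scenario; the DRY_RUN wrapper is mine so the ruleset can be reviewed without root.

```shell
#!/bin/sh
# Assumed parameters (from the quoted scenario, not from any real deployment).
MARK=1
TABLE=100
IFACE=ra1
RTSP_PORT=8554

# DRY_RUN=1 (default) prints each command instead of running it; DRY_RUN=0 applies them as root.
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Marking for one mangle chain. Order matters: restore first, so every later
# packet of an already-marked connection carries the mark into the routing
# decision; then mark only the first packet of a NEW RTSP connection; then
# copy the packet mark back to the conntrack entry.
mark_rules() {
    chain=$1
    run iptables -t mangle -A "$chain" -j CONNMARK --restore-mark
    run iptables -t mangle -A "$chain" -m state --state NEW -p tcp \
        --dport "$RTSP_PORT" -j MARK --set-mark "$MARK"
    run iptables -t mangle -A "$chain" -j CONNMARK --save-mark
}

# PREROUTING sees forwarded and locally delivered packets; OUTPUT sees packets
# generated by this host (a local client), which never traverse PREROUTING.
install_marking() {
    mark_rules PREROUTING
    mark_rules OUTPUT
}

# Policy routing: marked packets use a table whose default route leaves via IFACE.
install_routing() {
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default dev "$IFACE" table "$TABLE"
}

# Diagnostics named in the reply: log martians so reverse-path drops appear in
# the kernel log, and show the current rp_filter setting.
enable_martian_logging() {
    run sysctl -w net.ipv4.conf.all.log_martians=1
    run sysctl net.ipv4.conf.all.rp_filter
}

install_marking
install_routing
enable_martian_logging
```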

