From: Dennison Williams <dennison.williams@gmail.com>
To: netfilter@vger.kernel.org
Subject: MARK not working
Date: Thu, 01 Apr 2010 17:35:56 -0700
Message-ID: <4BB53BEC.9010709@gmail.com>
Hello,
I am having a problem receiving marked packets from the mangle table in
my filter table. I have:
iptables -t mangle -A PREROUTING -i eth1 -p udp --dport 4500 -j MARK \
    --set-mark 1
iptables -t filter -A INPUT -m mark --mark 1 -j LOG --log-prefix ipsec_nat_t
iptables -t filter -A INPUT -m mark --mark 1 -j ACCEPT
iptables -t filter -A INPUT -j LOG
iptables -t filter -A INPUT -j REJECT
I see that the packets are correctly getting marked in the mangle table,
but then they bypass the log and accept rules, eventually getting logged
and rejected. I have trimmed the ruleset down a fair amount to try and
find the problem but I can't seem to get to the cause. While I have
seen a fair amount of this subject on the mailing list I have not found
anything that seems relevant to this issue.
All feedback is appreciated. More details below.
Sincerely,
Dennison Williams
Kernel: 2.6.26-2-486
Distro: Debian 5.0.4
Iptables version: v1.4.2
iptables-save output:
# Generated by iptables-save v1.4.2 on Thu Apr 1 17:27:16 2010
*nat
:PREROUTING ACCEPT [67:12256]
:POSTROUTING ACCEPT [106:6673]
:OUTPUT ACCEPT [106:6673]
-A POSTROUTING -s 10.66.6.0/24 -d ! 10.66.7.0/24 -o eth1 -j MASQUERADE
COMMIT
# Completed on Thu Apr 1 17:27:16 2010
# Generated by iptables-save v1.4.2 on Thu Apr 1 17:27:16 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [617:152871]
:OUTPUT ACCEPT [1282:293981]
:Accounting - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p esp -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -m mark --mark 0x1 -j LOG --log-prefix "ipsec_nat_t"
-A INPUT -m mark --mark 0x1 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Apr 1 17:27:16 2010
# Generated by iptables-save v1.4.2 on Thu Apr 1 17:27:16 2010
*mangle
:PREROUTING ACCEPT [2504:776880]
:INPUT ACCEPT [1548:605475]
:FORWARD ACCEPT [956:171405]
:OUTPUT ACCEPT [1285:295001]
:POSTROUTING ACCEPT [2241:466406]
-A PREROUTING -i eth1 -p udp -m udp --dport 4500 -j MARK --set-xmark 0x1/0xffffffff
COMMIT
# Completed on Thu Apr 1 17:27:16 2010
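The ruleset above can be traced mechanically. What follows is an added example, not part of this message and not iptables' own code: a small first-match walker over iptables-save text that runs a constructed packet through the mangle PREROUTING chain (applying MARK) and then the filter INPUT chain, and reports which rule terminates it and which LOG rules it passed. The packet dictionaries are constructed, the RULESET string is a copy of the mangle and filter chains from the post with the counters and FORWARD rules dropped, and only the matches that ruleset uses are modelled (-i, -p, --dport, -m state, -m mark). The mark semantics follow xt_mark and xt_MARK: `-m mark --mark value[/mask]` matches when (mark & mask) == value, and `MARK --set-xmark value/mask` sets mark = (mark & ~mask) ^ value, which is why `--set-mark 1` is saved as `--set-xmark 0x1/0xffffffff`.

```python
# Added example: toy first-match walker over iptables-save text (not iptables code).
import shlex

# Constructed copy of the post's mangle and filter chains (counters, FORWARD omitted).
RULESET = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p esp -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -m mark --mark 0x1 -j LOG --log-prefix "ipsec_nat_t"
-A INPUT -m mark --mark 0x1 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p udp -m udp --dport 4500 -j MARK --set-xmark 0x1/0xffffffff
COMMIT
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def parse_mark(spec):
    """'0x1' or '0x1/0xffffffff' -> (value, mask); a bare value implies a full mask."""
    value, _, mask = spec.partition("/")
    return int(value, 0), (int(mask, 0) if mask else 0xFFFFFFFF)


# Options modelled here; everything else (-m <ext>, --reject-with) is ignored.
OPTIONS = {"-i": ("iface", str), "-p": ("proto", str), "--dport": ("dport", int),
           "--state": ("state", lambda a: set(a.split(","))),
           "--mark": ("mark", parse_mark), "--set-xmark": ("xmark", parse_mark),
           "-j": ("target", str), "--log-prefix": ("prefix", str)}


def parse_rule(line):
    tokens = shlex.split(line)                  # keeps the quoted --log-prefix intact
    rule = {"text": line, "chain": tokens[1]}
    for opt, arg in zip(tokens[2::2], tokens[3::2]):   # every option here takes one argument
        if opt in OPTIONS:
            key, conv = OPTIONS[opt]
            rule[key] = conv(arg)
    return rule


def parse_ruleset(text):
    """Return {table: {"policy": {chain: verdict}, "chains": {chain: [rule, ...]}}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "chains": {}})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
        elif line.startswith("-A "):
            rule = parse_rule(line)
            table["chains"].setdefault(rule["chain"], []).append(rule)
    return tables


def matches(rule, pkt):
    if "iface" in rule and pkt["iface"] != rule["iface"]:
        return False
    if "proto" in rule and pkt["proto"] != rule["proto"]:
        return False
    if "dport" in rule and pkt.get("dport") != rule["dport"]:
        return False
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    if "mark" in rule:
        value, mask = rule["mark"]              # xt_mark: (nfmark & mask) == value
        if (pkt["mark"] & mask) != value:
            return False
    return True


def walk(table, chain, pkt, logged):
    """First-match walk; MARK and LOG are non-terminating and fall through."""
    for idx, rule in enumerate(table["chains"].get(chain, [])):
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target == "MARK":
            value, mask = rule["xmark"]         # xt_MARK: mark = (mark & ~mask) ^ value
            pkt["mark"] = ((pkt["mark"] & ~mask) ^ value) & 0xFFFFFFFF
        elif target == "LOG":
            logged.append(rule.get("prefix", ""))
        elif target in TERMINATING:
            return idx, target
    return None, table["policy"].get(chain, "ACCEPT")   # fell off the end: chain policy


def trace_input(packet, text=RULESET):
    """Run one locally-delivered packet through mangle PREROUTING, then filter INPUT."""
    tables = parse_ruleset(text)
    pkt, logged = dict(packet), []
    walk(tables["mangle"], "PREROUTING", pkt, logged)
    idx, verdict = walk(tables["filter"], "INPUT", pkt, logged)
    return {"mark": pkt["mark"], "rule": idx, "verdict": verdict, "logged": logged}


if __name__ == "__main__":
    # Constructed packets: the UDP/4500 datagram the MARK rule targets, an unrelated
    # TCP packet, and a packet that already carries mark 0x1 when INPUT sees it.
    natt = {"iface": "eth1", "proto": "udp", "dport": 4500, "state": "NEW", "mark": 0}
    other = {"iface": "eth1", "proto": "tcp", "dport": 22, "state": "NEW", "mark": 0}
    premarked = dict(other, mark=0x1)
    for name, p in (("natt", natt), ("other", other), ("premarked", premarked)):
        print(name, trace_input(p))
```

For the ruleset as posted, the walk shows that a UDP/4500 datagram arriving on eth1 leaves PREROUTING with mark 0x1 but is accepted by the fifth INPUT rule (`-i eth1 -p udp -m udp --dport 4500 -j ACCEPT`) before either `-m mark` rule is consulted, so the `ipsec_nat_t` prefix never appears for that traffic; the mark rules only fire for a packet that reaches INPUT carrying the mark without matching an earlier rule. Whatever the logged-and-rejected packets turn out to be, a rule index from a trace like this is the first thing to compare against the `-j LOG` output when a mark seems to vanish.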