netfilter.vger.kernel.org archive mirror
* IPTABLES + PREROUTING + --set-mark + Ubuntu
@ 2015-01-15 22:34 The Media Server
  2015-01-16  0:59 ` U.Mutlu
  2015-01-16  9:16 ` Pascal Hambourg
  0 siblings, 2 replies; 22+ messages in thread
From: The Media Server @ 2015-01-15 22:34 UTC (permalink / raw)
  To: netfilter

Hi, I can't get my PREROUTING iptables rule to mark my packets via
--set-mark on Ubuntu.

iptables -t mangle -A PREROUTING -p tcp --sport 80 -j MARK --set-mark 2
rule add fwmark 2 table 2

iptables -t mangle -A PREROUTING -j MARK --set-mark 2
iptables -t mangle -A INPUT -j MARK --set-mark 2
iptables -t nat -A INPUT -j MARK --set-mark 2
iptables -t nat -A PREROUTING -j MARK --set-mark 2

None of the above passes through table 2,

but this does pass through table 2 with this rule:
ip rule add from 192.168.2.0/24 table 2

----
Is there a problem marking packets in Ubuntu 14.04.1 LTS and iptables v1.4.21?

Thanks!


* Re: IPTABLES + PREROUTING + --set-mark + Ubuntu
  2015-01-15 22:34 The Media Server
@ 2015-01-16  0:59 ` U.Mutlu
  2015-01-16  1:03   ` U.Mutlu
  2015-01-16  9:16 ` Pascal Hambourg
  1 sibling, 1 reply; 22+ messages in thread
From: U.Mutlu @ 2015-01-16  0:59 UTC (permalink / raw)
  To: netfilter

The Media Server wrote, On 01/15/2015 11:34 PM:
> Hi, I can't get my PREROUTING iptables rule to mark my packets via
> --set-mark on Ubuntu.
>
> iptables -t mangle -A PREROUTING -p tcp --sport 80 -j MARK --set-mark 2
> rule add fwmark 2 table 2
>
> iptables -t mangle -A PREROUTING -j MARK --set-mark 2
> iptables -t mangle -A INPUT -j MARK --set-mark 2
> iptables -t nat -A INPUT -j MARK --set-mark 2
> iptables -t nat -A PREROUTING -j MARK --set-mark 2
>
> None of the above passes through table 2,
>
> but this does pass through table 2 with this rule:
> ip rule add from 192.168.2.0/24 table 2
>
> ----
> Is there a problem marking packets in Ubuntu 14.04.1 LTS and iptables v1.4.21?

Have you also defined table 2 in /etc/iproute2/rt_tables?
It must be something like:
2 mytab2
I think there is no tool for it; you have to edit the file.

Later you can use
   ip rule ls
   ip route ls
   ip route ls table 2
or alternatively
   ip route ls table mytab2

and don't forget to delete the wrong or excess entries there:
   ip rule del fwmark 2 table 2
   ip route flush table 2




* Re: IPTABLES + PREROUTING + --set-mark + Ubuntu
  2015-01-16  0:59 ` U.Mutlu
@ 2015-01-16  1:03   ` U.Mutlu
  0 siblings, 0 replies; 22+ messages in thread
From: U.Mutlu @ 2015-01-16  1:03 UTC (permalink / raw)
  To: netfilter

U.Mutlu wrote, On 01/16/2015 01:59 AM:
> The Media Server wrote, On 01/15/2015 11:34 PM:
>> Hi, I can't get my PREROUTING iptables rule to mark my packets via
>> --set-mark on Ubuntu.
>>
>> iptables -t mangle -A PREROUTING -p tcp --sport 80 -j MARK --set-mark 2
>> rule add fwmark 2 table 2

and the above one should be
    ip rule add fwmark 2 table 2

>> iptables -t mangle -A PREROUTING -j MARK --set-mark 2
>> iptables -t mangle -A INPUT -j MARK --set-mark 2
>> iptables -t nat -A INPUT -j MARK --set-mark 2
>> iptables -t nat -A PREROUTING -j MARK --set-mark 2
>>
>> None of the above passes through table 2,
>>
>> but this does pass through table 2 with this rule:
>> ip rule add from 192.168.2.0/24 table 2
>>
>> ----
>> Is there a problem marking packets in Ubuntu 14.04.1 LTS and iptables v1.4.21?
>
> Have you also defined table 2 in /etc/iproute2/rt_tables?
> It must be something like:
> 2 mytab2
> I think there is no tool for it; you have to edit the file.
>
> Later you can use
>    ip rule ls
>    ip route ls
>    ip route ls table 2
> or alternatively
>    ip route ls table mytab2
>
> and don't forget to delete the wrong or excess entries there:
>    ip rule del fwmark 2 table 2
>    ip route flush table 2
>




* Re: IPTABLES + PREROUTING + --set-mark + Ubuntu
@ 2015-01-16  1:53 The Media Server
  2015-01-16  2:02 ` U.Mutlu
  0 siblings, 1 reply; 22+ messages in thread
From: The Media Server @ 2015-01-16  1:53 UTC (permalink / raw)
  To: netfilter

Yes indeed:
ip rule add*. It was just a typo, sorry.

Yes, I tried it with, let's say:
2 ht

I also disabled rp_filter and enabled forwarding in the kernel for IPv4:
sudo sysctl -w net.ipv4.conf.eth0.rp_filter=0 &&
sudo sysctl -w net.ipv4.conf.tun0.rp_filter=0 &&
sudo sysctl -w net.ipv4.conf.all.rp_filter=0 &&
sudo sysctl -w net.ipv4.conf.default.rp_filter=0 &&
sudo sysctl -w net.ipv4.conf.lo.rp_filter=0  &&

sudo sysctl -w net.ipv4.conf.all.forwarding=1 &&
sudo sysctl -w net.ipv4.conf.default.forwarding=1 &&
sudo sysctl -w net.ipv4.conf.eth0.forwarding=1 &&
sudo sysctl -w net.ipv4.conf.lo.forwarding=1 &&
sudo sysctl -w net.ipv4.conf.tun0.forwarding=1 &&

sudo sysctl -w net.ipv6.conf.all.forwarding=1 &&
sudo sysctl -w net.ipv6.conf.default.forwarding=1 &&
sudo sysctl -w net.ipv6.conf.eth0.forwarding=1 &&
sudo sysctl -w net.ipv6.conf.lo.forwarding=1 &&
sudo sysctl -w net.ipv6.conf.tun0.forwarding=1

The result of my rule list is:
0:      from all lookup local
32765:  from all fwmark 0x2 lookup ht
32766:  from all lookup main
32767:  from all lookup default

My ht (2) table is:
default via 192.168.0.1 dev eth0
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.2.20  metric 1

I tried these rules:
sudo iptables -t mangle -A PREROUTING -j MARK --set-mark 2
sudo iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark 2
sudo iptables -t mangle -A OUTPUT -p tcp --sport 80 -j MARK --set-mark 2

Nothing works.


--
The weird part is that the OUTPUT rules work:

sudo iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark 2
sudo iptables --table nat --append POSTROUTING -o eth0 -j MASQUERADE

and this works too:
sudo ip rule add from 192.168.2.0/24 table ht
---

It looks like it doesn't want to mark anything in the PREROUTING /
INPUT phase, or an option somewhere is not enabled.

Thanks


* Re: IPTABLES + PREROUTING + --set-mark + Ubuntu
  2015-01-16  1:53 The Media Server
@ 2015-01-16  2:02 ` U.Mutlu
  0 siblings, 0 replies; 22+ messages in thread
From: U.Mutlu @ 2015-01-16  2:02 UTC (permalink / raw)
  To: netfilter

For diagnosis, try this:

# iptables -t mangle -nvL
Chain PREROUTING (policy ACCEPT 6063 packets, 5929K bytes)
 pkts bytes target     prot opt in     out     source               destination
   17  1052 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport ports 8443:8447 MARK set 0x65

The above is from my setup (using other ports and marks).
It shows that 17 packets were marked as requested.



The Media Server wrote, On 01/16/2015 02:53 AM:
> Yes indeed:
> ip rule add*. It was just a typo, sorry.
>
> Yes, I tried it with, let's say:
> 2 ht
>
> I also disabled rp_filter and enabled forwarding in the kernel for IPv4:
> sudo sysctl -w net.ipv4.conf.eth0.rp_filter=0 &&
> sudo sysctl -w net.ipv4.conf.tun0.rp_filter=0 &&
> sudo sysctl -w net.ipv4.conf.all.rp_filter=0 &&
> sudo sysctl -w net.ipv4.conf.default.rp_filter=0 &&
> sudo sysctl -w net.ipv4.conf.lo.rp_filter=0  &&
>
> sudo sysctl -w net.ipv4.conf.all.forwarding=1 &&
> sudo sysctl -w net.ipv4.conf.default.forwarding=1 &&
> sudo sysctl -w net.ipv4.conf.eth0.forwarding=1 &&
> sudo sysctl -w net.ipv4.conf.lo.forwarding=1 &&
> sudo sysctl -w net.ipv4.conf.tun0.forwarding=1 &&
>
> sudo sysctl -w net.ipv6.conf.all.forwarding=1 &&
> sudo sysctl -w net.ipv6.conf.default.forwarding=1 &&
> sudo sysctl -w net.ipv6.conf.eth0.forwarding=1 &&
> sudo sysctl -w net.ipv6.conf.lo.forwarding=1 &&
> sudo sysctl -w net.ipv6.conf.tun0.forwarding=1
>
> The result of my rule list is:
> 0:      from all lookup local
> 32765:  from all fwmark 0x2 lookup ht
> 32766:  from all lookup main
> 32767:  from all lookup default
>
> My ht (2) table is:
> default via 192.168.0.1 dev eth0
> 192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.2.20  metric 1
>
> I tried these rules:
> sudo iptables -t mangle -A PREROUTING -j MARK --set-mark 2
> sudo iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark 2
> sudo iptables -t mangle -A OUTPUT -p tcp --sport 80 -j MARK --set-mark 2
>
> Nothing works.
>
>
> --
> The weird part is that the OUTPUT rules work:
>
> sudo iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark 2
> sudo iptables --table nat --append POSTROUTING -o eth0 -j MASQUERADE
>
> and this works too:
> sudo ip rule add from 192.168.2.0/24 table ht
> ---
>
> It looks like it doesn't want to mark anything in the PREROUTING /
> INPUT phase, or an option somewhere is not enabled.
>
> Thanks




* Re: IPTABLES + PREROUTING + --set-mark + Ubuntu
@ 2015-01-16  2:02 The Media Server
  2015-01-16  2:14 ` U.Mutlu
  0 siblings, 1 reply; 22+ messages in thread
From: The Media Server @ 2015-01-16  2:02 UTC (permalink / raw)
  To: netfilter

Sorry for the multiple posts; it is the first time I have used a mailing
list. I didn't receive any mails back.
I want to clarify something.

Yes indeed:
ip rule add*. It was just a typo, sorry.

Yes, I tried it with, let's say:
2 ht

I also disabled rp_filter and enabled forwarding in the kernel for IPv4:
sudo sysctl -w net.ipv4.conf.eth0.rp_filter=0 &&
sudo sysctl -w net.ipv4.conf.tun0.rp_filter=0 &&
sudo sysctl -w net.ipv4.conf.all.rp_filter=0 &&
sudo sysctl -w net.ipv4.conf.default.rp_filter=0 &&
sudo sysctl -w net.ipv4.conf.lo.rp_filter=0  &&

sudo sysctl -w net.ipv4.conf.all.forwarding=1 &&
sudo sysctl -w net.ipv4.conf.default.forwarding=1 &&
sudo sysctl -w net.ipv4.conf.eth0.forwarding=1 &&
sudo sysctl -w net.ipv4.conf.lo.forwarding=1 &&
sudo sysctl -w net.ipv4.conf.tun0.forwarding=1 &&

sudo sysctl -w net.ipv6.conf.all.forwarding=1 &&
sudo sysctl -w net.ipv6.conf.default.forwarding=1 &&
sudo sysctl -w net.ipv6.conf.eth0.forwarding=1 &&
sudo sysctl -w net.ipv6.conf.lo.forwarding=1 &&
sudo sysctl -w net.ipv6.conf.tun0.forwarding=1

The result of my rule list is:
0:      from all lookup local
32765:  from all fwmark 0x2 lookup ht
32766:  from all lookup main
32767:  from all lookup default

My ht (2) table is:
default via 192.168.2.1 dev eth0
192.168.2.0/24 dev eth0  proto kernel  scope link  src 192.168.2.20  metric 1

I tried these rules:
sudo iptables -t mangle -A PREROUTING -j MARK --set-mark 2
sudo iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark 2
sudo iptables -t mangle -A OUTPUT -p tcp --sport 80 -j MARK --set-mark 2

Nothing works.


--
The weird part is that the OUTPUT rules work:

sudo iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark 2
sudo iptables --table nat --append POSTROUTING -o eth0 -j MASQUERADE

and this works too:
sudo ip rule add from 192.168.2.0/24 table ht
---

It looks like it doesn't want to mark anything in the PREROUTING /
INPUT phase, or an option somewhere is not enabled.

Thanks


* Re: IPTABLES + PREROUTING + --set-mark + Ubuntu
  2015-01-16  2:02 The Media Server
@ 2015-01-16  2:14 ` U.Mutlu
  0 siblings, 0 replies; 22+ messages in thread
From: U.Mutlu @ 2015-01-16  2:14 UTC (permalink / raw)
  To: netfilter

> It looks like it doesn't want to mark anything in the PREROUTING /
> INPUT phase, or an option somewhere is not enabled.

A hint:
I think you have to send packets from another host to this host
to let the packets go through the PREROUTING chain of the mangle table.





* Re: IPTABLES + PREROUTING + --set-mark + Ubuntu
@ 2015-01-16  2:15 The Media Server
  2015-01-16  2:27 ` U.Mutlu
  0 siblings, 1 reply; 22+ messages in thread
From: The Media Server @ 2015-01-16  2:15 UTC (permalink / raw)
  To: netfilter

Oh, nice trick! Thanks. So I can see my packets are actually being
marked; the problem is probably somewhere else then. The number 32
increases as I try to connect.

Chain PREROUTING (policy ACCEPT 136K packets, 39M bytes)
 pkts bytes target     prot opt in     out     source               destination
   32  1628 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 MARK set 0x2
  218 77118 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80 MARK set 0x2
 136K   39M MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK set 0x2

Chain INPUT (policy ACCEPT 136K packets, 39M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 174K packets, 144M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 176K packets, 144M bytes)
 pkts bytes target     prot opt in     out     source               destination


This is the result of table main (OpenVPN did this):
0.0.0.0/1 via 10.107.1.5 dev tun0
default via 192.168.2.1 dev eth0  proto static
10.107.1.1 via 10.107.1.5 dev tun0
10.107.1.5 dev tun0  proto kernel  scope link  src 10.107.1.6
128.0.0.0/1 via 10.107.1.5 dev tun0
162.xx.xxx.xx via 192.168.2.1 dev eth0
192.168.2.0/24 dev eth0  proto kernel  scope link  src 192.168.2.20  metric 1

Table 2:
default via 192.168.2.1 dev eth0
192.168.2.0/24 dev eth0  proto kernel  scope link  src 192.168.2.20  metric 1

I'll try to do more tests. Do you have an idea why it is still timing out,
though, and not timing out with this:
sudo ip rule add from 192.168.2.0/24 table ht

Thanks a lot!

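The counter check U.Mutlu suggests above, and the PREROUTING output in this post, as an added example that is not part of the thread: a small sh/awk reader for `iptables -t mangle -nvL` output that sums the packet counters of the MARK rules in one chain and flags catch-all MARK rules. The sample output is constructed to look like the one posted here (the OUTPUT line is added for illustration), and the function names are mine. Without `-x`, iptables abbreviates large counters with 1000-based K/M/G suffixes, which loses the low digits; the reader expands them so before/after comparisons still work, but use `-x` whenever exact numbers matter.

```shell
#!/bin/sh
# Added example, not from the thread: report how many packets a chain's MARK rules
# have actually marked, from "iptables -t mangle -nvL" output read on stdin.

# sample_counters: constructed sample in the format iptables -nvL prints.
sample_counters() {
cat <<'EOF'
Chain PREROUTING (policy ACCEPT 136K packets, 39M bytes)
 pkts bytes target     prot opt in     out     source               destination
   32  1628 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 MARK set 0x2
  218 77118 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80 MARK set 0x2
 136K   39M MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK set 0x2

Chain INPUT (policy ACCEPT 136K packets, 39M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 174K packets, 144M bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   300 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 MARK set 0x2
EOF
}

# mark_hits CHAIN MARK: total pkts of rules in CHAIN whose target is "MARK set MARK".
# Columns are: pkts bytes target prot opt in out source destination [match text].
mark_hits() {
  awk -v chain="$1" -v mark="$2" '
    function expand(n,   unit) {        # 136K -> 136000, 39M -> 39000000 (1000-based)
      unit = substr(n, length(n), 1)
      if (unit == "K") return substr(n, 1, length(n) - 1) * 1000
      if (unit == "M") return substr(n, 1, length(n) - 1) * 1000000
      if (unit == "G") return substr(n, 1, length(n) - 1) * 1000000000
      return n + 0
    }
    /^Chain / { in_chain = ($2 == chain); next }
    in_chain && $3 == "MARK" && $0 ~ ("MARK set " mark "$") { total += expand($1) }
    END { printf "%d\n", total }
  '
}

# catchall_mark_rules CHAIN: number of MARK rules in CHAIN with no protocol or port match.
# "-A PREROUTING -j MARK --set-mark 2" from this thread is one: it marks every packet
# the host receives, so port-specific rules above it are irrelevant and, on a router,
# forwarded traffic would be steered into the marked table too.
catchall_mark_rules() {
  awk -v chain="$1" '
    /^Chain / { in_chain = ($2 == chain); next }
    in_chain && $3 == "MARK" && $4 == "all" && $0 !~ /(dpt|spt|ports)/ { n++ }
    END { printf "%d\n", n + 0 }
  '
}
```

Usage on a live system is `iptables -t mangle -nvL | mark_hits PREROUTING 0x2`; run it, attempt one connection from outside, run it again, and the difference is the number of packets the rules marked. A count that stays flat means the packets never reach mangle PREROUTING (wrong interface, or the router is not forwarding the port); a count that rises while the connection still times out means marking works and the problem is where the replies are routed.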

* Re: IPTABLES + PREROUTING + --set-mark + Ubuntu
@ 2015-01-16  2:24 The Media Server
  2015-01-16  2:35 ` U.Mutlu
  0 siblings, 1 reply; 22+ messages in thread
From: The Media Server @ 2015-01-16  2:24 UTC (permalink / raw)
  To: netfilter

> A hint:
> I think you have to send packets from another host to this host
> to let the pkts go thru the PREROUTING chain of the mangle table.

I am accessing my port 81 from another computer via my public ISP address:
http://198.xx.x.xx.x

I can see my connection in tcpdump port 80 trying to get in and the
MARK packet counter increasing in iptables -t mangle -nvL, but my connection
is still timing out.

My goal is to bypass my VPN for a specific port.


* Re: IPTABLES + PREROUTING + --set-mark + Ubuntu
  2015-01-16  2:15 IPTABLES + PREROUTING + --set-mark + Ubuntu The Media Server
@ 2015-01-16  2:27 ` U.Mutlu
  0 siblings, 0 replies; 22+ messages in thread
From: U.Mutlu @ 2015-01-16  2:27 UTC (permalink / raw)
  To: netfilter

The Media Server wrote, On 01/16/2015 03:15 AM:
> Do you have an idea why it is still timing out,
> though, and not timing out with this:
> sudo ip rule add from 192.168.2.0/24 table ht

I don't know what you mean by "timing out", and I think you didn't mention
that in the previous postings.
I must admit that this stuff is not easy; it's called "advanced routing"
or "policy routing", so you will need to do some more experiments.
I would suggest simplifying the problem by deactivating everything else.




* Re: IPTABLES + PREROUTING + --set-mark + Ubuntu
  2015-01-16  2:24 The Media Server
@ 2015-01-16  2:35 ` U.Mutlu
  0 siblings, 0 replies; 22+ messages in thread
From: U.Mutlu @ 2015-01-16  2:35 UTC (permalink / raw)
  To: netfilter

The Media Server wrote, On 01/16/2015 03:24 AM:
>> A hint:
>> I think you have to send packets from another host to this host
>> to let the packets go through the PREROUTING chain of the mangle table.
>
> I am accessing my port 81 from another computer via my public ISP address:
> http://198.xx.x.xx.x
>
> I can see my connection in tcpdump port 80 trying to get in and the
> MARK packet counter increasing in iptables -t mangle -nvL, but my connection
> is still timing out.
>
> My goal is to bypass my VPN for a specific port.

Does ssh login to your host from another host work? I.e.:
ssh -p22 username@hostname_or_ip
(change 22 if the ssh server on your host is operating on another port)




* Re: IPTABLES + PREROUTING + --set-mark + Ubuntu
@ 2015-01-16  2:45 The Media Server
  2015-01-16  2:53 ` U.Mutlu
  0 siblings, 1 reply; 22+ messages in thread
From: The Media Server @ 2015-01-16  2:45 UTC (permalink / raw)
  To: netfilter

Yes, sorry for my English.

I will do more experiments, and I understand it is pretty complicated indeed.

Just to clarify: when I type my public IP address in a browser, I get
a timeout error.
But I can see my packets marked, and my TCP connection trying to access,
in tcpdump port 80, like so:
21:35:32.336899 IP xxx.xxx.xxx.xxx.com.54727 > 192.168.2.20.http: Flags [S], seq 1143628041, win 8192, options [mss 1352,nop,wscale 8,nop,nop,sackOK], length 0

but when I add this rule (to go straight to my table ht (2) for
incoming connections):
ip rule add from 192.168.2.0/24 table ht
I mean, when I type my public IP in a web browser, it works, no timeout
error, and I see my HTML content. The connection works.

Thanks!


> Does ssh login to your host from another host work? I.e.:
> ssh -p22 username@hostname_or_ip
> (change 22 if the ssh server on your host is operating on another port)

It works on my network (192.168.2.20) from another computer,
but not if I try to connect with my public IP address from another computer.

But it works with the public IP with this rule:
ip rule add from 192.168.2.0/24 table ht


** My gateway address is my router.


* Re: IPTABLES + PREROUTING + --set-mark + Ubuntu
  2015-01-16  2:45 The Media Server
@ 2015-01-16  2:53 ` U.Mutlu
  0 siblings, 0 replies; 22+ messages in thread
From: U.Mutlu @ 2015-01-16  2:53 UTC (permalink / raw)
  To: netfilter

The Media Server wrote, On 01/16/2015 03:45 AM:
> Yes, sorry for my English.
>
> I will do more experiments, and I understand it is pretty complicated indeed.
>
> Just to clarify: when I type my public IP address in a browser, I get
> a timeout error.
> But I can see my packets marked, and my TCP connection trying to access,
> in tcpdump port 80, like so:
> 21:35:32.336899 IP xxx.xxx.xxx.xxx.com.54727 > 192.168.2.20.http: Flags [S], seq 1143628041, win 8192, options [mss 1352,nop,wscale 8,nop,nop,sackOK], length 0
>
> but when I add this rule (to go straight to my table ht (2) for
> incoming connections):
> ip rule add from 192.168.2.0/24 table ht
> I mean, when I type my public IP in a web browser, it works, no timeout
> error, and I see my HTML content. The connection works.
>
> Thanks!
>
>
>> Does ssh login to your host from another host work? I.e.:
>> ssh -p22 username@hostname_or_ip
>> (change 22 if the ssh server on your host is operating on another port)
>
> It works on my network (192.168.2.20) from another computer,
> but not if I try to connect with my public IP address from another computer.
>
> But it works with the public IP with this rule:
> ip rule add from 192.168.2.0/24 table ht
>
>
> ** My gateway address is my router.

Then maybe you forgot to open and forward the port on the router?
Try it with ssh. If that works, then the rest is analogous, i.e. it should
work too.




* Re: IPTABLES + PREROUTING + --set-mark + Ubuntu
@ 2015-01-16  3:12 The Media Server
  2015-01-16  3:31 ` U.Mutlu
  0 siblings, 1 reply; 22+ messages in thread
From: The Media Server @ 2015-01-16  3:12 UTC (permalink / raw)
  To: netfilter

Both ports, 80 and 22, are forwarded to my Linux PC in my router ;)

The public IP address is blocked because my VPN is enabled...

Like I said, if I divert my connections to my table 2 like so, with the VPN enabled:
ip rule add from 192.168.2.0/24 table 2
all my inbound connections work with my public IP address, and that is the goal.
I just want the thing to work on a port basis.


Anyway, I'll experiment. I will try to remove all tables, stop the VPN,
make an empty or wrong main table,
and try to mark my packets and forward them to table 2.

I will give you the results. If that doesn't work we will know there
is a problem with the marking system; if it works, the problem is
somewhere in my VPN setup.

Thanks again!


* Re: IPTABLES + PREROUTING + --set-mark + Ubuntu
  2015-01-16  3:12 The Media Server
@ 2015-01-16  3:31 ` U.Mutlu
  0 siblings, 0 replies; 22+ messages in thread
From: U.Mutlu @ 2015-01-16  3:31 UTC (permalink / raw)
  To: netfilter

The Media Server wrote, On 01/16/2015 04:12 AM:
> Both ports, 80 and 22, are forwarded to my Linux PC in my router ;)
>
> The public IP address is blocked because my VPN is enabled...
>
> Like I said, if I divert my connections to my table 2 like so, with the VPN enabled:
> ip rule add from 192.168.2.0/24 table 2
> all my inbound connections work with my public IP address, and that is the goal.
> I just want the thing to work on a port basis.

Ok, now I understand your problem :-)
In this case try this instead of the above (I think you even had this in your
previous postings):
  ip rule add fwmark 2 table 2

And add this for marking the packets based on port(s):
iptables -t mangle -A PREROUTING -p tcp -m multiport --ports 80,22 -j MARK --set-mark 2

Both commands should be placed as early as possible within your script.


> Anyways i'll experiment.. i will try to remove all table, stop vpn.
> make an empty or wrong table main..
> and try to mark my packets and forward them to table 2
>
> I will give you the results.. if that doesn't work we will know there
> is problem with the marking system, if it works, the problem is
> somewhere in my vpn setup..
>
> thks again!




* Re: IPTABLES + PREROUTING + --set-mark + Ubuntu
@ 2015-01-16  3:49 P-o Lévesque
  2015-01-16  4:51 ` The Media Server
  0 siblings, 1 reply; 22+ messages in thread
From: P-o Lévesque @ 2015-01-16  3:49 UTC (permalink / raw)
  To: netfilter

> Ok, now I understand your problem :-)
> In this case try this instead of the above (I think you even had this in your
> previous postings):
>  ip rule add fwmark 2 table 2
>
> And add this for marking the packets based on port(s):
> iptables -t mangle -A PREROUTING -p tcp -m multiport --ports 80,22 -j MARK --set-mark 2
>
> Both commands should be placed as early as possible within your script.

That is exactly what I want and what I am trying to say! But that is also
exactly what is not working!

My rp_filter is set to 0 in the kernel.

So I assume there is a bug in iptables for Ubuntu, something missing
somewhere or a config to enable somewhere, because it is a very
simple set of rules. The OUTPUT rules work fine, and the rule "ip
rule add from 192.168.2.0/24 table 2" works.
Just the PREROUTING rules do not work for me.

Thanks


* RE: IPTABLES + PREROUTING + --set-mark + Ubuntu
  2015-01-16  3:49 P-o Lévesque
@ 2015-01-16  4:51 ` The Media Server
  0 siblings, 0 replies; 22+ messages in thread
From: The Media Server @ 2015-01-16  4:51 UTC (permalink / raw)
  To: netfilter

Check this: the most simple setup does not work...

---
ip route flush table 2
# table 2 is the connection to internet
ip route add table 2 default via 192.168.2.1 dev eth0
# main table is empty
ip route flush table main

iptables -F
iptables -F -t mangle
iptables -F -t nat

iptables -t mangle -A PREROUTING -p tcp -m multiport --ports 22 -j MARK --set-mark 2
ip rule add fwmark 2 table 2

sysctl -w net.ipv4.conf.lo.rp_filter=0
sysctl -w net.ipv4.conf.default.rp_filter=0
sysctl -w net.ipv4.conf.all.rp_filter=0

ip route flush cache

---
SSH does not work from anywhere! Timeout error! BUG? PROBABLY the
rule doesn't work.

BUT

if I add this:
ip rule add from all table 2

the ssh connection works.
Clearly the PREROUTING iproutes rule does not work.


* RE: IPTABLES + PREROUTING + --set-mark + Ubuntu
@ 2015-01-16  5:33 The Media Server
  2015-01-16  8:15 ` U.Mutlu
  0 siblings, 1 reply; 22+ messages in thread
From: The Media Server @ 2015-01-16  5:33 UTC (permalink / raw)
  To: netfilter

OMG THANK GOD I JUST FOUND IT!!!!

It was hidden and off by default! tcp_fwmark_accept was off by default!

sudo sysctl -w net.ipv4.tcp_fwmark_accept=1


* Re: IPTABLES + PREROUTING + --set-mark + Ubuntu
  2015-01-16  5:33 The Media Server
@ 2015-01-16  8:15 ` U.Mutlu
  0 siblings, 0 replies; 22+ messages in thread
From: U.Mutlu @ 2015-01-16  8:15 UTC (permalink / raw)
  To: netfilter

The Media Server wrote, On 01/16/2015 06:33 AM:
> OMG THANK GOD I JUST FOUND IT!!!!
>
> It was hidden and off by default! tcp_fwmark_accept was off by default!
>
> sudo sysctl -w net.ipv4.tcp_fwmark_accept=1

Glad to hear that you found a solution.
That setting must be a new one, as my other system (Debian 7) doesn't know
about it.




* Re: IPTABLES + PREROUTING + --set-mark + Ubuntu
  2015-01-15 22:34 The Media Server
  2015-01-16  0:59 ` U.Mutlu
@ 2015-01-16  9:16 ` Pascal Hambourg
  1 sibling, 0 replies; 22+ messages in thread
From: Pascal Hambourg @ 2015-01-16  9:16 UTC (permalink / raw)
  To: The Media Server; +Cc: netfilter

Hello,

The Media Server a écrit :
> Hi, I can't get my PREROUTING iptables rule to mark my packets via
> --set-mark on Ubuntu.
> 
> iptables -t mangle -A PREROUTING -p tcp --sport 80 -j MARK --set-mark 2
> rule add fwmark 2 table 2
> 
> iptables -t mangle -A PREROUTING -j MARK --set-mark 2
> iptables -t mangle -A INPUT -j MARK --set-mark 2
> iptables -t nat -A INPUT -j MARK --set-mark 2
> iptables -t nat -A PREROUTING -j MARK --set-mark 2
> 
> None of the above passes through table 2,
> 
> but this does pass through table 2 with this rule:
> ip rule add from 192.168.2.0/24 table 2

What do you want to achieve with these rules?


* Re: IPTABLES + PREROUTING + --set-mark + Ubuntu
@ 2015-01-16 14:03 The Media Server
  0 siblings, 0 replies; 22+ messages in thread
From: The Media Server @ 2015-01-16 14:03 UTC (permalink / raw)
  To: netfilter

> Glad to hear that you found a solution.
> That setting must be a new one, as my other system (Debian 7) doesn't know about it.

Yes, it is just on Ubuntu 14.10...

On 14.04, I don't have this option and the fwmarking doesn't work.

Does this mean that on 14.04 and XBMCbuntu we would have to recompile
the kernel with this option to make it work?

> What do you want to achieve with these rules?

I was just testing the marking. My ultimate goal was to bypass a VPN
on some port on Ubuntu.

I found the solution, if you check the previous post; it was a kernel
option that is off by default:
net.ipv4.tcp_fwmark_accept=0

Thanks for the support!
--
themediaserver.com

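The setup this thread converges on, written out as one script. This is an added example, not code from the thread or from any of its participants. The table id 2 named ht, fwmark 2, the LAN gateway 192.168.2.1 on eth0 and the ports 80 and 22 come from the posts above but are assumptions here, and the function names are mine. It adds two things the posts leave implicit: the value that enables the sysctl is 1 (0 is the kernel default the poster found; the setting exists since Linux 3.15, so Ubuntu 14.10 has it and the 3.13 kernel on 14.04 does not), and on a kernel without net.ipv4.tcp_fwmark_accept the same effect comes from CONNMARK: save the mark on the connection in PREROUTING and restore it in mangle OUTPUT, where a changed mark causes the locally generated reply to be re-routed, so no kernel rebuild is needed for the 14.04 question above. With the default DRY_RUN=1 the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the thread: route inbound connections on chosen TCP ports
# back out through the LAN gateway while the main table's default route points at a VPN.
# Assumed values: table 2 named "ht", fwmark 2, gateway 192.168.2.1 on eth0, ports 80,22.
# DRY_RUN=1 (the default) prints every command instead of executing it; apply with
# DRY_RUN=0 as root.
TABLE_ID=2
TABLE_NAME=ht
MARK=2
LAN_GW=192.168.2.1
LAN_IF=eth0
PORTS=80,22
DRY_RUN=${DRY_RUN:-1}

# run: print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# rt_tables_line: the entry /etc/iproute2/rt_tables needs so that "table ht" resolves.
# iproute2 accepts the numeric id without it; the name is only a convenience.
rt_tables_line() { printf '%s %s\n' "$TABLE_ID" "$TABLE_NAME"; }

# ensure_rt_table [FILE]: append the entry once (idempotent); FILE defaults to the real path.
ensure_rt_table() {
  f=${1:-/etc/iproute2/rt_tables}
  if grep -q "^${TABLE_ID}[[:space:]][[:space:]]*${TABLE_NAME}\$" "$f" 2>/dev/null; then
    return 0
  fi
  if [ "$DRY_RUN" = 1 ]; then
    printf 'echo "%s" >> %s\n' "$(rt_tables_line)" "$f"
  else
    rt_tables_line >> "$f"
  fi
}

# routing_commands: marked packets consult table 2, whose default route is the LAN gateway.
routing_commands() {
  run ip rule add fwmark "$MARK" lookup "$TABLE_ID" priority 100
  run ip route replace default via "$LAN_GW" dev "$LAN_IF" table "$TABLE_ID"
}

# sysctl_commands: strict rp_filter (1) drops Internet packets arriving on eth0 because
# the best route back to their source is the VPN; loose (2) only needs some route to exist.
# tcp_fwmark_accept=1 (Linux 3.15+) makes accepted sockets inherit the SYN's mark, so the
# server's own replies are routed through table 2. 1 enables it; 0 is the default.
sysctl_commands() {
  run sysctl -w net.ipv4.conf.all.rp_filter=2
  run sysctl -w "net.ipv4.conf.${LAN_IF}.rp_filter=2"
  run sysctl -w net.ipv4.tcp_fwmark_accept=1
}

# firewall_commands: mark inbound packets on the chosen ports before the routing decision
# (mangle PREROUTING is the last hook before it), save the mark on the conntrack entry,
# and restore it on locally generated replies in mangle OUTPUT. A mark set there causes
# a re-route, so this also works on kernels without tcp_fwmark_accept (e.g. 3.13 on 14.04).
firewall_commands() {
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp -m multiport --dports "$PORTS" \
      -j MARK --set-mark "$MARK"
  run iptables -t mangle -A PREROUTING -m mark --mark "$MARK" -j CONNMARK --save-mark
  run iptables -t mangle -A OUTPUT -m connmark --mark "$MARK" -j CONNMARK --restore-mark
}

# verify_commands: what to look at afterwards. "ip route get ... mark" shows the path a
# marked packet takes; the exact (-x) counters show whether the MARK rule is being hit.
verify_commands() {
  run ip rule show
  run ip route show table "$TABLE_ID"
  run ip route get 203.0.113.10 mark "$MARK"
  run iptables -t mangle -nvxL PREROUTING
}

main() {
  ensure_rt_table
  routing_commands
  sysctl_commands
  firewall_commands
  verify_commands
}

main
```

Review the output of `DRY_RUN=1 sh bypass-vpn.sh` first, then apply with `DRY_RUN=0` as root. The verify commands are the check recommended earlier in this thread in another form: if the pkts column of `iptables -t mangle -nvxL PREROUTING` does not move while a connection is attempted from outside, the packets never reach the rule (router port forward or interface name); if it moves but the connection still times out, the replies are leaving via the wrong table, which `ip route get ... mark 2` will show as a route over the VPN interface instead of eth0.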

* Re: IPTABLES + PREROUTING + --set-mark + Ubuntu
@ 2015-01-16 20:05 P-o Lévesque
  0 siblings, 0 replies; 22+ messages in thread
From: P-o Lévesque @ 2015-01-16 20:05 UTC (permalink / raw)
  To: netfilter

OK, I got the info about the kernel from a forum.

With XBMCbuntu, we can just install the newest Ubuntu kernel.
I'll check that out.
Thanks!

--
http://themediaserver.com

