conntrack match failed, packets not FWMarked

Linux Advanced Routing and Traffic Control

Hi all,

I have 2 ISPs on a Linux router and a local network with one Linux server
and many Windows machines.
The local network is masqueraded.

I want to give access to ports 25 and 80 of my server from any incoming
request (i.e. from my 2 ISPs). I have made a DNAT translation, which works, but
the outgoing answers are not routed correctly. Of course, the de-SNAT
process is done before the routing process, so all packets follow the default
route.

I looked for solutions in the LARTC mailing-list archive, in the LARTC
documentation, on Google, and anywhere else I know, but none of the solutions I
found work.
Based on the LARTC 2 ISP sample (Chapter 4.2), I tried to mark my packets to
be correctly routed (via a FWMARK), without success. But everything I read
tells me this should work.

Here are my rules (from iptables-save): 
*mangle
:PREROUTING ACCEPT [529944:316988323]
:INPUT ACCEPT [374208:35129218]
:FORWARD ACCEPT [4225914:2972153716]
:OUTPUT ACCEPT [147094:14149367]
:POSTROUTING ACCEPT [4855993:3030201798]
-A PREROUTING -m conntrack --ctorigdst IP_OF_PPP0 -j MARK --set-mark 0x1
-A PREROUTING -m conntrack --ctorigdst IP_OF_PPP1 -j MARK --set-mark 0x2
-A PREROUTING -m connmark --mark 0x1 -j LOG --log-prefix "FWMARK1"
COMMIT
# Completed on Mon Nov 28 09:53:06 2005
# Generated by iptables-save v1.2.11 on Mon Nov 28 09:53:06 2005
*nat
:PREROUTING ACCEPT [7696:835113]
:POSTROUTING ACCEPT [29406:2303772]
:OUTPUT ACCEPT [24589:1956035]
-A PREROUTING -i ppp1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.4:80
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.4:80
-A PREROUTING -i ppp1 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.4:25
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.4:25
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp1 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 -j MASQUERADE
COMMIT


I also have a routing table, but the line -A PREROUTING -m connmark --mark 0x1
-j LOG --log-prefix "FWMARK1" doesn't give me any result!!!! Nothing is
logged! My packets are not marked. Why?

I am on Debian stable with kernel 2.6.14.2 (hand-built with make-kpkg),
the default iptables (v1.2.11) and iproute2 (iproute2-ss041019).

Does anyone have an idea? (or more ;-) )


_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
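An added example, not part of the original post or of the LARTC documentation: the same dual-ISP setup done with CONNMARK save/restore and one routing table per ISP, so that replies of DNAT'ed connections leave by the link the connection arrived on. It assumes the CONNMARK target is available on the router's kernel and iptables, that routing tables 101/102 and rule preferences 100/201/202 are unused, and it reuses the LAN prefix and server address from the post; the comment in restore_rule explains why a packet that was only MARK'ed never matches "-m connmark".

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the CONNMARK target is
# available and that tables 101/102 and rule prefs 100/201/202 are unused.
# IPT=echo IP=echo prints the commands instead of applying them.
set -eu
IPT=${IPT:-iptables}
IP=${IP:-ip}
LAN_NET=192.168.1.0/24
SERVER=192.168.1.4            # receives the port 25/80 DNAT
# Per-ISP settings: "interface fwmark routing-table"; ppp links need no
# gateway address, "default dev pppN" is enough.
ISP0="ppp0 1 101"
ISP1="ppp1 2 102"

isp_rules() {
  set -- $1; dev=$1; mark=$2; table=$3
  # Mark the connection (not only this packet) with the link it entered on.
  $IPT -t mangle -A PREROUTING -i "$dev" -m state --state NEW \
       -j CONNMARK --set-mark "$mark"
  for port in 25 80; do
    $IPT -t nat -A PREROUTING -i "$dev" -p tcp --dport "$port" \
         -j DNAT --to-destination "$SERVER:$port"
  done
  $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$dev" -j MASQUERADE
  # A per-ISP table whose only route is that link; marked packets use it.
  $IP route replace default dev "$dev" table "$table"
  $IP rule add fwmark "$mark" lookup "$table" pref "$((200 + mark))"
}

restore_rule() {
  # For every packet, before routing: copy the connection mark onto the
  # packet mark. "ip rule fwmark" and "-m mark" read the packet mark, while
  # "-m connmark" reads the connection mark, and the MARK target only sets
  # the former, so a packet that was only MARK'ed never matches "-m connmark".
  $IPT -t mangle -A PREROUTING -j CONNMARK --restore-mark
}

apply_all() {
  # Destinations inside the LAN (the DNAT'ed inbound packets themselves) must
  # keep using the main table, so this rule goes in front of the fwmark rules.
  $IP rule add to "$LAN_NET" lookup main pref 100
  for isp in "$ISP0" "$ISP1"; do isp_rules "$isp"; done
  restore_rule
  $IP route flush cache
}

case "${1:-}" in
  apply)   apply_all ;;
  dry-run) IPT=echo; IP=echo; apply_all ;;
esac
```

Run as `sh dual-isp.sh dry-run` to review the generated commands, then `sh dual-isp.sh apply` on the router.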