I do CONNMARK RESTORE on PREROUTING:
iptables -t mangle -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED \
    -j CONNMARK --restore-mark --mask 0x0FFFFFFF
I MARK in FORWARD:
iptables -t mangle -A FORWARD -i ${METANO} -o ${EXT2} -m state --state NEW \
    -j MARK --set-mark 2/0x0FFFFFFF
iptables -t mangle -A FORWARD -i ${EXT2} -o ${METANO} -m state --state NEW \
    -j MARK --set-mark 2/0x0FFFFFFF
I do CONNMARK SAVE in POSTROUTING:
iptables -t mangle -A POSTROUTING -m mark ! --mark 0x0/0x0FFFFFFF \
    -j CONNMARK --save-mark --mask 0x0FFFFFFF
You should check if everything is going fine using the LOG/ULOG target:
iptables -t mangle -A FORWARD -i ${EXT1} -o ethWEB -p tcp -m multiport --dports 80,443 \
    -m state --state NEW -j LOG --log-prefix "**NEW** IN NAS0 "
[...]
Connection tracking may be quite frustrating; there are lots of things
which may be wrong. I suggest you start playing in the FORWARD chain;
the OUTPUT one can be much more challenging (for example, having EXT1 as
default gateway, I have to ALLOW specific traffic toward EXT1 even if I
want it to go through EXT2, otherwise the system will not forge the packet).
ULOG/LOG is your best friend to debug it (among other things, you can
easily see the marks with it).
Cheers,
Niccolò
--
To unsubscribe from this list: send the line "unsubscribe lartc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
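Added example, not from Niccolò's mail: a small POSIX sh script that installs the restore / mark / save sequence described above in the order it requires, with a LOG rule appended after the MARK rules so the logged MARK= field shows the value just set. The interface names (eth1, eth3), the routing table name "ext2" and the "ip rule ... fwmark" line that actually steers marked connections out of EXT2 are assumptions of this example, not something stated in the mail. Set IPTABLES=echo IP=echo to print the rules instead of applying them, which is a cheap way to review the rule order before touching a live box.

```shell
#!/bin/sh
# Example script (not from the original mail): CONNMARK restore -> MARK new
# connections -> CONNMARK save, plus a LOG rule to verify the marks.
# Interface names, mark value and table name below are assumptions.
IPTABLES="${IPTABLES:-iptables}"   # IPTABLES=echo gives a dry run
IP="${IP:-ip}"
METANO="${METANO:-eth1}"           # assumed LAN-side interface
EXT2="${EXT2:-eth3}"               # assumed second uplink
MASK=0x0FFFFFFF                    # low 28 bits reserved for routing marks
EXT2_MARK=2                        # mark meaning "route via EXT2"
EXT2_TABLE="${EXT2_TABLE:-ext2}"   # assumed entry in /etc/iproute2/rt_tables

mangle() { "$IPTABLES" -t mangle "$@"; }

# Order matters: restore first, classify NEW only, save last.
setup_marking() {
    # 1. copy the saved connection mark onto every packet of a known flow
    mangle -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNMARK --restore-mark --mask "$MASK"
    # 2. decide only on the first packet of a connection, in both directions
    mangle -A FORWARD -i "$METANO" -o "$EXT2" -m conntrack --ctstate NEW \
        -j MARK --set-mark "$EXT2_MARK/$MASK"
    mangle -A FORWARD -i "$EXT2" -o "$METANO" -m conntrack --ctstate NEW \
        -j MARK --set-mark "$EXT2_MARK/$MASK"
    # 3. persist any non-zero mark into the conntrack entry
    mangle -A POSTROUTING -m mark ! --mark "0x0/$MASK" \
        -j CONNMARK --save-mark --mask "$MASK"
}

# Debug rule: appended after the MARK rules so the kernel log line
# ("... MARK=0x2 ...") shows the mark that was just assigned.
debug_log() {
    mangle -A FORWARD -i "$METANO" -o "$EXT2" -m conntrack --ctstate NEW \
        -j LOG --log-prefix "**NEW** TO EXT2 "
}

# Policy routing hook (assumption): marked packets consult EXT2's table.
setup_routing() {
    "$IP" rule add fwmark "$EXT2_MARK/$MASK" table "$EXT2_TABLE"
}

# "apply" installs the rules; anything else is a dry run printing them.
case "${1:-}" in
    apply) setup_marking; debug_log; setup_routing ;;
    *)     IPTABLES=echo; IP=echo; setup_marking; debug_log; setup_routing ;;
esac
```

Run it as "sh mark-ext2.sh" to print the rule set and "sh mark-ext2.sh apply" (as root) to install it; the variables can be overridden from the environment, e.g. "METANO=eth0 EXT2=ppp1 sh mark-ext2.sh".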