I think the ruleset above is wrong: the '!' should not be present here. Allow me to explain the packet traversal when the same rules are used, but with "!" removed:

Yeah you're right, sorry... need more coffee ;-))
iptables -t mangle -N setmark
iptables -t mangle -A setmark -s 193.220.70.0/27 -d 193.220.70.32/27 -j RETURN
iptables -t mangle -A setmark -s 193.108.240.0/22 -d 193.220.70.32/27 -j RETURN
iptables -t mangle -A setmark -j MARK --set-mark 107
iptables -t mangle -A POSTROUTING -j setmark
1. Packet enters POSTROUTING
2. Packet jumps to "setmark" chain
3. Packets having source address matching "193.220.70.0/27" are RETURNed to POSTROUTING
4. Packets having source address matching "193.108.240.0/22" are RETURNed to POSTROUTING
5. (now ONLY packets which do NOT have either of these source addresses are still in the "setmark" chain)
6. All packets (still in the "setmark" chain) are marked with 107
7. Packets fall off the end of the "setmark" chain and return to POSTROUTING (but they are now marked)
8. Packets fall off the end of POSTROUTING and continue through the kernel (presumably to be delivered to a network device)
Cheers, Chris.
Sven
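The traversal Chris walks through (jump into a user-defined chain, RETURN back to the caller, non-terminating MARK, fall off the end) can be checked without root or a kernel by modelling it. The following is an added example, not code from the thread: a small Python simulator of the posted mangle rules, with the chain layout and the sample addresses constructed here. It applies both the -s and -d match of each RETURN rule exactly as written in the ruleset, so a packet whose source is in 193.220.70.0/27 but whose destination is outside 193.220.70.32/27 does not hit the RETURN and is marked 107. RETURN in a built-in chain (chain policy) is not modelled, since the ruleset only uses RETURN inside setmark.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    # target is "RETURN", "MARK", or the name of a user-defined chain to jump to
    target: str
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    mark: Optional[int] = None  # only meaningful for target == "MARK"

    def matches(self, src, dst):
        if self.src is not None and src not in self.src:
            return False
        if self.dst is not None and dst not in self.dst:
            return False
        return True

def net(cidr):
    return ipaddress.ip_network(cidr)

# Constructed model of the posted ruleset (mangle table), in rule order.
CHAINS = {
    "POSTROUTING": [Rule(target="setmark")],
    "setmark": [
        Rule(target="RETURN", src=net("193.220.70.0/27"), dst=net("193.220.70.32/27")),
        Rule(target="RETURN", src=net("193.108.240.0/22"), dst=net("193.220.70.32/27")),
        Rule(target="MARK", mark=107),
    ],
}

def traverse(chains, chain, src, dst, mark=0, trace=None):
    """Walk `chain` for one packet. Returns (final mark, trace of steps)."""
    if trace is None:
        trace = []
    trace.append(f"enter {chain}")
    for i, rule in enumerate(chains[chain], 1):
        if not rule.matches(src, dst):
            continue
        if rule.target == "RETURN":
            # Leave this user-defined chain; the caller resumes after its jump rule.
            trace.append(f"{chain}:{i} RETURN")
            return mark, trace
        if rule.target == "MARK":
            # MARK is non-terminating: set the mark and keep walking the chain.
            mark = rule.mark
            trace.append(f"{chain}:{i} MARK {mark}")
            continue
        # Jump into a user-defined chain, then continue here once it returns.
        trace.append(f"{chain}:{i} jump {rule.target}")
        mark, trace = traverse(chains, rule.target, src, dst, mark, trace)
    trace.append(f"fall off end of {chain}")
    return mark, trace

def mark_for(src, dst):
    """Mark a packet from src to dst ends up with after POSTROUTING (0 = unmarked)."""
    mark, _ = traverse(CHAINS, "POSTROUTING",
                       ipaddress.ip_address(src), ipaddress.ip_address(dst))
    return mark

def trace_for(src, dst):
    _, steps = traverse(CHAINS, "POSTROUTING",
                        ipaddress.ip_address(src), ipaddress.ip_address(dst))
    return steps

if __name__ == "__main__":
    # Constructed sample packets: two that match a RETURN rule, two that do not.
    for s, d in [("193.220.70.5", "193.220.70.40"),
                 ("193.108.241.9", "193.220.70.50"),
                 ("10.0.0.1", "193.220.70.40"),
                 ("193.220.70.5", "8.8.8.8")]:
        print(f"{s} -> {d}: mark {mark_for(s, d)}; " + " / ".join(trace_for(s, d)))
```

The trace for a packet that hits the first RETURN rule is exactly Chris's steps 1 to 3 followed by step 8: enter POSTROUTING, jump setmark, RETURN from setmark, fall off the end of POSTROUTING, with the mark still 0. Only packets that match neither RETURN rule reach the MARK rule and leave with 107.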