What about using a user-defined chain like this:

iptables -t mangle -N setmark
iptables -t mangle -A setmark -s ! 193.220.70.0/27 -d 193.220.70.32/27 \
    -j RETURN
iptables -t mangle -A setmark -s ! 193.108.240.0/22 -d 193.220.70.32/27 \
    -j RETURN
iptables -t mangle -A setmark -j MARK --set-mark 107
iptables -t mangle -A POSTROUTING -j setmark

Thanks for your reply.
And can you describe how a packet traverses such a chain?

I think the ruleset above is wrong: the '!' should not be present here. Allow me to explain the packet traversal when the same rules are used, but with "!" removed:

iptables -t mangle -N setmark
iptables -t mangle -A setmark -s 193.220.70.0/27 -d 193.220.70.32/27 \
    -j RETURN
iptables -t mangle -A setmark -s 193.108.240.0/22 -d 193.220.70.32/27 \
    -j RETURN
iptables -t mangle -A setmark -j MARK --set-mark 107
iptables -t mangle -A POSTROUTING -j setmark

1. Packet enters POSTROUTING
2. Packet jumps to "setmark" chain
3. Packets having source address matching "193.220.70.0/27" are RETURNed to POSTROUTING
4. Packets having source address matching "193.108.240.0/22" are RETURNed to POSTROUTING
5. (now ONLY packets which do NOT have either of these source addresses are still in the "setmark" chain)
6. All packets (still in the "setmark" chain) are marked with 107
7. Packets fall off the end of the "setmark" chain and return to POSTROUTING (but they are now marked)
8. Packets fall off the end of POSTROUTING and continue through the kernel (presumably to be delivered to a network device)

Cheers, Chris.

Hi Ruslan, Hi Sven,

Sorry for the disturbance, but one more question: it looks like all other packets not from 193.220.70.0/27 and not from 193.108.240.0/22 will be marked, but I need to mark packets that have destination 193.220.70.32/27 and are not from the above-mentioned networks. What else should I add or modify?

Thanks in advance.
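The traversal Chris walks through, and the mismatch the last message points out, can be checked without a router by simulating the chain. The following is an added example, not code posted by anyone in this thread: a small model of the mangle POSTROUTING chain that implements only the semantics the thread relies on (-s/-d CIDR matches with or without "!", a jump into a user-defined chain, RETURN back to the calling chain, and the non-terminating MARK target). It builds the ruleset as first posted, the version with "!" removed, and a third ruleset that is my own suggested answer to the final question (match the destination on the jump into setmark and only the source on the RETURN rules; this is an assumption, not something the thread states). The packets are constructed sample addresses.

```python
"""Simulate how a packet traverses mangle POSTROUTING -> setmark (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """One 'iptables -t mangle -A <chain> ...' line."""
    src: Optional[str] = None     # -s CIDR; None means any source
    dst: Optional[str] = None     # -d CIDR; None means any destination
    src_neg: bool = False         # True models '-s ! CIDR'
    dst_neg: bool = False         # True models '-d ! CIDR'
    target: str = "RETURN"        # RETURN, MARK, or the name of a user-defined chain
    mark: int = 0                 # --set-mark value when target == "MARK"

    def matches(self, saddr, daddr) -> bool:
        # A match fails when "address in network" equals the negation flag.
        if self.src is not None and (saddr in ipaddress.ip_network(self.src)) == self.src_neg:
            return False
        if self.dst is not None and (daddr in ipaddress.ip_network(self.dst)) == self.dst_neg:
            return False
        return True


class MangleTable:
    def __init__(self):
        self.chains = {"POSTROUTING": []}   # built-in chain
        self.trace: List[str] = []

    def new_chain(self, name):              # iptables -t mangle -N name
        self.chains[name] = []

    def append(self, chain, rule):          # iptables -t mangle -A chain ...
        self.chains[chain].append(rule)

    def _walk(self, chain, saddr, daddr, mark):
        self.trace.append(f"enter {chain}")
        for i, rule in enumerate(self.chains[chain], 1):
            if not rule.matches(saddr, daddr):
                continue
            if rule.target == "RETURN":     # back to the calling chain, next rule there
                self.trace.append(f"{chain} rule {i}: RETURN")
                return mark
            if rule.target == "MARK":       # non-terminating: set the mark and keep walking
                mark = rule.mark
                self.trace.append(f"{chain} rule {i}: MARK --set-mark {mark}")
                continue
            self.trace.append(f"{chain} rule {i}: jump to {rule.target}")
            mark = self._walk(rule.target, saddr, daddr, mark)
        self.trace.append(f"fall off the end of {chain}")
        return mark

    def mark_for(self, saddr: str, daddr: str) -> Tuple[int, List[str]]:
        """Return (final fwmark, traversal trace) for one packet; 0 means unmarked."""
        self.trace = []
        mark = self._walk("POSTROUTING", ipaddress.ip_address(saddr),
                          ipaddress.ip_address(daddr), 0)
        return mark, self.trace


NET_A, NET_B, DST_NET = "193.220.70.0/27", "193.108.240.0/22", "193.220.70.32/27"


def ruleset_as_posted() -> MangleTable:
    """The chain as first suggested in the thread, with '-s !'."""
    t = MangleTable(); t.new_chain("setmark")
    t.append("setmark", Rule(src=NET_A, src_neg=True, dst=DST_NET, target="RETURN"))
    t.append("setmark", Rule(src=NET_B, src_neg=True, dst=DST_NET, target="RETURN"))
    t.append("setmark", Rule(target="MARK", mark=107))
    t.append("POSTROUTING", Rule(target="setmark"))
    return t


def ruleset_without_negation() -> MangleTable:
    """Chris's walk-through: the same rules with '!' removed."""
    t = MangleTable(); t.new_chain("setmark")
    t.append("setmark", Rule(src=NET_A, dst=DST_NET, target="RETURN"))
    t.append("setmark", Rule(src=NET_B, dst=DST_NET, target="RETURN"))
    t.append("setmark", Rule(target="MARK", mark=107))
    t.append("POSTROUTING", Rule(target="setmark"))
    return t


def ruleset_dst_on_jump() -> MangleTable:
    """Suggested fix (my assumption, not from the thread): only packets to DST_NET
    enter setmark; inside it the two source networks RETURN, the rest get marked."""
    t = MangleTable(); t.new_chain("setmark")
    t.append("setmark", Rule(src=NET_A, target="RETURN"))
    t.append("setmark", Rule(src=NET_B, target="RETURN"))
    t.append("setmark", Rule(target="MARK", mark=107))
    t.append("POSTROUTING", Rule(dst=DST_NET, target="setmark"))
    return t


# Constructed sample packets: (source, destination)
PACKETS = [
    ("198.51.100.7", "193.220.70.40"),   # outside both nets -> target net: should be marked
    ("193.220.70.5", "193.220.70.40"),   # from 193.220.70.0/27 -> target net: must not be marked
    ("193.108.241.9", "193.220.70.40"),  # from 193.108.240.0/22 -> target net: must not be marked
    ("198.51.100.7", "203.0.113.4"),     # outside both nets -> other destination: must not be marked
]


def marks(table: MangleTable) -> List[int]:
    """Final fwmark for each sample packet, in PACKETS order."""
    return [table.mark_for(s, d)[0] for s, d in PACKETS]


if __name__ == "__main__":
    for name, build in [("as posted", ruleset_as_posted),
                        ("'!' removed", ruleset_without_negation),
                        ("dst on jump", ruleset_dst_on_jump)]:
        print(f"{name:12s} marks = {marks(build())}")
    print("\n".join(ruleset_without_negation().mark_for(*PACKETS[0])[1]))
```

Running it shows the three behaviours side by side: the posted chain marks nothing that is destined for 193.220.70.32/27 and marks everything else; the chain with "!" removed marks packets from outside both networks regardless of destination, which is exactly what the last message complains about; the version with the destination on the jump marks only the first sample packet. The model assumes the old `-s ! CIDR` spelling means the same as the current `! -s CIDR` form, and it ignores everything else in the mangle table (other chains, policies, connection marks).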