kaiwen wrote:
> (2) [root@g root]# ip ro show table test2
> prohibit 192.168.8.88
> prohibit 192.168.250.197
> (3) [root@g root]# iptables -t mangle -L
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> MARK       all  --  anywhere             anywhere            MARK set 0x5
But you changed both the IP address for the prohibit *and* the
chain the mark is in. So you still won't get packets that match
both. Just change one or the other.
That is, if you want to drop an incoming ping packet, then the
prohibit must specify a local IP, and the mark rule must be in
the PREROUTING chain. If you want to drop an outgoing ping packet,
then the prohibit must specify a remote IP, and the mark rule must
be in the OUTPUT chain. You could also just always put the mark
rule in both PREROUTING and OUTPUT.
Here's another option: change the mark rule so that it specifies
the source or destination, and also change the prohibit to be
'prohibit any'.
> Take a look at ip rule: the first rule routes all packets to table local,
> which has a route for 192.168.8.0/24. Is it true that once there is one rule
> which matches the packet, it will route according to it? If so, I remove
> the route from table local and put it in table test2, which is
> Configuration B.
Yes, it will use the first route that matches. Note that moving the
route to table test2 will break routing for packets that don't use
table test2. You probably want to move it to table main.
--
Philip Craig - SnapGear, A CyberGuard Company - http://www.SnapGear.com
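The setup Philip describes above, as one script: the MARK rule goes in the chain the packet actually traverses (PREROUTING for incoming, OUTPUT for locally generated), the fwmark rule sends marked packets to the extra table, and the prohibit route names the packet's destination (the local address for incoming traffic, the remote one for outgoing). This is an added example, not code from the thread or from SnapGear. It reuses mark 0x5 and table test2 from kaiwen's output; the addresses, the function names prohibit_ping and check_ping_policy, and the APPLY switch are this example's own. It assumes test2 is listed in /etc/iproute2/rt_tables (or substitute a table number) and an iproute2 whose "ip route get" accepts a "mark" argument.

```shell
#!/bin/sh
# Added example, not code from the thread: builds the three pieces that have
# to agree for a fwmark-based prohibit to fire, using the mark (0x5) and table
# name (test2) from kaiwen's output. Addresses are placeholders.
# Assumption: "test2" is defined in /etc/iproute2/rt_tables (or use a number).
# Commands are printed unless APPLY=1, so the logic can be read without root.

MARK=0x5
TABLE=test2
APPLY=${APPLY:-0}

run() {
    if [ "$APPLY" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# prohibit_ping DIRECTION ADDR
#   in  ADDR : drop echo-requests arriving for local address ADDR
#   out ADDR : drop echo-requests this host sends to remote address ADDR
# Two things must line up with the direction:
#   - the MARK rule sits in the chain that direction actually traverses
#     (PREROUTING for incoming, OUTPUT for locally generated packets);
#   - the prohibit route names the packet's destination, which is the
#     local address for incoming traffic and the remote one for outgoing.
# The -d match in the mark rule is the "other option" from the reply: with
# it in place, the route could just as well be "prohibit default".
prohibit_ping() {
    dir=$1
    addr=$2
    case $dir in
        in)  chain=PREROUTING ;;
        out) chain=OUTPUT ;;
        *)   echo "direction must be 'in' or 'out'" >&2; return 2 ;;
    esac
    run iptables -t mangle -A "$chain" -p icmp --icmp-type echo-request \
        -d "$addr" -j MARK --set-mark "$MARK"
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add prohibit "$addr" table "$TABLE"
}

# Verify the pieces are in place: the rule list, the table contents, and the
# routing decision the kernel makes for a packet to ADDR that carries the mark
# (a prohibit route shows up as an error from "ip route get").
check_ping_policy() {
    addr=$1
    run ip rule show
    run ip route show table "$TABLE"
    run ip route get "$addr" mark "$MARK"
}

# Usage: APPLY=1 ./prohibit_ping.sh in 192.168.8.88
#        APPLY=1 ./prohibit_ping.sh out 192.168.250.197
if [ $# -ge 2 ]; then
    prohibit_ping "$1" "$2"
    check_ping_policy "$2"
fi
```

Read the "ip rule show" output before trusting the result: as the end of the thread says, the kernel takes the first matching route in rule order, so a table that comes earlier in the list and already holds a route covering ADDR wins over the prohibit in test2.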