Hi Victor, Everybody,
After committing too many errors while composing messages, I ran the rules from the command line and the problem was fixed. The problem was that I shouldn't have used the output interface name in mangle's PREROUTING chain, i.e., I should have used
iptables -t mangle -A PREROUTING -i eth0 -d 192.168.1.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i eth1 -d 192.168.0.0/24 -j MARK --set-mark 1
I have been running these commands from a script and it didn't show the error messages. That's why I have disturbed all of you.
Thanks & Regards
Sudheer
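The fix above came down to two things: MARK belongs in the mangle table, and PREROUTING cannot match on an output interface because routing has not happened yet. As an added example (not code from anyone in this thread), here is a small rule loader that checks both points before calling iptables and aborts on the first failure, so a mistyped rule in a script is reported rather than silently skipped, which is what hid the error here. Interface names and subnets are the ones from the thread; `check_rule`, `add_rule` and `load_rules` are the example's own helpers, and `IPTABLES=echo` makes it a dry run.

```shell
#!/bin/sh
# Added example, not from the thread: validate iptables rules for the two
# mistakes discussed above (MARK outside the mangle table, an output
# interface in PREROUTING) and stop on the first error instead of carrying
# on as the original script did. Set IPTABLES=echo to dry-run.
set -e
IPTABLES="${IPTABLES:-iptables}"

# check_rule TABLE CHAIN MATCHES...
# Returns 0 if the rule passes the sanity checks, 1 (with a message) if not.
check_rule() {
    cr_table=$1
    cr_chain=$2
    shift 2
    cr_rule=" $* "
    # As noted in the thread, MARK is accepted only in the mangle table.
    case "$cr_rule" in
        *" -j MARK "*)
            if [ "$cr_table" != mangle ]; then
                echo "check_rule: MARK target is only valid in the mangle table (got $cr_table)" >&2
                return 1
            fi ;;
    esac
    # Before routing the output interface is unknown, so -o is rejected in
    # PREROUTING and INPUT; after routing -i is meaningless in POSTROUTING/OUTPUT.
    case "$cr_chain" in
        PREROUTING|INPUT)
            case "$cr_rule" in
                *" -o "*) echo "check_rule: -o cannot be used in $cr_chain" >&2; return 1 ;;
            esac ;;
        POSTROUTING|OUTPUT)
            case "$cr_rule" in
                *" -i "*) echo "check_rule: -i cannot be used in $cr_chain" >&2; return 1 ;;
            esac ;;
    esac
    return 0
}

# add_rule TABLE CHAIN MATCHES...: validate, then append; abort on any failure.
add_rule() {
    check_rule "$@" || exit 1
    ar_table=$1
    ar_chain=$2
    shift 2
    "$IPTABLES" -t "$ar_table" -A "$ar_chain" "$@"
}

load_rules() {
    # Mark LAN-to-LAN traffic by input interface and destination subnet only,
    # exactly as in the corrected rules above.
    add_rule mangle PREROUTING -i eth0 -d 192.168.1.0/24 -j MARK --set-mark 1
    add_rule mangle PREROUTING -i eth1 -d 192.168.0.0/24 -j MARK --set-mark 1
    # Forward only what was marked; everything else stays under the DROP policy.
    add_rule filter FORWARD -m mark --mark 1 -j ACCEPT
}

# Rules are applied only when explicitly asked for (./rules.sh apply), so the
# file can be sourced to reuse the checks without touching the firewall.
case "${1:-}" in
    apply) load_rules ;;
esac
```

Because the mark rules restrict by input interface and destination subnet, the single `-m mark --mark 1 -j ACCEPT` in FORWARD only opens LAN-to-LAN traffic; anything unmarked still hits the DROP policy.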
Victor Julien wrote:
Hi Sudheer,
As far as I know you can only use --set-mark in the mangle table. You are trying to use it in the nat table.
Try:
iptables -t mangle -A PREROUTING -i eth0 -o eth2 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i eth1 -o eth0 -j MARK --set-mark 1
Regards, Victor
On Thursday 28 October 2004 13:07, Sudheer Divakaran wrote:
Hi, I'm facing a problem with MARK target.
My Linux box has 3 network cards
eth0 - LAN1
eth2 - LAN2
eth3 - ISP
My problem is that my LAN machines are not able to communicate with each other (i.e. LAN1 <-> LAN2). The firewall blocks them. But my LAN clients have no problem accessing the internet!
Here is my configuration.
# eth0 - LAN1
# eth2 - LAN2
# eth3 - ISP
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t nat -A PREROUTING -i eth0 -o eth2 -j MARK --set-mark 1 #THIS IS NOT WORKING
iptables -t nat -A PREROUTING -i eth1 -o eth0 -j MARK --set-mark 1 #THIS IS NOT WORKING
#Other rules follow... Not listed here
iptables -A FORWARD -m mark --mark 1 -j ACCEPT #THIS IS NOT WORKING
#Other rules follow... Not listed here
I know that I can do it directly from the FORWARD chain of the filter table, but I'm using SQUID for transparent proxying for some machines (those rules are not listed here), so I want to mark some packets. Could someone please help me with this?
Thanks
Sudheer