Ian! D. Allen wrote:
> How do I arrange that *all* the packets get marked, even the "FIN" ones?

I couldn't get CONNMARK working (save-mark and restore-mark don't appear to work for me); but the kludge rule set below did get the final post-connection FIN packets marked and routed correctly:

    # This rule and table sends marked packets out eth1 instead of eth0:
    #
    ip rule add from all fwmark 5 lookup 2

    # Mark anything that tries to go out eth0 owned by session ID $PID:
    #
    iptables -t mangle -A OUTPUT -o $IF0 -m owner --sid-owner $PID \
        -j MARK --set-mark 5

    # Find the real source address of eth1 and SNAT all marked packets to it:
    #
    inet1=$( ifconfig $IF1 | grep 'inet addr:' | tr ':' ' ' | awk '{print $3}' )
    iptables -t nat -A POSTROUTING -m mark --mark 5 \
        -j SNAT --to-source $inet1

    # All SNATd packets destined for eth0 must also be marked:
    #
    iptables -t mangle -A OUTPUT -o $IF0 -m conntrack --ctstate SNAT \
        -j MARK --set-mark 5

That last conntrack entry is the kludge that sets the mark for anything that uses SNAT. The SNAT is started by anything in the given $PID session ID. When the connection closes, the session ID stops marking packets; but the SNAT keeps going and keeps marking the FIN packets properly. Ugly.

-- 
-IAN!
Ian! D. Allen  Ottawa, Ontario, Canada
EMail: idallen@xxxxxxxxxx  WWW: http://www.idallen.com/
College professor (Linux) via: http://teaching.idallen.com/
Support free and open public digital rights: http://eff.org/