conntrack match failed, packets not FWMarked

Hi all,

I have 2 ISPs on a Linux router and a local network with one Linux server
and many Windows hosts. The local network is masqueraded.

I want to give access to ports 25 and 80 of my server to any incoming
request (i.e. from my 2 ISPs). I have made a DNAT translation, which works, but
the outgoing answers are not routed correctly. Of course, the de-SNAT
process is done before the routing process, so all packets follow the default
route.

I looked for solutions in the LARTC mailing-list archive, in the LARTC
documentation, on Google, and anywhere else I know, but none of the solutions I found
work.
Based on the LARTC 2-ISP sample (Chapter 4.2), I tried to mark my packets to
be correctly routed (via a FWMARK), without success. But everything I read
tells me this should work.

Here are my rules (from iptables-save):

*mangle
:PREROUTING ACCEPT [529944:316988323]
:INPUT ACCEPT [374208:35129218]
:FORWARD ACCEPT [4225914:2972153716]
:OUTPUT ACCEPT [147094:14149367]
:POSTROUTING ACCEPT [4855993:3030201798]
-A PREROUTING -m conntrack --ctorigdst IP_OF_PPP0 -j MARK --set-mark 0x1
-A PREROUTING -m conntrack --ctorigdst IP_OF_PPP1 -j MARK --set-mark 0x2
-A PREROUTING -m connmark --mark 0x1 -j LOG --log-prefix "FWMARK1"
COMMIT
# Completed on Mon Nov 28 09:53:06 2005
# Generated by iptables-save v1.2.11 on Mon Nov 28 09:53:06 2005
*nat
:PREROUTING ACCEPT [7696:835113]
:POSTROUTING ACCEPT [29406:2303772]
:OUTPUT ACCEPT [24589:1956035]
-A PREROUTING -i ppp1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.4:80
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.4:80
-A PREROUTING -i ppp1 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.4:25
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.4:25
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp1 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 -j MASQUERADE
COMMIT


I also have the routing tables, but the line -A PREROUTING -m connmark --mark 0x1
-j LOG --log-prefix "FWMARK1" doesn't give me any result!!!! Nothing is
logged! My packets are not marked. Why?

I am on Debian stable with kernel 2.6.14.2 (hand-built with make-kpkg)
and the default iptables (v1.2.11) and iproute2 (iproute2-ss041019).

Does anyone have an idea? (or more ;-) )
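The following is an added example, not code from the post above, showing the rule set the LARTC two-uplink setup is built around: the first packet of a connection arriving on an uplink gets that uplink's packet mark, CONNMARK --save-mark copies it into the connection, and CONNMARK --restore-mark puts it back on every later packet of the connection, including the server's de-NATed replies, so an "ip rule ... fwmark" can pick the routing table with that uplink's default route. Two things worth knowing when reading it: MARK sets only the packet mark, and "-m connmark" tests the connection mark, so a connmark match placed before any CONNMARK --save-mark never fires, whatever MARK did earlier in the chain; and a DNAT rule does not by itself permit traffic, the filter table's FORWARD chain still has to allow it. The LAN interface name eth0, the use of "dev ppp0"/"dev ppp1" default routes (point-to-point links need no gateway address), and routing-table numbers 1 and 2 are assumptions standing in for values the post does not give. The script prints the commands by default and only executes them with APPLY=1.

```shell
#!/bin/sh
# Added example, not code from the original post: two-uplink policy routing
# for DNAT'd services, with the uplink choice carried in the connection mark.
# Assumptions (not in the post): LAN side is eth0, ppp0/ppp1 are point-to-point
# (default routes use "dev" only), tables 1 and 2 are unused.
ISP0_IF=ppp0
ISP1_IF=ppp1
LAN_IF=eth0
LAN_NET=192.168.1.0/24
SERVER=192.168.1.4

routing_cmds() {
  # One table per uplink, selected by the firewall mark set in mangle.
  cat <<EOF
ip route add default dev $ISP0_IF table 1
ip route add default dev $ISP1_IF table 2
ip rule add fwmark 1 table 1
ip rule add fwmark 2 table 2
ip route flush cache
EOF
}

mangle_cmds() {
  # Order matters:
  #  1. restore the saved connection mark onto the packet (a reply from the
  #     server gets the mark its connection received when it arrived);
  #  2. still-unmarked packets arriving from an uplink get that uplink's mark;
  #  3. copy the packet mark into the connection mark.
  # MARK sets the packet mark only; "-m connmark" tests the connection mark,
  # so the LOG check has to sit after CONNMARK --save-mark to ever match.
  cat <<EOF
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i $ISP0_IF -m mark --mark 0 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -i $ISP1_IF -m mark --mark 0 -j MARK --set-mark 0x2
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
iptables -t mangle -A PREROUTING -m connmark --mark 0x1 -j LOG --log-prefix "FWMARK1 "
EOF
}

nat_cmds() {
  # The same DNAT and MASQUERADE rules as in the post, generated per uplink/port.
  for ifc in $ISP0_IF $ISP1_IF; do
    for port in 25 80; do
      echo "iptables -t nat -A PREROUTING -i $ifc -p tcp --dport $port -j DNAT --to-destination $SERVER:$port"
    done
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $ifc -j MASQUERADE"
  done
}

filter_cmds() {
  # DNAT only rewrites addresses; FORWARD must still admit exactly the
  # published ports to the server plus the established/related traffic.
  cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -o $LAN_IF -d $SERVER -p tcp -m multiport --dports 25,80 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

all_cmds() {
  routing_cmds
  mangle_cmds
  nat_cmds
  filter_cmds
}

if [ "${APPLY:-0}" = 1 ]; then
  all_cmds | sh -ex      # execute on the router
else
  all_cmds               # dry run: print the commands for review
fi
```

To confirm the marks are really being applied, look at the per-rule packet counters with "iptables -t mangle -L PREROUTING -v -n" rather than relying on the LOG rule alone. Two caveats: with strict reverse-path filtering (rp_filter) a packet that arrives on ppp1 while the main table's default route points at ppp0 can be dropped before any of this runs, so check /proc/sys/net/ipv4/conf/*/rp_filter on both uplinks; and the mangle rules above cover forwarded traffic only, a service running on the router itself would need the same CONNMARK --restore-mark in the mangle OUTPUT chain so its own replies are routed by mark.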
