Also, after much time banging my head against the wall trying to figure out why my marks were ignored, I discovered that in spite of what the netfilter packet traversal diagram shows, marks set in PREROUTING are ignored for packets originating on the box doing the routing, and the marks need to be set on the OUTPUT chain for that case (you still need to set the mark on the PREROUTING chain on packets traveling through the routing server). This is with kernel 2.6.16.5 and iptables v1.3.3.

Frank

On 5/10/06, Alexandru Dragoi <alex@xxxxxxxxxx> wrote:
Andre Kalamandeen wrote:
> Hey all, I'm trying to mark packets and use the kernel routing table to get
> the packets to go where I want. The problem that I have with this is that
> even though the packets are being marked (I checked using
> "iptables -t mangle -vnL") it doesn't seem to be going through the correct
> route. I've followed this guide:
>
> http://edseek.com/archives/2006/05/01/configuring-multipath-routing-for-ports-without-balancing/
>
> but all traffic goes through the default route and not the marked one.
>
> # ip rule gives:
> 0: from all lookup local
> 200: from all fwmark 0x4 lookup 201
> 32766: from all lookup main
> 32767: from all lookup default
>
> # ip route show table 201
> default via 192.168.77.2 dev eth3
>
> the iptables command I use to mark is:
> # iptables -t mangle -A PREROUTING -m string --algo bm --string "yahoo.com" -j MARK --set-mark 0x4
>
> I've also flushed the route cache,....any help?
>
> Thanks.

That rule maybe routes only some packets of a connection, not the entire stream. As a tip, it is good to put some static routes in table 201, like

# ip ro add 182.168.77.0/24 dev eth3 table 201

and so on with all local networks.
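The following script is an added example for this thread, not code posted by Andre, Alexandru or Frank. It puts the three points raised above into one place: the mark is set in OUTPUT as well as PREROUTING so locally generated traffic is covered, CONNMARK copies the mark to every packet of a connection rather than only the packet that carries the matched string, and table 201 gets a route for the local network in addition to the default. The values are assumptions taken from Andre's post (mark 0x4, table 201, gateway 192.168.77.2 on eth3, string "yahoo.com"); the local network 192.168.77.0/24 and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example for this thread (not code from any of the posters).
# Assumed values, taken from Andre's post where available: mark 0x4,
# table 201, gateway 192.168.77.2 on eth3, matched string "yahoo.com".
# The local network 192.168.77.0/24 is an assumption of this example.
MARK=0x4
TABLE=201
GW=192.168.77.2
DEV=eth3
LOCALNET=192.168.77.0/24
MATCH="yahoo.com"

# run: print the command when DRY_RUN=1 (the default, so the script can be
# reviewed without root), otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# mark_rules installs the mangle rules for one chain. PREROUTING only sees
# packets forwarded through this box; traffic generated on the box itself
# has to be marked in OUTPUT (Frank's observation). CONNMARK carries the
# mark to the rest of the stream, since only the packet that contains the
# string matches the -m string rule.
mark_rules() {
    chain="$1"
    # 1. restore a mark already saved on the connection
    run iptables -t mangle -A "$chain" -j CONNMARK --restore-mark
    # 2. first packet of a new stream: match the string and mark it
    run iptables -t mangle -A "$chain" -m mark --mark 0 -m string --algo bm \
        --string "$MATCH" -j MARK --set-mark "$MARK"
    # 3. save the mark on the connection for the packets that follow
    run iptables -t mangle -A "$chain" -m mark --mark "$MARK" -j CONNMARK --save-mark
}

# route_rules builds table 201: the fwmark rule, the local network (so marked
# packets for neighbours are not all sent to the gateway), the default
# route, and a route cache flush so the new table takes effect.
route_rules() {
    run ip rule add fwmark "$MARK" lookup "$TABLE" pref 200
    run ip route add "$LOCALNET" dev "$DEV" table "$TABLE"
    run ip route add default via "$GW" dev "$DEV" table "$TABLE"
    run ip route flush cache
}

# apply_all covers both traffic paths and then the routing side.
apply_all() {
    mark_rules PREROUTING   # traffic routed through this box
    mark_rules OUTPUT       # traffic originating on this box
    route_rules
}

apply_all
```

Run it as is to print the commands for review; run it as root with DRY_RUN=0 to apply them. The `-m mark --mark 0` condition on the string rule keeps packets that already received a mark from the restore step away from the string search, and the CONNMARK save step then propagates the mark to the whole stream, which is the gap Alexandru points out. As in Andre's post, `iptables -t mangle -vnL` shows whether the OUTPUT and PREROUTING rules are actually seeing traffic.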