MARK not working

Hello,

I am having a problem receiving marked packets from the mangle table in
my filter table.  I have:

iptables -t mangle -A PREROUTING -i eth1 -p udp --dport 4500 -j MARK --set-mark 1
iptables -t filter -A INPUT -m mark --mark 1 -j LOG --log-prefix ipsec_nat_t
iptables -t filter -A INPUT -m mark --mark 1 -j ACCEPT
iptables -t filter -A INPUT -j LOG
iptables -t filter -A INPUT -j REJECT

I see that the packets are correctly getting marked in the mangle table,
but then it bypasses the log and accept rules eventually getting logged
and rejected.  I have trimmed the ruleset down a fair amount to try and
find the problem but I can't seem to get to the cause.  While I have
seen a fair amount of this subject on the mailing list I have not found
anything that seems relevant to this issue.

All feedback is appreciated.  More details below.
Sincerely,
DennisonWilliams

Kernel:  2.6.26-2-486
Distro: Debian 5.0.4
Iptables version: v1.4.2
iptables-save output:
# Generated by iptables-save v1.4.2 on Thu Apr  1 17:27:16 2010
*nat
:PREROUTING ACCEPT [67:12256]
:POSTROUTING ACCEPT [106:6673]
:OUTPUT ACCEPT [106:6673]
-A POSTROUTING -s 10.66.6.0/24 -d ! 10.66.7.0/24 -o eth1 -j MASQUERADE
COMMIT
# Completed on Thu Apr  1 17:27:16 2010
# Generated by iptables-save v1.4.2 on Thu Apr  1 17:27:16 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [617:152871]
:OUTPUT ACCEPT [1282:293981]
:Accounting - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p esp -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -m mark --mark 0x1 -j LOG --log-prefix "ipsec_nat_t"
-A INPUT -m mark --mark 0x1 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Apr  1 17:27:16 2010
# Generated by iptables-save v1.4.2 on Thu Apr  1 17:27:16 2010
*mangle
:PREROUTING ACCEPT [2504:776880]
:INPUT ACCEPT [1548:605475]
:FORWARD ACCEPT [956:171405]
:OUTPUT ACCEPT [1285:295001]
:POSTROUTING ACCEPT [2241:466406]
-A PREROUTING -i eth1 -p udp -m udp --dport 4500 -j MARK --set-xmark 0x1/0xffffffff
COMMIT
# Completed on Thu Apr  1 17:27:16 2010
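Added example, not part of the original post: a small first-match tracer for the INPUT chain quoted above. It parses the `-A INPUT` lines of the iptables-save output (embedded below as constructed sample input, copied from the post) and walks them the way netfilter does, stopping at the first rule whose target is ACCEPT, DROP or REJECT and continuing past LOG. Running a marked UDP/4500 packet from eth1 through it shows which rule actually terminates the traversal, which is the first thing to check whenever a later match rule appears to be "bypassed". The packet fields, the `trace` and `parse_rules` helpers and the 'POLICY' placeholder are all assumptions of this example; only the matches used in the post (`-i`, `-p`, `--dport`, `-m mark --mark`, `-m state --state`) are modelled, and anything else raises rather than being silently treated as a match.

```python
import shlex

# Constructed sample input: the INPUT chain exactly as the post's
# iptables-save output lists it (the Accounting and FORWARD chains omitted).
FILTER_TABLE = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p esp -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -m mark --mark 0x1 -j LOG --log-prefix "ipsec_nat_t"
-A INPUT -m mark --mark 0x1 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # LOG is non-terminating


def parse_rules(save_text, chain):
    """Turn the '-A <chain> ...' lines of iptables-save output into dicts.
    Only the matches used in the post are understood; any other option
    raises, so nothing unsupported is ever treated as 'matches'."""
    rules = []
    for line in save_text.splitlines():
        if not line.startswith("-A " + chain + " "):
            continue
        toks = shlex.split(line)
        rule = {"text": line, "iface": None, "proto": None, "dport": None,
                "mark": None, "states": None, "target": None}
        i = 2  # skip '-A <chain>'
        while i < len(toks):
            opt = toks[i]
            if opt == "!":
                raise ValueError("negated matches not supported: " + line)
            if opt == "-i":
                rule["iface"] = toks[i + 1]
            elif opt == "-p":
                rule["proto"] = toks[i + 1]
            elif opt == "-m":
                pass  # match-module loader; the following option carries the data
            elif opt == "--dport":
                rule["dport"] = int(toks[i + 1])
            elif opt == "--mark":  # value or value/mask, default mask is all ones
                val, _, mask = toks[i + 1].partition("/")
                rule["mark"] = (int(val, 0), int(mask, 0) if mask else 0xFFFFFFFF)
            elif opt == "--state":
                rule["states"] = set(toks[i + 1].split(","))
            elif opt == "-j":
                rule["target"] = toks[i + 1]
                break  # the rest are target options (--log-prefix, --reject-with)
            else:
                raise ValueError("unsupported option %r in: %s" % (opt, line))
            i += 2
        rules.append(rule)
    return rules


def matches(rule, pkt):
    """True if every match the rule carries agrees with the packet fields."""
    if rule["iface"] is not None and pkt["iface"] != rule["iface"]:
        return False
    if rule["proto"] is not None and pkt["proto"] != rule["proto"]:
        return False
    if rule["dport"] is not None and pkt.get("dport") != rule["dport"]:
        return False
    if rule["mark"] is not None:
        value, mask = rule["mark"]
        if (pkt["mark"] & mask) != value:
            return False
    if rule["states"] is not None and pkt["state"] not in rule["states"]:
        return False
    return True


def trace(rules, pkt):
    """Walk the chain with first-match semantics. Returns the 0-based indices
    of every rule the packet hit and the verdict of the terminating rule, or
    the placeholder 'POLICY' if the packet fell through to the chain policy."""
    hits = []
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            hits.append(idx)
            if rule["target"] in TERMINATING:
                return hits, rule["target"]
    return hits, "POLICY"


if __name__ == "__main__":
    rules = parse_rules(FILTER_TABLE, "INPUT")
    # A NAT-T packet carrying the mark the PREROUTING mangle rule sets.
    nat_t = {"iface": "eth1", "proto": "udp", "dport": 4500, "mark": 1, "state": "NEW"}
    for pkt in (nat_t, dict(nat_t, iface="eth0")):
        hits, verdict = trace(rules, pkt)
        print(pkt, "->", verdict, "via rule index", hits)
        for idx in hits:
            print("    ", rules[idx]["text"])
```

For the eth1 packet the trace stops at the plain `--dport 4500 -j ACCEPT` rule, so the two `-m mark` rules further down are never consulted for it; only a marked packet arriving on another interface reaches the LOG and ACCEPT pair. On the live box the same question is answered by the per-rule counters from `iptables -t filter -L INPUT -v -n -x`: a rule whose counter never moves is being shadowed by an earlier one. The tracer deliberately models a single pass through one chain; it does not follow what the kernel does with a packet after IPsec decapsulation, when the inner packet is handed back to the stack and traverses the chains again.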
