[LARTC] Match packet mark with --set-mark to ip rule fwmark
kaiwen
cal_kaiwen@hotmail.com
Wed, 7 Jan 2004 11:31:45 +0800
Hi,
Here I am trying something simple.
My objective is to make ip rule fwmark command work :)
Network Diagram:
--- 192.168.250.197 (eth0) Linux Box (eth1) 192.168.8.88 -------------192.168.8.122 (eth0) Windows XP Client
Configuration done on Linux Box:-
(1) [root@g webauth]# iptables -t mangle -A PREROUTING -j MARK --set-mark 5
[root@g webauth]# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
MARK all -- anywhere anywhere MARK set 0x5
(2) [root@g webauth]# ip rule add fwmark 5 table test2
[root@g webauth]# ip rule
0: from all lookup local
32765: from all fwmark 5 lookup test2
32766: from all lookup main
32767: from all lookup 253
(3) [root@g webauth]# ip ro show table test2
prohibit 192.168.8.122
I expect ping from 192.168.8.122 to 192.168.250.197 to be dropped, BUT it is
successful. Why?
Did I miss out anything? Please advise.
Thank you
Kaiwen
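To trace what the posted rules and tables do with a packet, here is an added Python model of the Linux policy-routing lookup (ip rule priorities, per-table longest-prefix match, fall-through to the next rule when a table has no matching route). It is example code written for this archive page, not code from the post, the LARTC HOWTO or the kernel. The contents of the local and main tables are constructed from the addresses in the network diagram and are an assumption; the test2 table and the fwmark rule are taken from the post as shown.

```python
"""Model of ip rule / ip route lookup, used to trace the posted setup.

Added example; not from the mailing-list post.  Table contents for
"local" and "main" are constructed from the addresses in the post.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Route:
    prefix: str                 # destination prefix, "192.168.8.122" means /32
    kind: str                   # "unicast", "local", "prohibit", ...
    dev: Optional[str] = None   # outgoing interface for unicast/local routes


@dataclass
class Rule:
    priority: int
    table: str
    fwmark: Optional[int] = None   # None means "match any mark"
    src: Optional[str] = None      # "from" selector; None means "from all"


def table_lookup(routes, dst):
    """Longest-prefix match inside one table; None if nothing matches."""
    addr = ip_address(dst)
    best, best_len = None, -1
    for r in routes:
        net = ip_network(r.prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def policy_lookup(rules, tables, dst, src, mark=0):
    """Walk rules by priority; the first table holding a matching route decides.

    A rule whose table has no route for dst is skipped and the next
    rule is tried, which is the kernel behaviour relevant to the post.
    Returns (rule priority, table, route kind, device) or None.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.fwmark is not None and rule.fwmark != mark:
            continue
        if rule.src is not None and ip_address(src) not in ip_network(rule.src):
            continue
        hit = table_lookup(tables[rule.table], dst)
        if hit is not None:
            return (rule.priority, rule.table, hit.kind, hit.dev)
    return None


# Constructed from the post: local/main tables assumed from the diagram,
# test2 and the fwmark rule exactly as shown by "ip rule" / "ip ro show".
TABLES = {
    "local": [Route("192.168.250.197", "local", "eth0"),
              Route("192.168.8.88", "local", "eth1")],
    "test2": [Route("192.168.8.122", "prohibit")],
    "main": [Route("192.168.250.0/24", "unicast", "eth0"),
             Route("192.168.8.0/24", "unicast", "eth1")],
}
RULES = [Rule(0, "local"), Rule(32765, "test2", fwmark=5), Rule(32766, "main")]


def trace_post():
    """Three lookups that show how the posted configuration is evaluated."""
    box, client = "192.168.250.197", "192.168.8.122"
    return {
        # echo request from the client, marked 5 in mangle PREROUTING:
        # dst is a local address, so priority-0 "local" table answers first
        "marked request to box": policy_lookup(RULES, TABLES, box, client, mark=5),
        # a marked packet whose dst really is 192.168.8.122 hits the prohibit route
        "marked packet to client": policy_lookup(RULES, TABLES, client, box, mark=5),
        # the echo reply is generated locally and never traverses PREROUTING,
        # so it carries no mark and test2 is not consulted at all
        "unmarked reply to client": policy_lookup(RULES, TABLES, client, box, mark=0),
    }


if __name__ == "__main__":
    for label, result in trace_post().items():
        print(f"{label:25s} -> {result}")
```

Two properties of the lookup stand out when the model is run: a prohibit route matches on the packet's destination, so it only affects traffic addressed to 192.168.8.122, and the local table at priority 0 is consulted before any fwmark rule, so packets addressed to the box itself are delivered before table test2 is ever reached.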