
Re: Changing fwmarks stalls connection...



Hello, Niccolò Belli!
  On that day you wrote...

> I do CONNMARK RESTORE on PREROUTING:
> I MARK in FORWARD:
> I do CONNMARK SAVE in POSTROUTING:

All good hints. Thanks. Now I have:

1) restore on prerouting:

 $IPT -t mangle -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNMARK --restore-mark

2) mark on forward:

 $IPT -t mangle -A FORWARD -j mrk-pre-fwd
 $IPT -t mangle -A FORWARD -m state --state NEW -m mark --mark 0 -j mrk-post-fwd

3) mark moved from output to postrouting, with save:

 $IPT -t mangle -A POSTROUTING -j mrk-pre-out
 $IPT -t mangle -A POSTROUTING -m state --state NEW -m mark --mark 0 -j mrk-post-out
 $IPT -t mangle -A POSTROUTING -m mark --mark 0 -j MARK --set-mark $DEFAULT
 $IPT -t mangle -A POSTROUTING -m mark ! --mark 0 -j CONNMARK --save-mark


I use mrk-pre-fwd and mrk-pre-out to ''force'' marks for some types of
traffic or interfaces, while I use mrk-post-fwd and mrk-post-out for
generic marking, only for new traffic.


> You should check if everything is going fine using LOG/ULOG target:
> iptables -t mangle -A FORWARD -i ${EXT1} -o ethWEB -p tcp -m
> multiport --dports 80,443 -m state --state NEW -j LOG --log-prefix
> "**NEW** IN NAS0 "

I've setup a log entry:

 $IPT -t mangle -A POSTROUTING -m state --state NEW -j LOG --log-prefix "T=mangle C=PSTR A=new L=warn "

and did some tests, leaving the logging running for some minutes... all
marking goes well; no NEW packet got class '0'.


> FORWARD chain, the OUTPUT one can be much more challenging (for
> example having EXT1 as default gateway I have to ALLOW a specific
> traffic toward EXT1 even if I want it to go through EXT2, otherwise
> the system will not forge the packet).

I moved the marking from OUTPUT to POSTROUTING; I've revamped my script
so that locally generated traffic is handled more closely to forwarded
traffic, so...


Anyway, very little changed: a simple browser session to a ''complex''
site like, you know, corriere.it or repubblica.it, still stalls.


If I restore my old script, which uses only POSTROUTING, all works
flawlessly.


And I'm really angry; I don't understand why. ;-(((

-- 
dott. Marco Gaiarin				    GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''                http://www.sv.lnf.it/
  Polo FVG  -  Via della Bontà, 7 - 33078  -  San Vito al Tagliamento (PN)
  marco.gaiarin(at)sv.lnf.it	  tel +39-0434-842711  fax +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
	   http://www.lanostrafamiglia.it/chi_siamo/5xmille.php
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
--
To unsubscribe from this list: send the line "unsubscribe lartc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
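The three-step mark scheme discussed above (restore in PREROUTING, classify in FORWARD, default and save in POSTROUTING), written out as a complete, added example. This is not the poster's script and not from the lartc list: the interface names eth1/eth2, the gateway addresses, the fwmark values 1/2, the routing table numbers 101/102, the chain names mrk-fwd/mrk-out and the classification rules inside them are all assumptions for illustration. It also adds the part the poster's script does not show: locally generated traffic is marked in mangle OUTPUT rather than POSTROUTING. By default the script is a dry run (IPT and IP default to "echo"), so it prints the commands it would run; set IPT=iptables IP=ip to apply them as root.

```shell
#!/bin/sh
# Added example of the CONNMARK restore / mark / save scheme for policy routing.
# All interface names, addresses, marks and tables below are assumptions.
# Dry run by default: IPT and IP print the commands instead of applying them.
IPT="${IPT:-echo iptables}"
IP="${IP:-echo ip}"

EXT1=eth1                # assumed uplink 1
EXT2=eth2                # assumed uplink 2
GW1=192.0.2.1            # assumed gateway on EXT1 (documentation address)
GW2=198.51.100.1         # assumed gateway on EXT2 (documentation address)
MARK1=1                  # fwmark that selects EXT1
MARK2=2                  # fwmark that selects EXT2
DEFAULT=$MARK1           # uplink for connections nothing else classified

# Per-uplink routing tables, selected by fwmark at routing-decision time.
setup_routing() {
    $IP route add default via "$GW1" dev "$EXT1" table 101
    $IP route add default via "$GW2" dev "$EXT2" table 102
    $IP rule add fwmark "$MARK1" table 101
    $IP rule add fwmark "$MARK2" table 102
    $IP route flush cache
}

setup_marking() {
    # User chains holding the classification policy (assumed example rules).
    $IPT -t mangle -N mrk-fwd
    $IPT -t mangle -N mrk-out
    $IPT -t mangle -A mrk-fwd -p tcp -m multiport --dports 80,443 -j MARK --set-mark "$MARK2"
    $IPT -t mangle -A mrk-out -p tcp --dport 25 -j MARK --set-mark "$MARK2"

    # 1) Restore: every packet of a known connection gets the mark saved at
    #    connection start, so replies and later packets use the same uplink.
    #    Locally generated packets never traverse PREROUTING, so the restore
    #    is needed in OUTPUT as well.
    $IPT -t mangle -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
    $IPT -t mangle -A OUTPUT     -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark

    # 2) Classify only NEW, still unmarked connections. Forwarded traffic is
    #    classified in FORWARD; local traffic in OUTPUT, where a changed mark
    #    makes the kernel re-route the packet (a mark set in POSTROUTING is
    #    too late to affect the route of the packet that carries it).
    $IPT -t mangle -A FORWARD -m conntrack --ctstate NEW -m mark --mark 0 -j mrk-fwd
    $IPT -t mangle -A OUTPUT  -m conntrack --ctstate NEW -m mark --mark 0 -j mrk-out
    $IPT -t mangle -A OUTPUT  -m conntrack --ctstate NEW -m mark --mark 0 -j MARK --set-mark "$DEFAULT"

    # 3) Check, default and save. The LOG rule must precede the default-mark
    #    rule, otherwise it can never match; a hit means a classification gap.
    $IPT -t mangle -A POSTROUTING -m conntrack --ctstate NEW -m mark --mark 0 -j LOG --log-prefix "UNMARKED-NEW "
    $IPT -t mangle -A POSTROUTING -m conntrack --ctstate NEW -m mark --mark 0 -j MARK --set-mark "$DEFAULT"
    $IPT -t mangle -A POSTROUTING -m mark ! --mark 0 -j CONNMARK --save-mark
}

# Usage: sh mark.sh                       (dry run, prints the commands)
#        IPT=iptables IP=ip sh mark.sh    (applies them, requires root)
setup_routing
setup_marking
```

Two points a practitioner checking a scheme like this would want to confirm: the route of a locally generated packet is chosen before the mangle OUTPUT chain, and the kernel re-routes the packet only if its mark changes in that chain, so marking local traffic in POSTROUTING persists the mark into conntrack but cannot steer the packet that carries it; and since PREROUTING is never traversed by local packets, a restore rule is needed in OUTPUT too, or the second and later packets of a local connection are routed unmarked. Whether either of these is the cause of the stall described above is not something the post settles.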

