Re: fail in the connmark load-balancing



Let me explain my post a bit :D

On 2012-03-02 22:24, Usuário do Sistema wrote:

iptables -t mangle -N MARKS
iptables -t mangle -A MARKS -j RETURN -m mark ! --mark 0/3
If we have a mark (either 1 or 2 or 3) then we should just RETURN because we already set the mark...
iptables -t mangle -A MARKS -j MARK --set-mark 3/3 -m state --state ESTABLISHED,RELATED
If the connection is already ESTABLISHED or it is RELATED to another connection then just mark it as 3.
iptables -t mangle -A MARKS -j MARK --set-mark 1/3 -m mark --mark 0/3 -m statistic --mode nth --every 2
Every 2nd connection should be marked as 2.
iptables -t mangle -A MARKS -j MARK --set-mark 2/3 -m mark --mark 0/3
Every other connection is marked as 1.
Sorry, but I did understand the mark x/y as you wrote above. Why did
you use --set-mark 1 or --set-mark 2 ??
x is the mark, y is the mask...
0 -> not marked -> new or already established but not marked (see mark 3)
1 -> new connection that should go out on interface 1.
2 -> new connection that should go out on interface 2.
3 -> any other but marked so we do not check again. (ESTABLISHED, RELATED)
I think when it uses the mark x/y, y is a mask, but I don't know what
the match is ?!?! If someone has a doc about that please post here.
man iptables (MARK target):

       --set-mark value[/mask]
              Zeroes out the bits given by mask and ORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed.

I haven't done any tests yet with your suggested Swifty. I'll tell you when I do.


After reading my post I found out that my script can be fine-tuned ... :D

In mangle/PREROUTING change these lines:
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -j MARKS

to this:
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -j MARK --set-mark 1/3 -m mark --mark 0/3 -i eth2
iptables -t mangle -A PREROUTING -j MARK --set-mark 2/3 -m mark --mark 0/3 -i eth0
iptables -t mangle -A PREROUTING -j MARKS

This modification ensures that any incoming connection (whether it terminates at the firewall or gets FORWARDED) is pinned to the same interface it came in on, before the nth-based balancing in MARKS gets a chance to pick the other one.
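To check the x/y arithmetic from the man page excerpt against both the MARKS chain and the revised PREROUTING rules without touching a live firewall, here is an added shell model (not the script from this thread and not anything from the netfilter project): it applies the --set-mark value/mask and --mark value/mask definitions to a packet walking through the rules and reports the resulting mark. The interface names eth0/eth2 are the ones from the post; the assumption that "-m statistic --mode nth --every 2" with the default --packet 0 matches the first packet it sees and then every second one is mine.

```shell
#!/bin/sh
# Model of the packet-mark arithmetic behind the MARKS/PREROUTING rules above.
# Nothing here calls iptables; each function computes the mark a packet would
# carry after the corresponding rule.

# MARK --set-mark value/mask: clear the mask bits, then OR the value in.
set_mark() { echo $(( ($1 & ~$3) | $2 )); }

# -m mark --mark value/mask: true when the masked mark equals value.
mark_matches() { [ $(( $1 & $3 )) -eq "$2" ]; }

# One packet through the MARKS chain.
#   $1 mark restored by CONNMARK --restore-mark
#   $2 conntrack state (NEW, ESTABLISHED, RELATED)
#   $3 packets the statistic rule has already seen (assumption: with the
#      default --packet 0, "--mode nth --every 2" matches packet 0, 2, 4, ...)
marks_chain() {
  mark=$1 state=$2 seen=$3
  # -j RETURN -m mark ! --mark 0/3: already classified, keep the mark as is
  mark_matches "$mark" 0 3 || { echo "$mark"; return; }
  # --set-mark 3/3 for ESTABLISHED,RELATED
  case $state in
    ESTABLISHED|RELATED) set_mark "$mark" 3 3; return ;;
  esac
  # --set-mark 1/3 on every 2nd new connection, --set-mark 2/3 on the rest
  if [ $(( seen % 2 )) -eq 0 ]; then set_mark "$mark" 1 3
  else set_mark "$mark" 2 3; fi
}

# The revised PREROUTING chain: restore, pin by input interface, then MARKS.
#   $1 restored connmark, $2 input interface, $3 conntrack state, $4 packets seen
prerouting() {
  mark=$1
  case $2 in
    eth2) mark_matches "$mark" 0 3 && mark=$(set_mark "$mark" 1 3) ;;
    eth0) mark_matches "$mark" 0 3 && mark=$(set_mark "$mark" 2 3) ;;
  esac
  marks_chain "$mark" "$3" "$4"
}

# Constructed walk-through: new flows alternate, established flows get 3,
# bits outside the 0/3 mask are untouched, and input interface wins.
for p in "0 NEW 0" "0 NEW 1" "0 ESTABLISHED 5" "16 NEW 0"; do
  set -- $p; printf 'MARKS mark=%s state=%s seen=%s -> %s\n' "$@" "$(marks_chain "$@")"
done
printf 'PREROUTING eth2 NEW seen=1 -> %s\n' "$(prerouting 0 eth2 NEW 1)"
```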
