Hi all,

I have 2 ISPs on a Linux router and a local network with one Linux server and many Windows machines. The local network is masqueraded. I want to give access to ports 25 and 80 of my server from any incoming request (i.e. from my 2 ISPs).

I have made a DNAT translation, which works, but the outgoing answers are not routed correctly. Of course, the de-SNAT process is done before the routing process. So all packets follow the default route.

I looked for solutions on the LARTC mailing-list archive, in the LARTC documentation, on Google, and anywhere I know, but all the solutions I found won't work. Based on the LARTC 2 ISP sample (Chapter 4.2), I tried to mark my packets to be correctly routed (via a FWMARK), without success. But everything I read tells me this should work.

Here are my rules (from iptables-save):

    *mangle
    :PREROUTING ACCEPT [529944:316988323]
    :INPUT ACCEPT [374208:35129218]
    :FORWARD ACCEPT [4225914:2972153716]
    :OUTPUT ACCEPT [147094:14149367]
    :POSTROUTING ACCEPT [4855993:3030201798]
    -A PREROUTING -m conntrack --ctorigdst IP_OF_PPP0 -j MARK --set-mark 0x1
    -A PREROUTING -m conntrack --ctorigdst IP_OF_PPP1 -j MARK --set-mark 0x2
    -A PREROUTING -m connmark --mark 0x1 -j LOG --log-prefix "FWMARK1"
    COMMIT
    # Completed on Mon Nov 28 09:53:06 2005
    # Generated by iptables-save v1.2.11 on Mon Nov 28 09:53:06 2005
    *nat
    :PREROUTING ACCEPT [7696:835113]
    :POSTROUTING ACCEPT [29406:2303772]
    :OUTPUT ACCEPT [24589:1956035]
    -A PREROUTING -i ppp1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.4:80
    -A PREROUTING -i ppp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.4:80
    -A PREROUTING -i ppp1 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.4:25
    -A PREROUTING -i ppp0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.4:25
    -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp1 -j MASQUERADE
    -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 -j MASQUERADE
    COMMIT

I also have a routing table, but the line

    -A PREROUTING -m connmark --mark 0x1 -j LOG --log-prefix "FWMARK1"

doesn't give me any result!!!! Nothing is logged! My packets are not marked. Why?

I am on Debian Stable with kernel 2.6.14.2 (hand-made with make-kpkg) and the default iptables (v1.2.11) and iproute2 (iproute2-ss041019).

Does anyone have an idea? (or more ;-) )
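
An added example, not part of the original post: the MARK target sets the per-packet mark, which is matched with `-m mark` and by `ip rule ... fwmark`, while `-m connmark` tests the separate connection mark that MARK never sets. The script prints the marking, logging and policy-routing commands for two uplinks. The table numbers 101/102 and the `APPLY` switch are assumptions of this sketch, and each table is assumed to already hold a default route via its uplink.

```shell
#!/bin/sh
# Added example, not from the original post.
# Prints the commands by default; set APPLY=1 and run as root to execute them.
# Assumption: tables 101 and 102 already contain a default route via
# ppp0 and ppp1 respectively (table numbers are hypothetical).

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# setup_uplink <public-ip> <mark> <routing-table>
setup_uplink() {
    ip_addr=$1 mark=$2 table=$3

    # Packet mark: applied to every packet of a connection whose ORIGINAL
    # destination was this uplink's address, so replies coming back from
    # the DNATed server are marked as well.
    run iptables -t mangle -A PREROUTING -m conntrack --ctorigdst "$ip_addr" \
        -j MARK --set-mark "$mark"

    # Diagnostic rule: match the packet mark with "-m mark". A "-m connmark"
    # match tests the connection mark, which the MARK target never sets,
    # so such a rule stays silent.
    run iptables -t mangle -A PREROUTING -m mark --mark "$mark" \
        -j LOG --log-prefix "FWMARK$mark"

    # Policy routing: packets carrying this mark use the uplink's own table
    # instead of the main table's default route.
    run ip rule add fwmark "$mark" table "$table"
}

# setup_all <ip-of-ppp0> <ip-of-ppp1>
setup_all() {
    setup_uplink "$1" 1 101
    setup_uplink "$2" 2 102
    run ip route flush cache
}

# Stand-alone use: ./script.sh <ip-of-ppp0> <ip-of-ppp1>
if [ "$#" -eq 2 ]; then
    setup_all "$1" "$2"
fi
```

Once applied, `iptables -t mangle -L PREROUTING -v -n` shows per-rule packet counters, which confirms whether the MARK rules match without relying on the LOG rule.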