Score:0

iptables fwmark doesn't work, always routes from default table


The mangle table:

Chain OUTPUT (policy ACCEPT 9427K packets, 26G bytes)
 pkts bytes target     prot opt in     out     source               destination          
  19M   48G CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore mask 0xff00000
 7717  435K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00000 statistic mode random probability 0.50000000000 MARK xset 0x8100000/0xff00000
 7609  428K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00000 MARK xset 0x8000000/0xff00000          
  19M   48G MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK xset 0xa0000000/0xf0000000
  19M   48G CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK save mask 0xff00000

the nat table:

Chain POSTROUTING (policy ACCEPT 1552 packets, 85467 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    2   104 MASQUERADE  all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type LOCAL
    4   208 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0       
461K   26M MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0              ADDRTYPE match src-type LOCAL

ip rule:

0:  from all lookup local 
100:    from 192.168.0.0/24 lookup 9999 
198:    from ip1 lookup 10001 
199:    from ip2 lookup 10000 
200:    from all fwmark 0x8000000/0xff00000 lookup 10000 
200:    from all fwmark 0x8100000/0xff00000 lookup 10001 
32766:  from all lookup main 
32767:  from all lookup default

ip r

default dev ppp1 scope link 
default dev ppp0 scope link 
default via 192.168.0.1 dev eth0 
x.x.x.0/25 dev ppp0 proto kernel scope link src ip1 
x.x.x.0/25 dev ppp1 proto kernel scope link src ip2 
169.254.0.0/16 dev eth0 scope link metric 1002 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.107

ip r show table 10000:

default via x.x.x.1 dev ppp0

ip route get ip3:

ip3 dev ppp1 src x.x.x.x uid 0 
    cache

cat /etc/sysctl.conf:

net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.all.rp_filter = 2
net.ipv4.ip_forward = 1

It always routes via the default route table, instead of ppp0, ppp1, ppp0, ppp1. Any idea?

setenforce 1:
Did you try to `traceroute` instead? `ip route get` won't create a packet, so the packet won't have a mark, so unless you pass the mark as an option it won't match rule 200.
sx5486510:
@setenforce1 I pinged 223.5.5.5 and checked with `conntrack -L`; the mark is correct.
setenforce 1:
By correct you mean 0x8100000 or 0x8000000? If so, your configuration is working then? Or you still have bad behaviour?
sx5486510:
Yes, the mark works, but the src is wrong:

udp 17 9 src=ip1 dst=223.5.5.5 sport=52386 dport=53 src=223.5.5.5 dst=ip1 sport=53 dport=52386 mark=134217728 use=1
udp 17 20 src=ip1 dst=223.5.5.5 sport=59565 dport=53 src=223.5.5.5 dst=ip1 sport=53 dport=59565 mark=135266304 use=1

The source address of these two records should be different.
Score:0

You should start by making sure your routing tables are working with:

ip rule add to 1.1.1.1 table 10000
ping -c 3 1.1.1.1
ip rule del to 1.1.1.1 table 10000
ip rule add to 1.1.1.1 table 10001
ping -c 3 1.1.1.1
ip rule del to 1.1.1.1 table 10001

If they are not, you might need to add x.x.x.0/25 dev ppp0 proto kernel scope link src ip1 in table 10000 and x.x.x.0/25 dev ppp1 proto kernel scope link src ip2 in table 10002.

If they are, you can check if your rules are fine:

ip route get 223.5.5.5 mark 0x10000
ip route get 223.5.5.5 mark 0x10001

If they are not, you might need to change your rules until it can match the marking.

If they are, your marking with netfilter may be wrong, you would have to change it until the mark is the one you want.

sx5486510:
Rules are fine; in my case with `ip route get 223.5.5.5 mark 0x8000000` or `ip route get 223.5.5.5 mark 0x8100000` I get `223.5.5.5 via gateway dev ppp0 table 10000 src ip1 mark 0x8000000 uid 0` and `223.5.5.5 via gateway dev ppp1 table 10001 src ip2 mark 0x8100000 uid 0`. Looks ok.
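A way to automate the check sx5486510 did by eye on the `conntrack -L` output above (added example, not from the thread): group conntrack entries by mark and report when two different marks share the same original-direction source address. The sample lines are the two entries quoted in the thread; `ip1` is the thread's placeholder, real output carries an IP address there.

```shell
#!/bin/sh
# Constructed sample: the two conntrack entries from the thread, one per line.
SAMPLE='udp 17 9 src=ip1 dst=223.5.5.5 sport=52386 dport=53 src=223.5.5.5 dst=ip1 sport=53 dport=52386 mark=134217728 use=1
udp 17 20 src=ip1 dst=223.5.5.5 sport=59565 dport=53 src=223.5.5.5 dst=ip1 sport=53 dport=59565 mark=135266304 use=1'

# marks_by_src: read `conntrack -L` lines on stdin and print one
# "<mark in hex> <src>" line per distinct combination, sorted.
# Only the first src= on a line is used: that is the original direction,
# i.e. the source address the kernel actually put on the outgoing packet
# (the second src= is the reply tuple).
marks_by_src() {
    awk '{
        src = ""; mark = ""
        for (i = 1; i <= NF; i++) {
            if (src == "" && $i ~ /^src=/) src = substr($i, 5)
            if ($i ~ /^mark=/) mark = substr($i, 6)
        }
        if (src != "" && mark != "") seen[sprintf("0x%x %s", mark, src)] = 1
    }
    END { for (k in seen) print k }' | sort
}

# shared_src: print "SHARED <src>" when more than one mark maps to the same
# source address. With one mark per uplink (0x8000000 -> ppp0/ip1,
# 0x8100000 -> ppp1/ip2 in the thread) every mark should have its own src;
# a SHARED line reproduces exactly the symptom reported above.
shared_src() {
    marks_by_src | awk '{ c[$2]++ } END { for (s in c) if (c[s] > 1) print "SHARED " s }'
}

printf '%s\n' "$SAMPLE" | marks_by_src
printf '%s\n' "$SAMPLE" | shared_src
```

On a live box feed it the real table with `conntrack -L | marks_by_src` (and `| shared_src`), which needs root like `conntrack -L` itself.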