[ubuntu] iptables packet marking - Stopped working after upgrading from 8.04 to 8.10



King DeaN
April 8th, 2009, 04:41 PM
I recently upgraded from 8.04 to 8.10 and my iptables marking has stopped working.

I've attached my iptables save but I've tested it just with the most basic of configurations such as marking every packet headed for my desktop to be routed through my wired internet connection.

I'm quite sure it's just the marking as iptables itself is running happily in my modules list and when I set the filter to deny all that indeed blocks everything.

The only other alternative is that the ip rule is not working correctly in picking up the marked packets and routing them correctly. Though ip rule itself is operating correctly besides the actual packet marking part.

Here is my test setup

$ ip rule

0: from all lookup local
32764: from all fwmark 0x88 lookup WIFI
32765: from all fwmark 0x10 lookup WIRED

$ ip route show table WIFI

10.0.0.0/24 dev eth1 scope link
default dev wlan0 scope link

$ ip route show table WIRED

10.0.0.0/24 dev eth1 scope link
default dev eth0 scope link

iptables

*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
# Completed on Wed Apr 8 22:19:05 2009
# Generated by iptables-save v1.4.0 on Wed Apr 8 22:19:05 2009
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s 10.0.0.200 -j MARK --set-mark 0x10
COMMIT
# Completed on Wed Apr 8 22:19:05 2009
# Generated by iptables-save v1.4.0 on Wed Apr 8 22:19:05 2009
*filter
:INPUT ACCEPT [3660:1871258]
:FORWARD ACCEPT [65:4931]
:OUTPUT ACCEPT [5034:4438523]
COMMIT

This resulted in nothing which means either the marking is failing, the rules aren't working or the routing itself isn't working.

Changing the setup to:
$ ip rule

0: from all lookup local
32764: from all lookup WIFI
32765: from all fwmark 0x10 lookup WIRED

My desktop (10.0.0.200) ends up running off the WIFI completely so either the fwmark function in the ip rules is failing or the ip tables packet marking is failing.

I'm not sure which but my entire setup was running fine before I upgraded to 8.10, so if anyone has any ideas on what could have gone wrong that would be very helpful. Thanks

King DeaN
April 12th, 2009, 02:23 PM
Shameless Self Bump

Any Ideas Guys?

gdave
April 12th, 2009, 05:44 PM
marking is working in general for me in 8.10

try using the iptables LOG target to find out if your mark is persisting through the stack. something like


sudo iptables -A FORWARD -m mark --mark 0x10 -j LOG --log-prefix "forward: "
sudo iptables -A OUTPUT -m mark --mark 0x10 -j LOG --log-prefix "output: "
sudo iptables -t nat -A POSTROUTING -m mark --mark 0x10 -j LOG --log-prefix "postrouting: "

do this to prove to yourself that the mark is or isn't traversing the stack, and add variations of these to investigate further. if the mark is persisting, maybe there's an issue with the routing rules somewhere..?

King DeaN
April 14th, 2009, 03:47 AM
[removed by user (where is the delete button ay?)]

King DeaN
April 14th, 2009, 12:00 PM
marking is working in general for me in 8.10

try using the iptables LOG target to find out if your mark is persisting through the stack. something like


sudo iptables -A FORWARD -m mark --mark 0x10 -j LOG --log-prefix "forward: "
sudo iptables -A OUTPUT -m mark --mark 0x10 -j LOG --log-prefix "output: "
sudo iptables -t nat -A POSTROUTING -m mark --mark 0x10 -j LOG --log-prefix "postrouting: "

do this to prove to yourself that the mark is or isn't traversing the stack, and add variations of these to investigate further. if the mark is persisting, maybe there's an issue with the routing rules somewhere..?

I've set up those iptables settings above as well as ones on a few other areas.

On the settings above the marking does not make it to OUTPUT or POSTROUTING, but the FORWARD logs show the mark on the port 80 packets I tried to mark, as shown below


Apr 14 20:48:51 melchior kernel: [ 7965.107743] forward: IN=eth1 OUT=eth0 SRC=10.0.0.197 DST=66.102.11.101 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=14039 DF PROTO=TCP SPT=2102 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0 MARK=0x10

The NAT PostRouting and the Filter Incoming also show the packets as marked


Apr 14 20:47:14 melchior kernel: [ 7868.409107] NATprerouting: IN=eth1 OUT= MAC=00:1b:21:2d:66:10:00:1d:7d:05:f8:11:08:00 SRC=10.0.0.200 DST=10.0.0.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=4717 DF PROTO=TCP SPT=57035 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x10



Apr 14 20:49:15 melchior kernel: [ 7989.137781] incoming: IN=eth1 OUT= MAC=00:1b:21:2d:66:10:00:1d:7d:05:f8:11:08:00 SRC=10.0.0.200 DST=10.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=11272 DF PROTO=TCP SPT=57035 DPT=80 WINDOW=63811 RES=0x00 ACK URGP=0 MARK=0x10


What could be causing my packets to lose their marks? There isn't anything else in my iptables setup as I've cleared out everything unnecessary.

Thanks for the help!
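An added checker (not code from the thread) that applies gdave's LOG-target method to the kernel lines King DeaN posted: it groups packets from the desktop by --log-prefix and, for the forward chain, separates a lost mark from a mark that survived but was not honoured by ip rule. It assumes the log prefixes used in the posts above and that marked traffic should leave via eth0 (the WIRED table's default); the last two sample lines are constructed, not from the thread.

```python
import re
from collections import Counter

# Kernel LOG lines. The first three are the ones posted in the thread; the last two are
# constructed negative cases: a forwarded packet that lost its mark, and one that kept
# the mark but still left via wlan0 instead of eth0.
SAMPLE_LOG = """\
Apr 14 20:47:14 melchior kernel: [ 7868.409107] NATprerouting: IN=eth1 OUT= MAC=00:1b:21:2d:66:10:00:1d:7d:05:f8:11:08:00 SRC=10.0.0.200 DST=10.0.0.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=4717 DF PROTO=TCP SPT=57035 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x10
Apr 14 20:48:51 melchior kernel: [ 7965.107743] forward: IN=eth1 OUT=eth0 SRC=10.0.0.197 DST=66.102.11.101 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=14039 DF PROTO=TCP SPT=2102 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0 MARK=0x10
Apr 14 20:49:15 melchior kernel: [ 7989.137781] incoming: IN=eth1 OUT= MAC=00:1b:21:2d:66:10:00:1d:7d:05:f8:11:08:00 SRC=10.0.0.200 DST=10.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=11272 DF PROTO=TCP SPT=57035 DPT=80 WINDOW=63811 RES=0x00 ACK URGP=0 MARK=0x10
Apr 14 20:50:02 melchior kernel: [ 8036.000001] forward: IN=eth1 OUT=wlan0 SRC=10.0.0.200 DST=66.102.11.101 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=14040 DF PROTO=TCP SPT=57036 DPT=80 WINDOW=0 RES=0x00 SYN URGP=0
Apr 14 20:50:03 melchior kernel: [ 8037.000001] forward: IN=eth1 OUT=wlan0 SRC=10.0.0.200 DST=66.102.11.101 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=14041 DF PROTO=TCP SPT=57037 DPT=80 WINDOW=0 RES=0x00 SYN URGP=0 MARK=0x10
"""

LINE_RE = re.compile(r"kernel: \[\s*[\d.]+\] (?P<prefix>[^:]+): (?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")  # flags such as DF/SYN/ACK carry no '=' and are skipped


def parse_log_line(line):
    """Parse one netfilter LOG line into a dict keyed by field name; MARK becomes an int."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix").strip()}
    rec.update(KV_RE.findall(m.group("fields")))
    rec["MARK"] = int(rec["MARK"], 16) if "MARK" in rec else None
    return rec


def records(log_text, src):
    """Yield parsed records for packets whose SRC is the host being traced."""
    for rec in map(parse_log_line, log_text.splitlines()):
        if rec and rec.get("SRC") == src:
            yield rec


def mark_seen_by_chain(log_text, src, mark):
    """Per --log-prefix, count packets from src carrying the mark vs. those without it.
    Forwarded traffic never traverses OUTPUT (locally generated packets only), and the nat
    table only sees a connection's first packet, so absence there does not mean a lost mark."""
    seen = {}
    for rec in records(log_text, src):
        seen.setdefault(rec["prefix"], Counter())["marked" if rec["MARK"] == mark else "unmarked"] += 1
    return seen


def check_forward(log_text, src, mark, expected_out, prefix="forward"):
    """For FORWARD-chain records, tell a lost mark apart from a mark that ip rule ignored."""
    findings = []
    for rec in records(log_text, src):
        if rec["prefix"] != prefix:
            continue
        pkt = f"ID={rec.get('ID')} {rec['SRC']}->{rec.get('DST')}"
        if rec["MARK"] != mark:
            findings.append(f"{pkt}: no MARK in {prefix}, marking is failing")
        elif rec.get("OUT") != expected_out:
            findings.append(f"{pkt}: MARK kept but OUT={rec.get('OUT')} (expected {expected_out}), check ip rule / table")
    return findings
```

Feed it the real kernel log (for example the lines matching the prefixes from /var/log/kern.log) instead of SAMPLE_LOG; a "MARK kept but OUT=" finding points at the ip rule / routing table side rather than at iptables.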