using fwmark routing rule on 2.2.x kernel

Post by Lukasz Enge » Fri, 21 Jul 2000 04:00:00

I have a problem:
I want to use routing based on some TCP protocol level data - it can be
theoretically done using "ip rule fwmark xxx" and corresponding ipchains
rule(s) (with -m option). In my case packets marked with "-m" option
should also be masqueraded.

My routing rules are:

ip ru add prio 100 lookup main
ip ru add prio 150 fwmark 1 lookup A
ip ru add prio 200 lookup B
ip ro flush table cache

both A and B tables contain one entry, let's say:
in A: 0/0 via a.b.c.d
in B: 0/0 via w.x.y.z

(a.b.c.d and w.x.y.z are connected to different router's interfaces)

I added the following ipchains rule (for simplicity condition here is
only destination host, but I need also some port-based conditions):

ipchains -A forward -d -m 1 -j MASQ

In this case packets to are masqueraded (and rule counters
are incremented), but they are sent via w.x.y.z (_NOT_ a.b.c.d).

When I also added a marking ipchains rule to the input chain
(ipchains -A input -d -m 1 -j ACCEPT)
I can see (using tools like tcpdump) masqueraded packets sent to via a.b.c.d, responses sent back from a.b.c.d to my router,
but the router does not "demasquerade" them - the originator receives nothing.
Packets are not rejected, just "annihilated" (??).

All tests were done from another host connected to a third router
interface (different from the ones a.b.c.d and w.x.y.z are connected to).
On the router I have a 2.2.16 kernel; all masquerading/routing options useful
in that case are enabled (I think so).

Can anyone explain to me the correct way of using policy routing based on
fwmark?
BTW: what is the order of interpreting input, forward, output chains and
routing rules during packet forwarding?


Lukasz Engel
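An added toy model, not the poster's setup or kernel code, of two things the post turns on: how the three "ip ru add" rules are walked in priority order with the fwmark condition, and where on a 2.2 kernel the ipchains input and forward chains fall relative to the routing decision (input before it, forward after it). The main-table entry and the test address are constructed; a.b.c.d and w.x.y.z are the post's own labels.

```python
# Added toy model of the post's fwmark policy routing on a 2.2 kernel. It is not
# the poster's configuration or kernel code: the 10.0.0.0/24 main-table entry and
# the test address are constructed; a.b.c.d and w.x.y.z are the post's labels.
import ipaddress

# The post's three "ip ru add" rules as (prio, required fwmark or None, table).
RULES = [(100, None, "main"), (150, 1, "A"), (200, None, "B")]

# main holds only a directly connected net (constructed, so no default route);
# A and B hold one default route each, as in the post.
TABLES = {
    "main": {"10.0.0.0/24": "direct"},
    "A": {"0.0.0.0/0": "a.b.c.d"},
    "B": {"0.0.0.0/0": "w.x.y.z"},
}

def lookup_table(table, dst):
    """Longest-prefix match within one table; None if no route covers dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nexthop)
    return best[1] if best else None

def route_lookup(dst, fwmark=0):
    """Walk the rules by ascending priority; the first table that has a
    matching route decides. A rule with a fwmark is skipped unless it matches."""
    for _prio, mark, table in sorted(RULES):
        if mark is not None and fwmark != mark:
            continue
        nexthop = lookup_table(TABLES[table], dst)
        if nexthop is not None:
            return nexthop
    return None

def forward_packet(dst, mark_in_input=False, mark_in_forward=False):
    """Path of a forwarded packet on a 2.2 kernel: input chain, routing
    decision, forward chain (where MASQ sits), output chain. A '-m 1' in the
    input chain is visible to the routing decision; one placed only in the
    forward chain is applied after the next hop has already been chosen."""
    fwmark = 1 if mark_in_input else 0
    nexthop = route_lookup(dst, fwmark)
    if mark_in_forward:
        fwmark = 1
    return nexthop, fwmark
```

With the mark set only in the forward chain the model routes via table B (w.x.y.z) even though the packet ends up marked; with the mark set in the input chain table A (a.b.c.d) is chosen.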


1. ip rule with fwmark not working in 2.6.31?


I have a setup where I do policy routing based on a mangle table with
ip rule fwmark. This worked until 2.6.30. With 2.6.31, ip rule does work,
e.g. with a source address
ip rule from lookup 1
but not with
ip rule from all fwmark 0x01 lookup 1
The problem is that the answer packets are dropped. I use CONNMARK in the
iptables rules. Does anybody have an idea if there was a change from 2.6.30 to