Some Questions About "-Set-Xmark" in Iptables

iptables - remove packet mark on certain packets

I figured it out. I used the following:

iptables -t mangle -A PREROUTING -p tcp ! -s 192.168.0.47 --dport 443 -j MARK --set-mark 2

To mark it so it doesn't mark the host in the first place.

Lost package in iptables trace

So, the first problem was that I was blocked by rp_filter. Disabling that for that interface solved that issue. The packages did not, however, leave the machine. For that to work I had to set up a separate routing table. All in all, it ended up in a script:

#!/bin/sh
# Address on the WAN interface, and the DNAT targets (LAN hosts) of the VSERVER port-forward rules
WAN_IP=$(ifconfig eth0 | egrep -o 'addr:[0-9.]*' | cut -d ':' -f 2)
PUBLIC_IPS=$(iptables -t nat -L VSERVER | egrep '^DNAT' | egrep -o 'to:[0-9.]*' | cut -d ':' -f 2)
# The default route via eth0 and the LAN route via br0, to be copied into the extra table below
DEFAULT_ROUTE=$(ip route show | egrep -o '^default .* eth0 ')
LAN_ROUTE=$(ip route show | egrep ' br0 ')

# Reverse-path filtering on eth0 would drop packets whose source is routed back via the VPN
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

# Routing table 200: default route via eth0 instead of the VPN; selected by fwmark 0xb00b
ip route add $DEFAULT_ROUTE table 200
ip route add $LAN_ROUTE table 200
ip rule add fwmark 0xb00b table 200

# Replies from a forwarded LAN host get the connection's mark copied back onto the packet
for IP in $PUBLIC_IPS ; do
    iptables -t mangle -I PREROUTING -m conntrack --ctstate DNAT -s "$IP" -i br0 -j CONNMARK --restore-mark
done

# Nothing may open a new connection out through eth0 directly (everything else goes via the VPN)
iptables -I FORWARD -o eth0 -m state --state NEW -j DROP
# New connections arriving on eth0 for the WAN address are tagged 0xb00b in conntrack
iptables -t nat -I PREROUTING -m mark --mark 0 -d "$WAN_IP" -i eth0 -j CONNMARK --set-mark 0xb00b
# Unmarked connections are handed to the UPNP forwards; marked ones stay with the VSERVER forwards
iptables -t nat -I VSERVER -m mark ! --mark 0xb00b -j VUPNP
iptables -t nat -A VUPNP -j CONNMARK -m mark --mark 0xb00b --set-mark 0
# Inbound packets of forwarded connections on eth0 carry the mark as well
iptables -t mangle -I PREROUTING -m conntrack --ctstate DNAT -d "$WAN_IP" -i eth0 -j CONNMARK --restore-mark

The script searches through the VSERVER rules in the nat table and allows any host in it to be contacted via the VSERVER posts outside of the VPN connection.

The script also separates so that UPNP connections are open only to the VPN and VSERVER connections are open only to the public IP.

I hope this helps somebody else too.
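Added example, not part of the answer above: a small Python model of the mark handling the script depends on. It is not netfilter; it only reproduces the semantics the rules rely on (CONNMARK --set-mark changes the conntrack mark, CONNMARK --restore-mark copies it onto a packet, and an `ip rule fwmark` entry picks the routing table), and it shows two things from the answer: why strict rp_filter on eth0 drops the inbound packets, and why a reply from a port-forwarded LAN host leaves via eth0 once it carries the 0xb00b mark, while a connection that came in over the VPN keeps mark 0 and is answered through the tunnel. The VSERVER/VUPNP separation is left out. All addresses, the tun0 device and the two routing tables are constructed assumptions.

```python
import ipaddress

# Constructed values for the model (not from the original post)
VPN_MARK = 0xb00b
WAN_IP = "203.0.113.10"        # assumed public address on eth0
LAN_HOST = "192.168.1.20"      # assumed DNAT target of a VSERVER rule
REMOTE = "198.51.100.5"        # assumed Internet client hitting the forward
VPN_CLIENT = "10.8.0.6"        # assumed client arriving through the VPN tunnel
VPN_GW = "10.8.0.1"            # assumed tunnel-side address of the router

# Routing tables as (prefix, device) lists; first match wins.
MAIN_TABLE = [("192.168.1.0/24", "br0"), ("10.8.0.0/24", "tun0"), ("0.0.0.0/0", "tun0")]
TABLE_200 = [("192.168.1.0/24", "br0"), ("0.0.0.0/0", "eth0")]
FWMARK_RULES = {VPN_MARK: TABLE_200}   # ip rule add fwmark 0xb00b table 200

CONNTRACK = {}   # (src, dst) -> conn dict, registered for both directions


def lookup(table, dst):
    addr = ipaddress.ip_address(dst)
    for prefix, dev in table:
        if addr in ipaddress.ip_network(prefix):
            return dev
    raise LookupError(dst)


def route(mark, dst):
    """Policy routing: a matching fwmark rule selects the table, otherwise main."""
    return lookup(FWMARK_RULES.get(mark, MAIN_TABLE), dst)


def rp_filter_strict(pkt):
    """Strict rp_filter accepts a packet only if the route back to its source
    uses the device it arrived on."""
    return lookup(MAIN_TABLE, pkt["src"]) == pkt["iface"]


def prerouting(pkt, dnat_targets):
    """The mangle and nat PREROUTING rules of the script; returns the packet mark."""
    key = (pkt["src"], pkt["dst"])
    conn = CONNTRACK.get(key)
    new = conn is None
    if new:
        conn = {"mark": 0, "dnat": False}
        CONNTRACK[key] = conn
    # mangle PREROUTING: the two CONNMARK --restore-mark rules, DNAT'd connections only
    from_wan = pkt["iface"] == "eth0" and pkt["dst"] == WAN_IP
    from_lan_server = pkt["iface"] == "br0" and pkt["src"] in dnat_targets.values()
    if conn["dnat"] and (from_wan or from_lan_server):
        pkt["mark"] = conn["mark"]
    # nat PREROUTING: only the first packet of a connection is evaluated here
    if new:
        if pkt["mark"] == 0 and from_wan:
            conn["mark"] = VPN_MARK   # CONNMARK --set-mark: conntrack mark only, packet mark unchanged
        target = dnat_targets.get(pkt["dst"])
        if target is not None:        # port forward (DNAT): register the reply direction
            conn["dnat"] = True
            CONNTRACK[(target, pkt["src"])] = conn
    return pkt["mark"]


def demo():
    """Run the two scenarios and return what a reader would want to check."""
    CONNTRACK.clear()
    dnat = {WAN_IP: LAN_HOST, VPN_GW: LAN_HOST}   # same host forwarded on both sides
    # 1. Internet client reaches the forward on the public address via eth0
    inbound = {"src": REMOTE, "dst": WAN_IP, "iface": "eth0", "mark": 0}
    rp_ok = rp_filter_strict(inbound)            # reverse route is tun0, so strict rp_filter drops it
    prerouting(inbound, dnat)
    reply = {"src": LAN_HOST, "dst": REMOTE, "iface": "br0", "mark": 0}
    reply_mark = prerouting(reply, dnat)         # mark restored from conntrack
    # 2. VPN client reaches the same forward through the tunnel
    vpn_in = {"src": VPN_CLIENT, "dst": VPN_GW, "iface": "tun0", "mark": 0}
    prerouting(vpn_in, dnat)
    vpn_reply = {"src": LAN_HOST, "dst": VPN_CLIENT, "iface": "br0", "mark": 0}
    vpn_reply_mark = prerouting(vpn_reply, dnat)
    return {
        "inbound_passes_strict_rp_filter": rp_ok,
        "reply_mark": reply_mark,
        "reply_dev": route(reply_mark, reply["dst"]),
        "reply_dev_without_mark": route(0, reply["dst"]),
        "vpn_reply_mark": vpn_reply_mark,
        "vpn_reply_dev": route(vpn_reply_mark, vpn_reply["dst"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{name}: {value}")
```

The interesting line is `reply_dev_without_mark`: without the restored mark the reply to the Internet client would be routed by the main table and disappear into the VPN tunnel, which is the "packets did not leave the machine" symptom described above. The model also makes the conntrack/packet distinction explicit: the mark set by CONNMARK --set-mark lives on the connection, and only --restore-mark puts it on an individual packet where the fwmark rule can see it.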
