problem marking 3_tier client packets with iptables

Joseph Mack mack.joseph at
Tue May 21 17:13:08 BST 2002

Sometimes LVS-DR realservers have clients which need
to connect to hosts on the internet, e.g. a squid realserver
needs to connect from RIP (not VIP) to 0/0:80.
In my configure script, currently
I block all connections from RIP to 0/0.
I now want to let out all packets to, say, 0/0:80
but to DROP or REJECT other packets from RIP to 0/0:!80.

Horms suggested the following code (here shown connecting
from RIP to 0/0:telnet, since connecting with telnet is
easy to test):

#mark packet
iptables -t mangle -A OUTPUT -p tcp -s ${RIP}/32 -d 0/0 --dport telnet -j MARK --set-mark 1

This marks the packets to 0/0:23. 
I can then route packets with fwmark 1,
and I get what I want. I want to extend this to 

o mark packets from RIP to multiple services on the internet
o DROP or REJECT the rest of the packets to 0/0

What I tried to do was to set up another chain (3_tier) and send all
allowed packets to it, to DROP the rest and mark all packets that
get to the 3_tier chain.

#create table
iptables -N 3_tier

#packets from the realserver to hosts on the internet are sent to another
#chain where they will be marked.
#here packets to 0/0:23 and 0/0:80 are sent to a new chain
iptables -A OUTPUT -p tcp -s ${RIP}/32 -d 0/0 --dport telnet -j 3_tier
iptables -A OUTPUT -p tcp -s ${RIP}/32 -d 0/0 --dport http -j 3_tier
. (other services)
#drop all other packets destined for 0/0
iptables -A OUTPUT -p tcp -s ${RIP}/32 -d ! ${RIP_NETWORK}/24 -j DROP
#fine so far. All the packets I want are sent to chain 3_tier, the rest are dropped
#Now mark packets sent to chain 3_tier
iptables -t mangle -A 3_tier -j MARK --set-mark 1

I get "No chain/target/match by that name"

If I leave out "-t mangle" I get an error at the console saying 
"MARK can only be called from mangle table"

Any suggestions anyone?

Thanks Joe

Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center, 
mailto:mack.joseph at ph# 919-541-0007, RTP, NC, USA
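A working version of the set-up described in the post, as an added example that is not from the original message: the MARK target only exists in the mangle table, so the 3_tier chain and every jump into it have to be created there with -t mangle, while the DROP for everything else stays in the filter table (with an ACCEPT for the allowed services in front of it, otherwise the filter DROP still eats them). RIP, RIP_NETWORK and the service list are assumed values; IPT defaults to echo so the rules can be reviewed before running them as root with IPT=iptables.

```shell
#!/bin/sh
# Emit (or, with IPT=iptables, apply) the 3_tier rules. All addresses and
# services are constructed for the example; adjust for a real realserver.
IPT="${IPT:-echo iptables}"

gen_3tier_rules() {
    rip="$1"          # realserver IP (RIP), e.g. 192.168.1.2
    rip_net="$2"      # local network the realserver may always talk to
    shift 2           # remaining args: allowed destination ports on 0/0

    # MARK lives only in the mangle table, so the custom chain and the
    # rules that jump into it must all be in mangle. Mixing tables gives
    # "No chain/target/match by that name".
    $IPT -t mangle -N 3_tier
    $IPT -t mangle -A 3_tier -j MARK --set-mark 1

    for port in "$@"; do
        # mangle OUTPUT sees locally generated packets before routing,
        # so marking here lets an "ip rule ... fwmark 1" pick the route.
        $IPT -t mangle -A OUTPUT -p tcp -s "${rip}/32" -d 0/0 \
            --dport "$port" -j 3_tier
        # Filter table: let the same service out ...
        $IPT -A OUTPUT -p tcp -s "${rip}/32" -d 0/0 --dport "$port" -j ACCEPT
    done

    # ... and drop everything else from RIP that leaves the local network.
    # Current iptables writes the negation before the option: "! -d".
    $IPT -A OUTPUT -p tcp -s "${rip}/32" ! -d "$rip_net" -j DROP
}

# Number of rules a given call emits (2 chain rules + 2 per port + 1 DROP).
count_3tier_rules() {
    gen_3tier_rules "$@" | wc -l | tr -d ' '
}

gen_3tier_rules 192.168.1.2 192.168.1.0/24 telnet http
```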
