When you want to mark a packet in iptables, you would generally add the following line to your firewall script:
iptables -t mangle -A POSTROUTING -p tcp -m multiport --dports 80,443 -j MARK --set-mark 2
I know this subject is a little bit complicated, but let's focus just on the single rule. When you add something like the one above, some entries in the /proc/net/nf_conntrack file will have the mark set:
ipv4 2 tcp 6 3706 ESTABLISHED ... mark=2
The problem with the rule is that when you add another rule that matches, for instance, a source or destination address and sets another mark, the previous mark will be overwritten with what you set. But there are some ways to "add" the marks. So if one rule sets mark=2 and another rule sets mark=5, then the resulting mark will be mark=7, or something like that.
I have one working example based on mwan3, but I don't really get it. I know what the mangle table looks like after starting the tool, and what rules were added:
So to understand the mechanism, I have to know what actually happens to the arriving packet. But in this example, the marking rules are different.
We have two different WAN interfaces. Based on the marks, the packets will go to different routing tables. So what actually happens to a packet that is destined for port 443 and, for example, for port 1000? Could anyone help me analyze the rules?
Best Answer
The target "-j MARK --set-mark 2" will set mark 2 on the packet, whatever the previous value was. If you want to avoid your mark being erased, you can simply end the packet path in the chain with -j ACCEPT. For example:
However, you have to take care whether you are in the main chain (e.g. POSTROUTING) or in a custom chain: ACCEPT will end the main chain, while RETURN will end the current chain. It depends on your needs.
About the mwan3 example, it is quite hard to be sure without the filter, nat, and raw tables, and without the tc configuration.
However, it looks like this:
So 40% of http(s) traffic will go through lte, 60% through cable, and everything else through cable.
If your goal is to load-balance connections across your 2 ISPs, you should probably write your own iptables rules from scratch, since the mwan3 ones are hard to read.
You could start with this question.
Good luck!
Edit:
The documentation states:
If you have a 0x100 mark, and try to set xmark 0x200/0xff00:
If you have a 0x100 mark, and try to set xmark 0x200/0xf000:
If you have a 0x100 mark, and try to set xmark 0x100/0xf000:
If you have a 0x100 mark, and try to set xmark 0x100/0xff00:
In the mwan3 file the case is always this one:
Now, let's go through the chains:
In the end, we have 3 states:
Since we don't have the ip rules, we can only guess:
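Added illustration (not part of the original question or answer): a small Python simulation of the fwmark arithmetic behind the MARK target and of what ACCEPT versus RETURN does to the rest of the chain walk. Per iptables-extensions(8), --set-mark value/mask zeroes the mask bits and ORs value in, --set-xmark value/mask zeroes the mask bits and XORs value in, and --and-mark/--or-mark/--xor-mark apply the plain bitwise operation; a mask of 0xffffffff is assumed when omitted. The chain names, match predicates, destination address and packet below are constructed for the example; nothing here touches netfilter.

```python
"""Simulate iptables MARK target arithmetic and ACCEPT/RETURN chain behaviour.

Added example, not code from the original post or from mwan3.  It models only
the 32-bit nfmark operations documented for the MARK target and a tiny chain
walk; no real packets or netfilter hooks are involved.
"""

MASK32 = 0xFFFFFFFF


def set_xmark(mark, value, mask=MASK32):
    """-j MARK --set-xmark value/mask: clear the mask bits, then XOR value in."""
    return ((mark & ~mask) ^ value) & MASK32


def set_mark(mark, value, mask=MASK32):
    """-j MARK --set-mark value/mask: clear the mask bits, then OR value in.
    With the default full mask this simply overwrites the whole mark."""
    return ((mark & ~mask) | value) & MASK32


def and_mark(mark, bits):   # -j MARK --and-mark bits
    return (mark & bits) & MASK32


def or_mark(mark, bits):    # -j MARK --or-mark bits
    return (mark | bits) & MASK32


def xor_mark(mark, bits):   # -j MARK --xor-mark bits
    return (mark ^ bits) & MASK32


def walk(chains, name, pkt):
    """Walk chain `name` for `pkt`; returns "ACCEPT" or "RETURN".

    MARK-style targets (callables) are non-terminating: the mark is updated and
    the walk continues with the next rule.  ACCEPT ends the whole traversal.
    RETURN ends only the current chain; a user chain that is RETURNed from
    (or falls off its end) hands control back to the rule after the JUMP.
    """
    for match, target in chains[name]:
        if not match(pkt):
            continue
        if callable(target):
            pkt["mark"] = target(pkt["mark"])
        elif target == "ACCEPT":
            return "ACCEPT"
        elif target == "RETURN":
            return "RETURN"
        elif target.startswith("JUMP "):
            if walk(chains, target.split(" ", 1)[1], pkt) == "ACCEPT":
                return "ACCEPT"      # ACCEPT in a sub-chain ends everything
        else:
            raise ValueError("unknown target %r" % target)
    return "RETURN"


def final_mark(chains, pkt):
    """Run `pkt` (starting with mark 0) through POSTROUTING; return its mark."""
    pkt = dict(pkt, mark=0)
    walk(chains, "POSTROUTING", pkt)
    return pkt["mark"]


# Constructed matches and packet: HTTPS to a host in a (hypothetical) LAN range.
def mark_http(pkt):
    return pkt["dport"] in (80, 443)


def to_lan(pkt):
    return pkt["dst"].startswith("192.168.")


PKT = {"dport": 443, "dst": "192.168.1.10"}

# 1. Two plain --set-mark rules that both match: the second overwrites the first.
OVERWRITE = {"POSTROUTING": [
    (mark_http, lambda m: set_mark(m, 2)),
    (to_lan,    lambda m: set_mark(m, 5)),
]}

# 2. Ending the path with -j ACCEPT right after the first MARK keeps mark=2.
ACCEPT_AFTER = {"POSTROUTING": [
    (mark_http, lambda m: set_mark(m, 2)),
    (mark_http, "ACCEPT"),
    (to_lan,    lambda m: set_mark(m, 5)),
]}

# 3. Same rules inside a custom chain: RETURN ends only that chain, so the
#    caller's later rule still runs and overwrites the mark.
RETURN_IN_SUB = {
    "POSTROUTING": [
        (lambda p: True, "JUMP http_mark"),
        (to_lan,         lambda m: set_mark(m, 5)),
    ],
    "http_mark": [
        (mark_http, lambda m: set_mark(m, 2)),
        (mark_http, "RETURN"),
    ],
}


def xmark_table():
    """The four --set-xmark cases from the answer's edit, starting from 0x100."""
    return {
        "0x200/0xff00": set_xmark(0x100, 0x200, 0xFF00),
        "0x200/0xf000": set_xmark(0x100, 0x200, 0xF000),
        "0x100/0xf000": set_xmark(0x100, 0x100, 0xF000),
        "0x100/0xff00": set_xmark(0x100, 0x100, 0xFF00),
    }


if __name__ == "__main__":
    for label, chains in (("overwrite", OVERWRITE), ("accept", ACCEPT_AFTER),
                          ("return-in-sub", RETURN_IN_SUB)):
        print("%-14s mark=%d" % (label, final_mark(chains, PKT)))
    for case, result in xmark_table().items():
        print("0x100 then --set-xmark %s -> %#05x" % (case, result))
    print("--or-mark 5 on mark 2 -> %d, --set-mark 5 on mark 2 -> %d"
          % (or_mark(2, 5), set_mark(2, 5)))
```

The first walk ends with mark 5, the second keeps mark 2, and the third is back to 5, which is the ACCEPT-versus-RETURN distinction the answer makes. The xmark table also shows why mwan3 can keep several independent fields in one mark: a mask only clears the bits it names, so 0x200/0xf000 leaves the low 0x100 bit alone (giving 0x300), while 0x200/0xff00 wipes it (giving 0x200). Finally, the "2 plus 5 gives 7" recollection from the question corresponds to --or-mark, not --set-mark.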