* how to mark a prerouting package so it will go through my ip route rule
@ 2021-10-31 19:24 Jelle de Jong
  2021-10-31 20:43 ` Jelle de Jong
  0 siblings, 1 reply; 2+ messages in thread
From: Jelle de Jong @ 2021-10-31 19:24 UTC (permalink / raw)
  To: netfilter

Hello everybody,

I got the problem that I got multiple interfaces and routing and I got a 
nat subnet and the packages coming back from the nat network go through 
my default routing table instead of one for the interface the package 
entered the nftable, so I need to have a way to have the package coming 
back in from the nat network to be marked.

I found the following wiki page and tried the following:
https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_metainformation

# ip rule show from all fwmark 0x1 lookup 100
32762:	from all fwmark 0x1 lookup 100

table ip nat {
	chain prerouting {
		type nat hook prerouting priority 0; policy accept;
		iifname "enp8s0" ip daddr 123.45.67.89 icmp type echo-request mark set 0x00000001 ct mark set mark dnat to 192.168.25.25
	}
	chain postrouting {
	}
}

But the icmp reply coming back from 192.168.25.25 is not being picked up 
by my ip rule fwmark.

Can somebody give me an example of how to track prerouting nat with an 
fwmark for ip rule?

Kind regards,

Jelle de Jong


* Re: how to mark a prerouting package so it will go through my ip route rule
  2021-10-31 19:24 how to mark a prerouting package so it will go through my ip route rule Jelle de Jong
@ 2021-10-31 20:43 ` Jelle de Jong
  0 siblings, 0 replies; 2+ messages in thread
From: Jelle de Jong @ 2021-10-31 20:43 UTC (permalink / raw)
  To: netfilter

On 10/31/21 8:24 PM, Jelle de Jong wrote:
> Hello everybody,
> 
> I got the problem that I got multiple interfaces and routing and I got a 
> nat subnet and the packages coming back from the nat network go through 
> my default routing table instead of one for the interface the package 
> entered the nftable, so I need to have a way to have the package coming 
> back in from the nat network to be marked.
> 
> I found the following wiki page and tried the following:
> https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_metainformation
> 
> 
> # ip rule show from all fwmark 0x1 lookup 100
> 32762:    from all fwmark 0x1 lookup 100
> 
> table ip nat {
>      chain prerouting {
>          type nat hook prerouting priority 0; policy accept;
>          iifname "enp8s0" ip daddr 123.45.67.89 icmp type echo-request mark set 0x00000001 ct mark set mark dnat to 192.168.25.25
>      }
>      chain postrouting {
>      }
> }
> 
> But the icmp reply coming back from 192.168.25.25 is not being picked up by 
> my ip rule fwmark.
> 
> Can somebody give me an example of how to track prerouting nat with an 
> fwmark for ip rule?

I managed to get the following working!!

# ip rule show from all fwmark 0x1 lookup 100
32762:  from all fwmark 0x1 lookup 100

table ip mangle {
         chain prerouting {
                 type filter hook prerouting priority -150; policy accept;
                 counter meta mark set ct mark
                 mark != 0x0 counter accept
                 iifname "enp8s0" ip daddr 185.40.94.87 counter meta mark set 0x1
         }

         chain postrouting {
                 type filter hook postrouting priority -150; policy accept;
                 counter ct mark set mark
         }
}

Is this the most optimal way of configuring this?

Kind regards,

Jelle de Jong
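A tightened version of the working ruleset above, added as an editorial example rather than anything from the thread: the mark is classified once per connection (on the first packet, `ct state new`) and stored directly in the conntrack mark from the prerouting hook, so the postrouting save chain is no longer needed, and the DNAT rule lives on its own in the nat table because nat chains only see the first packet of a flow. It assumes the addresses and interface from the first message (enp8s0, 123.45.67.89, 192.168.25.25), that routing table 100 already holds a default route out of enp8s0, and that `ip rule add fwmark 0x1 lookup 100` is in place.

```nft
#!/usr/sbin/nft -f
# Added example, not the poster's configuration. Assumptions: upstream
# interface enp8s0, public address 123.45.67.89, DNAT target 192.168.25.25,
# routing table 100 with a default route via enp8s0, and the rule
# "ip rule add fwmark 0x1 lookup 100" already installed.

table ip nat {
	chain prerouting {
		# dstnat == -100; runs after the mangle hook below
		type nat hook prerouting priority dstnat; policy accept;
		# nat chains are only consulted for the first packet of a flow,
		# so do nothing here except the address rewrite
		iifname "enp8s0" ip daddr 123.45.67.89 dnat to 192.168.25.25
	}
}

table ip mangle {
	chain prerouting {
		# mangle == -150; conntrack (-200) has already looked up the flow,
		# and the routing decision happens after this hook, so a mark set
		# here is what "ip rule ... fwmark 0x1" sees
		type filter hook prerouting priority mangle; policy accept;

		# Known flow: copy the persisted conntrack mark onto the packet.
		# This is what routes the reply from 192.168.25.25 via table 100.
		ct mark != 0 meta mark set ct mark accept

		# New flow arriving on enp8s0 for the public address: classify it once.
		# ip daddr is still the pre-DNAT address because dstnat runs later.
		iifname "enp8s0" ip daddr 123.45.67.89 ct state new \
			meta mark set 0x1 ct mark set meta mark
	}
}
```

Load it with `nft -f <file>` (or check syntax first with `nft -c -f <file>`); `conntrack -L --mark 1` then shows which flows carry the mark.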

