- 02-08-2011 #1
using iptables CONNMARK match and target
I'm an iptables n00b.
I'm trying to take advantage of connmark for bypassing rules for already established and related connections ( duh!!! )
I'm using only the filter table... and also I'm not using "MARK" (or iproute to set any packet mark).
Here is what my sample table looks like:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [24:1636]
:cmchain - [0:0]
:mychain - [0:0]
:outchain - [0:0]
-A INPUT -m connmark ! --mark 0x0 -j ACCEPT
-A INPUT -j mychain
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j cmchain
-A OUTPUT -m connmark ! --mark 0x0 -j ACCEPT
-A OUTPUT -j outchain
-A cmchain -j CONNMARK --set-xmark 0x1/0xffffffff
-A cmchain -j ACCEPT
COMMIT
mychain contains inbound rules, while outchain contains outbound rules.
In order to bypass mychain and outchain.... I've added a "connmark" match before them to check the connection mark... however I'm not getting the desired results...
Please help me understand where I'm going wrong.
TIA
- 02-08-2011 #2
Not sure why you are making this so hard. ESTABLISHED and RELATED look in their connection tracking DB and if it is there they do whatever the '-j' tells them to do.
So the first rule in your INPUT chain should be:
Code:
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
This will match all established connections and thus accept the incoming packets and bypass all other rules for incoming packets.
Take a look at this TUTORIAL for how things work.
- 02-09-2011 #3
I had tried this...
The reason for not doing it is... I want the packet to traverse the inbound chain at least once.
So even a packet belonging to an established connection must go through the inbound chain...
After that, marking is done...
- 02-10-2011 #4
OK, rules in iptables are read from top to bottom.
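The top-to-bottom point from posts #2 and #4, applied to the design asked for in posts #1 and #3, as an added example (not code from the thread): the posted ruleset reordered so that the CONNMARK rule is actually reached, written as a shell script with the poster's chain names; the inbound/outbound policy rules are assumed placeholders, and `--dry-run` (or `IPT=echo`) prints the rules instead of installing them.

```shell
#!/bin/sh
# Added example, not code from the thread: every packet of a connection traverses
# the policy chain once, then the connection is marked and later packets bypass
# the chain. Chain names are the post's; the policy rules are assumed
# placeholders. Assumes an empty filter table. IPT=echo dry-runs the commands.
IPT=${IPT:-iptables}

apply_rules() {
    # user chains, named as in the post
    $IPT -N mychain
    $IPT -N outchain
    $IPT -N cmchain

    # 1. Packets of a connection already carrying mark 0x1 skip everything.
    $IPT -A INPUT  -m connmark --mark 0x1/0xffffffff -j ACCEPT
    $IPT -A OUTPUT -m connmark --mark 0x1/0xffffffff -j ACCEPT

    # 2. Unmarked packets traverse the policy chain. Permitted traffic must
    #    leave it with RETURN, not ACCEPT: a terminating verdict here means
    #    control never comes back to INPUT/OUTPUT, so the marking rule in
    #    step 3 is never reached and every packet keeps hitting the policy chain.
    $IPT -A INPUT  -j mychain
    $IPT -A OUTPUT -j outchain

    # 3. A packet that survived the policy chain and belongs to a tracked
    #    connection marks that connection; its later packets match step 1.
    #    NEW packets fall through to the chain policy (ACCEPT in the post).
    $IPT -A INPUT  -m conntrack --ctstate RELATED,ESTABLISHED -j cmchain
    $IPT -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j cmchain
    $IPT -A cmchain -j CONNMARK --set-xmark 0x1/0xffffffff
    $IPT -A cmchain -j ACCEPT

    # Placeholder policy (assumed): new SSH in, replies to tracked connections,
    # everything out; note RETURN rather than ACCEPT for permitted traffic.
    $IPT -A mychain -p tcp --dport 22 -m conntrack --ctstate NEW -j RETURN
    $IPT -A mychain -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
    $IPT -A mychain -j DROP
    $IPT -A outchain -j RETURN
}

# "--dry-run" prints the commands in order; "apply" installs them (needs root).
case "${1:-}" in
    --dry-run) IPT=echo; apply_rules ;;
    apply)     apply_rules ;;
    *)         echo "usage: $0 --dry-run | apply" >&2 ;;
esac
```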