  1. #1
     nnes (Just Joined!), Join Date: May 2011, Posts: 4

    Applying iptables fw rules failed when using MARK target


    Hi all.
    I want to limit bandwidth by using tc and iptables, following: lartc.org/howto/lartc.cookboo...nat.intro.html
    I use these commands:
    ...
    tc filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip dst 192.168.68.0/24 flowid 1:1
    tc filter add dev eth0 parent 1: protocol ip prio 1 handle 9 fw flowid 1:1
    ...

    iptables -t nat -A POSTROUTING -s 192.168.68.0/24 -o eth0 -j SNAT --to-source 192.168.5.32
    iptables -t mangle -A PREROUTING -p tcp -j MARK --set-mark 0x9

    ...
    I tried this system without saving iptables, and it works well.

    Then I saved iptables, and it's OK. But when I restart iptables, it fails.

    My iptables configuration:
    # Generated by iptables-save v1.4.0 on Fri May 20 09:38:45 2011
    *mangle
    :PREROUTING ACCEPT [449:39586]
    :INPUT ACCEPT [267:24250]
    :FORWARD ACCEPT [3:234]
    :OUTPUT ACCEPT [93:9734]
    :POSTROUTING ACCEPT [96:9968]
    [121:9364] -A PREROUTING -p tcp -j MARK --set-mark 0xffffffff00000009
    COMMIT
    # Completed on Fri May 20 09:38:45 2011
    # Generated by iptables-save v1.4.0 on Fri May 20 09:38:45 2011
    *nat
    :PREROUTING ACCEPT [3478:297455]
    :OUTPUT ACCEPT [3:213]
    :POSTROUTING ACCEPT [0:0]
    [36:2436] -A POSTROUTING -o eth0 -j MASQUERADE
    [10:632] -A POSTROUTING -s 192.168.68.0/24 -o eth0 -p tcp -j SNAT --to-source 10.0.9.2:1024-2037
    COMMIT
    # Completed on Fri May 20 09:38:45 2011
    # Generated by iptables-save v1.4.0 on Fri May 20 09:38:45 2011
    *filter
    :INPUT ACCEPT [25477:2154067]
    :FORWARD ACCEPT [2710:455845]
    :OUTPUT ACCEPT [18600:6343828]
    COMMIT
    restart iptables:
    Flushing firewall rules: [ OK ]
    Setting chains to policy ACCEPT: mangle [ OK ]
    Unloading iptables modules: [ OK ]
    Applying iptables firewall rules: iptables-restore: line 9 failed
    [FAILED]
    Line 9 contains COMMIT.
    Line 8 contains:
    -A PREROUTING -p tcp -j MARK --set-mark 0xffffffff00000009

    I think the error is in line 8, so I deleted line 8 from the iptables file. After a restart it's OK, no error.
    Of course, then it can't mark packets and the system can't run as I expect.

    What can I do to fix this error?

    Thanks all.

    PS: sorry, my English is not OK.

  2. #2
     Todd (Just Joined!), Join Date: Sep 2007, Location: Silver Spring, MD, Posts: 95

    Questions about iptables mangle function

    Quote Originally Posted by nnes (post #1 above)
    ===============

    When I tried to run the command in line 9 it gives me this error:

    iptables v1.4.10: MARK: Bad value for "--set-xmark/--set-mark" option: "0xffffffff00000009"

    The decimal value for this number is 1844674409414584000. Is there something in particular you are looking for? When I looked on the web for this number, it referred to malware.

    You might want to try the following:

    iptables -t nat -A PREROUTING -p tcp -t mangle -m mark --mark 0x9

    Because when I run this command

    iptables -t nat -A PREROUTING -p tcp -t mangle -m mark --mark ffffffff00000009
    iptables v1.4.10: mark: Bad value for "--mark" option: "ffffffff00000009"

    It seems the value is a bad value. Is there something else you can use, or is there a reason why you need this value?

    Please advise.

    Todd
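A defender-side sanity check for the failure in this thread, written as an added example that is not part of either post: it scans an iptables-save dump for mark values wider than the kernel's 32-bit mark field and rewrites them to their low 32 bits, which for 0xffffffff00000009 recovers the 0x9 that the original --set-mark command set. The sample ruleset is constructed to mirror the mangle table above; the function and variable names are mine, and the check is meant to gate iptables-restore on the real file.

```shell
#!/bin/sh
# Constructed sample modelled on the mangle table in the thread's iptables-save
# dump: the first rule carries the 64-bit value that iptables-restore rejects,
# the second carries a mark that is already valid.
SAMPLE_RULES='*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -j MARK --set-mark 0xffffffff00000009
-A PREROUTING -p udp -j MARK --set-mark 0x9
COMMIT'

# A mark is a 32-bit field, so at most 8 hex digits may follow "0x".
MARK_OPTS='--(set-x?mark|mark) '
OVERSIZED="${MARK_OPTS}0x[0-9a-fA-F]{9,}"

# Return 0 when every mark in the ruleset fits in 32 bits; otherwise print the
# offending rules on stderr and return 1, so this can gate a restore.
check_marks() {
    bad=$(printf '%s\n' "$1" | grep -E -e "$OVERSIZED") || return 0
    printf 'oversized mark value:\n%s\n' "$bad" >&2
    return 1
}

# Rewrite each oversized value to its low 32 bits and drop leading zeros:
# 0xffffffff00000009 -> 0x9, the mark the original "--set-mark 0x9" set.
# Rules whose marks are already valid pass through unchanged.
fix_marks() {
    printf '%s\n' "$1" | sed -E \
        -e "s/(${MARK_OPTS})0x[0-9a-fA-F]*([0-9a-fA-F]{8})([[:space:]]|$)/\10x\3\4/" \
        -e "s/(${MARK_OPTS})0x0+([0-9a-fA-F]+)/\10x\3/"
}

# Stand-alone run: report the problem, then show the repaired table.
if ! check_marks "$SAMPLE_RULES"; then
    echo "repaired ruleset:"
    fix_marks "$SAMPLE_RULES"
fi
```

Run check_marks over the output of iptables-save before restoring; only a ruleset that passes it should reach iptables-restore.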
