Iptables – mark match and connmark match in single iptable rule

iptables

I want to add connmark match with mark match in single iptable rule. I can add these rules individually,

iptables -t mangle -I INPUT -j ACCEPT -i eth2 -m connmark --mark 0x1/0xf
iptables -t mangle -I INPUT -j ACCEPT -i eth2 -m mark --mark 0x1/0xf

But while adding below rule, it throws error.

iptables -t mangle -I INPUT -j ACCEPT -i eth2 -m mark --mark 0x1/0xf -m connmark --mark 0x1/0xf

Error: iptables v1.4.7: mark: "--mark" option may only be specified once
Try `iptables -h' or 'iptables --help' for more information.

Is this supported in iptables? Or I'm doing something wrong?

Best Answer

Sorry guys for trouble. I've found solution for this case. It has been fixed in 1.4.8.

http://www.netfilter.org/projects/iptables/files/changes-iptables-1.4.8.txt

Related Solutions

Linux – Marking packets with iptables with a NAT

I think that you should use the POSTROUTING mangle table since you are marking the packets in the PREROUTING before the NAT engine.

Have a look at the IPTABLE Chain :

IPTABLES CHAIN DRAWING

Linux – iptables to block VPN-traffic if not through tun0

Just add default low priority route for marked packets

ip rule add fwmark 42 table no.out
ip route add blackhole 0.0.0.0 metric 100 table no.out

and than, establishing new vpn connection should setup route for the same Mark, but using lower metric.

Related Topic