MARK

  • MARK associates "marks" with packets.

  • CONNMARK associates "marks" with connections.

Marks are usually written in hex, but the kernel logs them in decimal: a mark set as 0x1000 shows up in dmesg as mark=4096.

The second one is useful because you can give the same mark to all the packets of a connection, or of a related connection (for example, FTP data connections). Another useful property of CONNMARK is that you can mark a whole connection using criteria that only match its first packet.

Ex:

Create the packet filter rules that will mark the connections to be sent to SCB using the CONNMARK feature of iptables. Mark only those connections that must be redirected to SCB (Shell Control Box).

iptables -t mangle -I PREROUTING -i -p tcp -d --dport -j CONNMARK --set-mark 1

iptables -t mangle -I PREROUTING -i eth0 -p tcp -d 10.0.0.0/24 --dport 3389 -j CONNMARK --set-mark 1

iptables -t mangle -I PREROUTING -i -p tcp -s --sport -j CONNMARK --set-mark 1

Convert the CONNMARK marks to MARK: iptables -t mangle -A PREROUTING ! -i -m connmark --mark 1 -j MARK --set-mark 1

Once traffic has been marked, it is ready to be routed out:

  1. First add the route in the dedicated routing table

/sbin/ip route add default via table scb

  2. Then add an ip rule (which mark should consult which routing table)

/sbin/ip rule add fwmark 1 table scb
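The whole chain (CONNMARK on the first packet, restore to a packet mark, fwmark policy routing) as one script, added here as an example and not part of the original page. Interface, subnet, port and table name are taken from the page; the gateway 192.0.2.1 and the DRY_RUN mechanism are assumptions, and the table name scb must already be listed in /etc/iproute2/rt_tables.

```shell
#!/bin/sh
# Added example: mark RDP connections to the SCB subnet and policy-route them.
SCB_IN_IF="${SCB_IN_IF:-eth0}"
SCB_NET="${SCB_NET:-10.0.0.0/24}"
SCB_PORT="${SCB_PORT:-3389}"
SCB_GW="${SCB_GW:-192.0.2.1}"      # assumed gateway toward the SCB
SCB_TABLE="${SCB_TABLE:-scb}"      # must exist in /etc/iproute2/rt_tables
SCB_MARK=1

# With DRY_RUN=1 (the default) commands are printed instead of executed,
# so the ruleset can be reviewed before it touches the firewall.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

scb_rules() {
  # 1. Mark the connection once, on the SYN (first packet) only; the
  #    "-m connmark --mark 0" guard skips connections already marked.
  run iptables -t mangle -A PREROUTING -i "$SCB_IN_IF" -p tcp --syn \
      -d "$SCB_NET" --dport "$SCB_PORT" -m connmark --mark 0 \
      -j CONNMARK --set-mark "$SCB_MARK"
  # 2. Copy the connection mark onto every packet of that connection
  #    (both directions), so later packets carry the fwmark too.
  run iptables -t mangle -A PREROUTING -m connmark --mark "$SCB_MARK" \
      -j CONNMARK --restore-mark
  # 3. Policy routing: packets carrying fwmark 1 use the scb table.
  run ip route replace default via "$SCB_GW" table "$SCB_TABLE"
  run ip rule add fwmark "$SCB_MARK" table "$SCB_TABLE"
}

# Checks to run after applying: rule counters, rule list and the scb table.
scb_check() {
  run iptables -t mangle -L PREROUTING -n -v
  run ip rule show
  run ip route show table "$SCB_TABLE"
}
```

Run with `DRY_RUN=1 sh script.sh` first to inspect the generated commands, then `DRY_RUN=0` as root to apply them.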
