I have configured multiple routing tables and iptables rules to manage traffic, but I am facing an issue where the first marked packet is not routed correctly according to the specified table. However, subsequent packets work as expected. This is my setup:
Routing Tables:
$ sudo ip route show table table-1
192.168.100.0/24 dev table-1 scope link
$ sudo ip route show table table-2
192.168.100.0/24 dev table-2 scope link
IP Rules:
$ sudo ip rule
0:      from all lookup local
32756:  from all fwmark 0x2 lookup table-1
32757:  from all fwmark 0x1 lookup table-2
32766:  from all lookup main
32767:  from all lookup default
iptables Rules:
$ sudo iptables -L
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

$ sudo iptables -t nat -L -v
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain PREROUTING (policy ACCEPT 408K packets, 36M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 408K packets, 36M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 29989 packets, 3272K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 30089 packets, 3287K bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    68 MASQUERADE  all  --  any    table-2  anywhere             anywhere
    0     0 MASQUERADE  all  --  any    table-1  anywhere             anywhere
iptables Marking Rules:
$ sudo iptables -t mangle -A PREROUTING -d 192.168.100.1 -p udp --dport 1234 -j MARK --set-mark 1
$ sudo iptables -t mangle -A PREROUTING -d 192.168.100.1 -p udp --dport 1234 -m string --algo kmp --hex-string "|0a 0a 0a ba|" --from 36 --to 40 -j MARK --set-mark 2
The second iptables rule works for subsequent packets but not for the first marked packet. Even though the first packet gets correctly marked (I have logged it and checked it), it is not forwarded to the expected output interface according to the routing tables (I have sniffed the interfaces). For the second packet and beyond, everything works as expected.
I'm unsure if there's a delay or ordering issue with how the fwmark-based routing interacts with the marking rules. I believe the first packet might be getting intercepted or misrouted by another rule before it reaches the routing decision based on the mark.
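A diagnostic script for a setup like the one in the question, added here as an example and not taken from the post. It separates the two halves of the problem: the routing side (which tables `ip rule` would walk for a packet carrying a given fwmark, and what the kernel actually decides for that mark via `ip route get ... mark ... iif ...`) from the marking side (the mangle rules). `fwmark_tables` only evaluates the `fwmark` selector and treats every other rule as matching, which is enough for rules of the `from all` form shown above; the walk it prints is the ordered list of tables the kernel consults, the first table that holds a matching route winning. The interface names, the destination and the neighbour check are assumptions for illustration; the live commands need the same privileges as the `sudo ip ...` commands in the question.

```shell
#!/bin/sh
# Added example (not the asker's code): resolve a packet mark against the
# policy-routing rules and confirm the kernel's live routing decision for it.
# Assumes the "ip" tool from iproute2; interface names are placeholders.

# fwmark_tables RULES MARK
#   RULES is the text of "ip rule show", MARK a decimal or 0x-hex mark.
#   Prints, in priority order (lowest number first), the tables the kernel
#   would consult for that mark. A rule "fwmark VALUE/MASK" matches when
#   (MARK & MASK) == VALUE; a rule without fwmark matches every packet.
fwmark_tables() {
    rules=$1
    mark=$(( $2 ))
    printf '%s\n' "$rules" | sort -n | while read -r prio rest; do
        # rest looks like "from all fwmark 0x2 lookup table-1"
        case "$rest" in
            *fwmark*)
                sel=${rest#*fwmark }; sel=${sel%% *}      # 0x2 or 0x2/0xff
                case "$sel" in
                    */*) val=${sel%%/*}; msk=${sel#*/} ;;
                    *)   val=$sel;       msk=0xffffffff ;;
                esac
                [ $(( (mark & msk) == val )) -eq 1 ] || continue
                ;;
        esac
        case "$rest" in
            *lookup*) tbl=${rest#*lookup }; tbl=${tbl%% *}; printf '%s ' "$tbl" ;;
        esac
    done | sed 's/ $//'
}

# route_for_mark DST MARK [IIF]
#   The kernel's actual decision for a packet to DST carrying MARK. Without
#   IIF the lookup is for a locally generated packet; with IIF it is for a
#   packet arriving on that interface, i.e. the forwarded case that PREROUTING
#   marking applies to.
route_for_mark() {
    dst=$1; mark=$2; iif=${3-}
    if [ -n "$iif" ]; then
        ip -4 route get "$dst" mark "$mark" iif "$iif"
    else
        ip -4 route get "$dst" mark "$mark"
    fi
}

# neigh_for DEV
#   Neighbour cache on the chosen output device. The first packet to a next
#   hop that is not yet in this cache is held until ARP resolves, so for a
#   first-packet-only symptom it is worth looking at alongside the route.
neigh_for() {
    ip -4 neigh show dev "$1"
}

# Live mode: ./check_fwmark.sh DST MARK [IIF] [DEV], e.g.
#   sudo ./check_fwmark.sh 192.168.100.1 0x2 eth0 table-1
# With no arguments the functions are only defined, so the file can be sourced.
if [ "$#" -ge 2 ]; then
    echo "rule walk for mark $2: $(fwmark_tables "$(ip -4 rule show)" "$2")"
    route_for_mark "$1" "$2" "${3-}"
    if [ -n "${4-}" ]; then
        neigh_for "$4"
    fi
fi
```

Run it once per mark the mangle rules can produce (0x1 and 0x2 here) with `iif` set to the interface the UDP traffic arrives on. If `ip route get ... mark 0x2 iif <in>` already picks the wrong device, the fault is in the rules or tables and the mangle rules are not involved; if it picks the right device, the routing side is sound and the first-packet behaviour has to be explained by something that happens before or after the lookup, such as the mark not yet being set when the decision is taken or the first packet waiting on neighbour resolution.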