[问题求助]iptables打标记与IP策略使用mark的问题 [复制链接]

使用了SNAT，

iptables -t mangle -I PREROUTING -s 192.168..0.222 -p udp --dport 8000 -j MARK --set-.mark .100教育
ip rul.e add. fwmark 100 table net2[成人用品]

我.使用iptables 做的.标记被ip rule使用了后，全部客户都不能上网了。电脑
使用ip rule查看是这样.的了：            杀毒
from all lookup l.ocal.
from all look.up net2    美容
......
......

为什么不是"from all. fwmark 100 lookup nat2".这样的？            杀毒

在"Linux A.dvanced Routing & Traffic Control".第11章看到“IMPORTANT: We received a report that MASQ and SNAT at least collide with marking packets. Rusty Russell ex.plains it. in this posting. Turn off the reverse path filter to .make it work prope.rly.”说MASQ和SNAT功能与数据包标记有冲.突，请问是不是这个原因？怎么解决？虚拟主机
谢谢各位解答。

[ 本帖最后由 c.exoyq 于 2007-.11-16 01:29 编辑 ]投资

然后运行：
ip rule add fwmark 100 table NET2
再ip rule
[root@GateWay-xy003 nat]# ip rule
0:      from all lookup local
32594:  from all lookup NET2
32595:  from 192.168.0.222 lookup NET2
32596:  from 192.168.0.222 lookup NET2
32597:  from 192.168.0.174 lookup NET2
32598:  from 192.168.0.173 lookup NET2
32599:  from 192.168.0.171 lookup NET2
32600:  from 192.168.0.166 lookup NET2
32601:  from 192.168.0.165 lookup NET2
32602:  from 192.168.0.164 lookup NET2
32603:  from 192.168.0.156 lookup NET2
32604:  from 192.168.0.154 lookup NET2
32605:  from 192.168.0.151 lookup NET2
32606:  from 192.168.0.146 lookup NET2
32607:  from 192.168.0.144 lookup NET2
32608:  from 192.168.0.143 lookup NET2
32609:  from 192.168.0.142 lookup NET2
32610:  from 192.168.0.149 lookup NET2
32611:  from 192.168.0.141 lookup NET2
32612:  from 192.168.0.138 lookup NET2
32613:  from 192.168.0.134 lookup NET2
32614:  from 192.168.0.132 lookup NET2
32615:  from 192.168.0.133 lookup NET2
32616:  from 192.168.0.122 lookup NET2
32617:  from 192.168.0.113 lookup NET2
32618:  from 192.168.0.68 lookup NET1
32619:  from 192.168.0.66 lookup NET1
32620:  from 192.168.0.65 lookup NET1
32621:  from 192.168.0.64 lookup NET1
32622:  from 192.168.0.61 lookup NET1
32623:  from 192.168.0.58 lookup NET1
32624:  from 192.168.0.51 lookup NET1
32625:  from 192.168.0.47 lookup NET1
32626:  from 192.168.0.44 lookup NET1
32627:  from 192.168.0.42 lookup NET1
32628:  from 192.168.0.41 lookup NET1
32629:  from 192.168.0.38 lookup NET1
32630:  from 192.168.0.35 lookup NET1
32631:  from 192.168.0.33 lookup NET1
32632:  from 192.168.0.32 lookup NET1
32633:  from 192.168.0.31 lookup NET1
32634:  from 192.168.0.26 lookup NET1
32635:  from 192.168.0.16 lookup NET1
32636:  from 192.168.0.14 lookup NET1
32637:  from 192.168.0.12 lookup NET1
32638:  from 192.168.0.13 lookup NET1
32723:  from 192.168.0.200 lookup NET2
32766:  from all lookup main
32767:  from all lookup default

[root@GateWay-xy003 nat]# ip route list
192.168.0.222 dev ppp0  proto kernel  scope link  src 192.168.0.252
192.168.0.13 dev ppp6  proto kernel  scope link  src 192.168.0.252
192.168.0.31 dev ppp2  proto kernel  scope link  src 192.168.0.252
192.168.0.47 dev ppp4  proto kernel  scope link  src 192.168.0.252
192.168.0.133 dev ppp9  proto kernel  scope link  src 192.168.0.252
192.168.0.164 dev ppp1  proto kernel  scope link  src 192.168.0.252
192.168.0.144 dev ppp3  proto kernel  scope link  src 192.168.0.252
193.168.1.0/24 dev eth2  proto kernel  scope link  src 193.168.1.251
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.251
169.254.0.0/16 dev eth2  scope link
192.168.0.0/16 dev eth0  proto kernel  scope link  src 192.168.0.252
default via 193.168.1.1 dev eth2

[root@GateWay-xy003 nat]# ip route list table NET2
193.168.1.0/24 dev eth2  scope link  src 193.168.1.251
192.168.1.0/24 dev eth1  scope link  src 192.168.1.251
192.168.0.0/24 dev eth0  scope link  src 192.168.0.252
default via 192.168.1.1 dev eth1

# Generated by iptables-save v1.2.11 on Fri Nov 16 18:16:06 2007
*nat
:PREROUTING ACCEPT [223296:16308488]
:POSTROUTING ACCEPT [421:136471]
:OUTPUT ACCEPT [23202:1618956]
-A PREROUTING -i eth1 -p udp -m udp --dport 16882 -j DNAT --to-destination 192.168.0.200:16882
-A PREROUTING -i eth1 -p udp -m udp --dport 16881 -j DNAT --to-destination 192.168.0.110:16881
-A PREROUTING -i eth1 -p tcp -m tcp --dport 16882 -j DNAT --to-destination 192.168.0.200:16882
-A PREROUTING -i eth1 -p tcp -m tcp --dport 16881 -j DNAT --to-destination 192.168.0.110:16881
-A PREROUTING -d 192.168.0.252 -p udp -m udp --dport 27015 -j DNAT --to-destination 192.168.0.251:27015
-A PREROUTING -d 192.168.1.251 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.251:80
-A PREROUTING -d 192.168.0.252 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.252:80
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth2 -j SNAT --to-source 193.168.1.251
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.1.251
COMMIT
# Completed on Fri Nov 16 18:16:06 2007
# Generated by iptables-save v1.2.11 on Fri Nov 16 18:16:06 2007
*mangle
:PREROUTING ACCEPT [5386263:2989944906]
:INPUT ACCEPT [2243117:1606012702]
:FORWARD ACCEPT [3131644:1382885853]
:OUTPUT ACCEPT [2599856:1640118311]
:POSTROUTING ACCEPT [5620566:3014805935]
-A PREROUTING -s 192.168.0.222 -p tcp -m tcp --dport 80 -j MARK --set-mark 0x64
COMMIT
# Completed on Fri Nov 16 18:16:06 2007
# Generated by iptables-save v1.2.11 on Fri Nov 16 18:16:06 2007
*filter
:INPUT DROP [12991:1213065]
:FORWARD DROP [29427:1611239]
:OUTPUT ACCEPT [377022:205172034]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.110 -j ACCEPT
-A INPUT -s 192.168.0.200 -j ACCEPT
-A INPUT -s 192.168.0.252 -j ACCEPT
-A INPUT -s 192.168.0.251 -j ACCEPT
-A INPUT -s 202.103.24.68 -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 8000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 16881 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 16880 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 3000 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -d 192.168.0.254 -p tcp -m tcp --dport 20:23 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 60001 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 47 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -p udp -m udp --dport 27015:27025 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 137:139 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 60000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A FORWARD -s 192.168.0.222 -j ACCEPT
-A FORWARD -d 192.168.0.200 -p udp -m udp --dport 16882 -j ACCEPT
-A FORWARD -d 192.168.0.200 -p tcp -m tcp --dport 16882 -j ACCEPT
-A FORWARD -d 192.168.0.110 -p udp -m udp --dport 16881 -j ACCEPT
-A FORWARD -d 192.168.0.110 -p tcp -m tcp --dport 16881 -j ACCEPT
-A FORWARD -p udp -m udp --dport 8000 -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 6020 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 7000:7009 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 29000 -j ACCEPT
-A FORWARD -d 218.1.72.85 -j ACCEPT
-A FORWARD -d 125.35.5.240 -p tcp -m tcp --dport 20008 -j ACCEPT
-A FORWARD -d 221.130.185.190 -p tcp -m tcp --dport 1212 -j ACCEPT
-A FORWARD -d 202.103.27.6 -p tcp -m tcp --dport 8002 -j ACCEPT
-A FORWARD -d 61.129.44.143 -j ACCEPT
-A FORWARD -d 218.249.71.250 -j ACCEPT
-A FORWARD -d 221.232.111.134 -j ACCEPT
-A FORWARD -d 219.133.48.92 -j ACCEPT
-A FORWARD -d 219.133.41.73 -j ACCEPT
-A FORWARD -d 219.133.40.130 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 6667 -j ACCEPT
-A FORWARD -d 211.67.66.125 -j ACCEPT
-A FORWARD -d 211.67.66.126 -j ACCEPT
-A FORWARD -d 211.67.66.116 -j ACCEPT
-A FORWARD -d 218.249.71.250 -p tcp -m tcp --dport 20008 -j ACCEPT
-A FORWARD -d 60.190.139.103 -p tcp -m tcp --dport 11002 -j ACCEPT
-A FORWARD -d 60.190.139.102 -p tcp -m tcp --dport 11002 -j ACCEPT
-A FORWARD -d 60.192.139.108 -p tcp -m tcp --dport 11002 -j ACCEPT
-A FORWARD -d 222.73.13.171 -p tcp -m tcp --dport 11000 -j ACCEPT
-A FORWARD -d 60.190.139.105 -p tcp -m tcp --dport 11008 -j ACCEPT
-A FORWARD -d 60.190.139.104 -p tcp -m tcp --dport 11002 -j ACCEPT
-A FORWARD -d 60.190.139.107 -p tcp -m tcp --dport 11002 -j ACCEPT
-A FORWARD -d 222.73.13.172 -p tcp -m tcp --dport 11000 -j ACCEPT
-A FORWARD -d 222.218.156.26 -j ACCEPT
-A FORWARD -d 61.129.59.114 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -d 60.28.249.134 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -d 60.28.249.135 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -d 60.28.249.136 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -d 211.152.52.60 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -d 211.152.52.57 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -d 61.152.146.42 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -d 211.152.52.60 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -d 218.30.84.159 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -d 211.152.52.56 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -d 211.152.52.55 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -d 211.152.52.51 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -d 211.152.52.58 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 6664 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 6663 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 6662 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 6661 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5622 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 16666 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 554 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 554 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 110 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -d 61.172.204.124 -j ACCEPT
-A FORWARD -d 219.133.61.21 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 7788 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 6628 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 6299 -j ACCEPT
-A FORWARD -p udp -m udp --dport 27010:27025 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 6112 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 3724 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 8000 -j ACCEPT
-A FORWARD -p udp -m udp --dport 8000 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 1080 -j DROP
-A FORWARD -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -p udp -m udp --dport 110 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 23 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 60001 -j ACCEPT
-A OUTPUT -d 222.89.158.19 -j DROP
COMMIT
# Completed on Fri Nov 16 18:16:06 2007

[ 本帖最后由 cexoyq 于 2007-11-16 10:24 编辑 ]

帖
ip route list
ip route list table net2

iptables-save

ip rule list
看看。

谢谢版主。
但是我的为什么打了MARK的标记加到 IP策略中会出问题呢。
大概与什么参数有关？

MARK和SNAT/MASQUERADE同时用时没发现这个问题。