iptables packet marking issue

[fixx]

Hey guys.

I have small issue with iptables. I have two rules, one that marks traffic destined for our own internal subnets and then one that redirects http traffic to the local proxy server on the server.

Now the problem is I want to excluded the marked packets from being redirected to the transparent proxy, but for some reason it doesn't work.

Here are the two rules:

iptables -t mangle -A PREROUTING -s $lan -d 172.0.0.0/8 -m mark --mark 10
iptables -t nat -A PREROUTING -s $lan -p tcp --dport 80 -m mark ! --mark 10 -j REDIRECT --to-ports 3128

Can someone please tell me what I am doing wrong?

Thanks

 

[Tinuva]

I am not sure if those rules are correct, but you are not actually marking packets.

Set mark:

${IPTABLES} -v -t mangle -A PREROUTING -s $lan -d 172.0.0.0/8 -j MARK --set-mark 10

Match mark: (or negative match as in your case)

${IPTABLES} -v -t nat -A PREROUTING -s $lan -p tcp --dport 80 -m mark ! --mark 10 -j REDIRECT --to-ports 3128

 

[fixx]

Ah yeh, ffs. Thanks. -j sets se action which wasn't there.

Thank you

 

[Tinuva]

Ah yeh, ffs. Thanks. -j sets se action which wasn't there.

Thank you

Was a pleasure. I remembering reading your old blog at one point, before I actually started working, was still a student back then.

 

[fixx]

Yeh, the blog is still up but I rarely post anything on it no a days.