How to drop connmark packets not equal to specific mark?

DD-WRT Forum Index -> Advanced Networking
OpenSource Ghost
DD-WRT User


Joined: 14 Feb 2022
Posts: 50

Posted: Fri Jun 09, 2023 13:30    Post subject: How to drop connmark packets not equal to specific mark?
This isn't specific to DD-WRT. The following iptables-based PBR rules stop all forwarding for the brX interface because of the last rule:
iptables -t mangle -A PREROUTING -i brX -s X.X.X.X -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i brX -s X.X.X.X -j CONNMARK --save-mark
iptables -t mangle -A FORWARD -i brX -s X.X.X.X -m connmark --mark 12 -j CONNMARK --restore-mark
iptables -t mangle -A FORWARD -i brX -s X.X.X.X -m connmark ! --mark 12 -j DROP

The last rule is supposed to drop packets that do not have mark 12, but that stops all forwarding. Why? Is there another way to write a rule that does the same without breaking forwarding? I want to allow forwarding only to brX packets that have mark 12 from PREROUTING.
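As an added example (not posted by either participant), here is a small script that applies the same set/save/restore/drop pattern with explicit mark masks, so the connmark bits cannot collide with any other marks the router sets, and then lists the mangle FORWARD counters so you can see which rule is actually eating the traffic. The interface br0, host 192.0.2.10 and mask 0xff are placeholder assumptions, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: connmark-based PBR rules with explicit masks plus a counter check.
# br0, 192.0.2.10 and the 0xff mask are placeholders, not values from the thread.

IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 echoes the commands instead of executing them

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Arguments: interface, source host, mark value.
apply_pbr_rules() {
    ifc="$1"; src="$2"; mark="$3"; mask=0xff
    # 1. Set the packet mark for traffic from src arriving on ifc (only the masked bits).
    ipt -t mangle -A PREROUTING -i "$ifc" -s "$src" -j MARK --set-mark "$mark/$mask"
    # 2. Copy the masked packet mark into the conntrack entry.
    ipt -t mangle -A PREROUTING -i "$ifc" -s "$src" -j CONNMARK --save-mark --mask "$mask"
    # 3. Put the saved connection mark back onto every forwarded packet of that flow.
    ipt -t mangle -A FORWARD -i "$ifc" -s "$src" -j CONNMARK --restore-mark --mask "$mask"
    # 4. Drop packets from src whose masked connection mark is not the expected value.
    ipt -t mangle -A FORWARD -i "$ifc" -s "$src" -m connmark ! --mark "$mark/$mask" -j DROP
}

# Per-rule packet/byte counters: if the DROP rule's counter climbs while the
# restore rule's does not, the mark is never being restored for that traffic.
show_counters() {
    ipt -t mangle -L FORWARD -v -n --line-numbers
}

# Usage: DRY_RUN=1 sh pbr.sh br0 192.0.2.10 12   (prints the rules without applying them)
if [ $# -eq 3 ]; then
    apply_pbr_rules "$1" "$2" "$3"
    show_counters
fi
```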
OpenSource Ghost
DD-WRT User


Joined: 14 Feb 2022
Posts: 50

Posted: Sun Jun 11, 2023 16:42    Post subject: Re: How to drop connmark packets not equal to specific mark?
Bump!
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Sun Jun 11, 2023 17:31    Post subject:
try this way

iptables -t mangle -A FORWARD -i brX ! -s X.X.X.X -m connmark --mark 12 -j DROP

(not bad to tell us router model and current firmware number)

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913