Mangle iptables questions

My question is specific to iptables, not OpenWRT. The question is trivial: can an IP address be used in the mangle table with the -d or -s options?

It is about targets, but what about -d or -s?

My apologies, I actually didn't realize you were the OP. I have removed my response. I wish you well and hope someone can answer in a manner you desire.


user@machine:~$ sudo iptables -t mangle -A PREROUTING -d 8.8.8.8/32 -p tcp --dport 22 -j MARK --set-mark 2
user@machine:~$ sudo iptables -L -t mangle 
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
MARK       tcp  --  anywhere             dns.google           tcp dpt:ssh MARK set 0x2

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
user@machine:~$ sudo iptables -t mangle -D PREROUTING -d 8.8.8.8/32 -p tcp --dport 22 -j MARK --set-mark 2
user@machine:~$ sudo iptables -t mangle -A PREROUTING -s 8.8.8.8/32 -p tcp --dport 22 -j MARK --set-mark 2
user@machine:~$ sudo iptables -L -t mangle 
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
MARK       tcp  --  dns.google           anywhere             tcp dpt:ssh MARK set 0x2

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination    

(For anyone else who wants to know if it's possible, see output of a simple test on any machine with iptables.)


As you wish. So does it work for PREROUTING chain?

I'm not sure if you're joking or not again...you did read the complete post above, correct???

You're really showing that you're unwilling to test, unable to look at manuals generally available via web search, and unwilling to look at postings that contain your answer.

It's also generally :frowning: upon to ask one question, then ask another unrelated one. The very weird thing is that sometimes your follow-up question requires people to ignore that they already posted your answers!

The problem is that a specific rule in the OUTPUT chain doesn't work, although the output of iptables looks fine. So how do you suggest testing whether the rule works?

I don't understand this, nor do I see a problem (yet).

  • Are you having an issue with a rule?
  • If so, can you please show it?

I don't understand your question or its basis. Are you having an actual issue with a mangle iptables rule?

If so, please provide that information in your next post - for someone to provide you assistance. Thanks.

OK.

iptables -t mangle -A VPR_OUTPUT -p tcp -m multiport --sports 22 ! -d 192.168.1.0/24 -m comment --comment Ssh-Wan2Lan -j MARK --set-xmark 0x10000/0xff0000

Now, can you explain your exact issue...?

As I already see some things...and I don't want to guess the obvious and evident problem here.

The rule appears incorrect:

  • You claim it's an output rule
  • Then the comment says Wan2Lan
  • You have ! -d 192.168.1.0/24
  • Do you see the problem?

In the process of explaining the exact issue, maybe you can also explain the situation where you believe this rule would be met; and why you created it in the first place?

Also, since this isn't an OpenWrt issue, perhaps you should ask in a forum more suited for iptables - if more in depth information is needed?

The rule works without '! -d 192.168.1.0/24' and has no effect with this option. The problem is that without the option, the SSH connection from LAN doesn't work.

It likely does work without it, especially if your LAN happens to be 192.168.1.0/24.

???

You lost me...I have absolutely 0 clue what you mean. It works without...but has no influence with it??? (Is this some kinda vice versa statement? :confused: )

Please explain what you mean. I've never had to mangle a packet (using the table) to make a connection work...and I surmise most people do not...so can you take some time to thoroughly explain the use case?

As I noted already:

Please explain more in depth. Most people make a port forward rule for a connection from WAN to LAN...and no rule is needed for a SSH connection from LAN to WAN...so please try really hard this time to explain why you're making a mangle rule instead - and why it's needed in your use case.

Sorry, I'll explain; it is trivial. The router is running an OpenVPN client, so the default route is via tun. Configuring access from WAN by SSH needs an additional routing table via WAN, and marking packets. Policy-Based Routing by @stangri does it, appending the rule without the '! -d 192.168.1.0/24' option. Connection from WAN by SSH works, but connection from LAN by SSH doesn't. So the idea is not to mark packets being sent to the LAN network.

:open_mouth:

Before I type something long again:

  • why did you just mention OpenVPN...after six hours?
  • to be clear, you are aware that the exclamation symbol in your syntax (!) means "does not equal"?

This is what I expect; and you don't need to mark packets to LAN.

Anyways...

It woulda also been nice for you to mention OpenVPN before 6 hours had elapsed. I finally understand the use case is you're somehow trying to mark packets being FORWARDED from LAN to WAN - so that SSH connections to the router are via WAN and not over OpenVPN. Thanks for clarifying.

Perhaps you should ask @stangri.

OK, I've asked stangri already, and now I have just begun with the most common case. Yes, the exclamation mark means negation, but with the -d or -s option the rule is appended but has no influence on the SSH connection.
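Two questions in this thread stay open: how to test whether an appended mangle rule actually matches anything (a plain `iptables -L` only proves the rule exists), and which packets a negated match such as `! -d 192.168.1.0/24` selects. The script below is an added example, written for this page and not posted by any participant or taken from the PBR package. It parses the counter columns that `iptables -t mangle -L <chain> -v -n -x --line-numbers` prints (`-v` adds packet/byte counters, `-n` suppresses the `dns.google`-style lookups seen above, `-x` prints exact numbers), lists rules that have never matched a packet, and evaluates a rule's source/destination specs, including `!` negation, against a given address pair. The listing embedded in it is constructed for the example; the exact column spacing of a live listing may differ, which the whitespace-tolerant regex accommodates.

```python
"""Check whether mangle rules match traffic, rather than only whether they exist.

Added example for the thread above; not from the forum or the PBR package.
Assumes the column order of `iptables -L -v -n -x --line-numbers`, which is
stable across iptables releases, and Python 3.8+.
"""
from __future__ import annotations

import ipaddress
import re
import subprocess
from dataclasses import dataclass

# Constructed sample: what the OUTPUT chain of the mangle table might show after
# the three rules discussed in the thread were appended. Rule 1 has matched 42
# packets; rules 2 and 3 have matched nothing since the counters were reset.
SAMPLE_OUTPUT = """\
Chain OUTPUT (policy ACCEPT 1523 packets, 183240 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1          42     2520 MARK       tcp  --  *      *       0.0.0.0/0            8.8.8.8              tcp dpt:22 MARK set 0x2
2           0        0 MARK       tcp  --  *      *       8.8.8.8              0.0.0.0/0            tcp dpt:22 MARK set 0x2
3           0        0 MARK       tcp  --  *      *       0.0.0.0/0           !192.168.1.0/24       tcp spt:22 /* Ssh-Wan2Lan */ MARK xset 0x10000/0xff0000
"""

# One rule line: line number, counters, target, proto, opt, in/out interface,
# source, destination, then free-form match/action text.
RULE_RE = re.compile(
    r"^\s*(?P<num>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<target>\S+)\s+"
    r"(?P<prot>\S+)\s+(?P<opt>\S+)\s+(?P<iface_in>\S+)\s+(?P<iface_out>\S+)\s+"
    r"(?P<source>\S+)\s+(?P<destination>\S+)\s*(?P<extra>.*)$"
)


@dataclass
class Rule:
    num: int
    pkts: int
    target: str
    prot: str
    source: str        # "0.0.0.0/0", "8.8.8.8" or a negated spec like "!192.168.1.0/24"
    destination: str
    extra: str         # port matches, comment and MARK action as printed


def parse_chain(listing: str) -> list[Rule]:
    """Turn one chain's `-v -n -x --line-numbers` listing into Rule objects."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)      # "Chain ..." and the header line do not match
        if m:
            rules.append(Rule(int(m["num"]), int(m["pkts"]), m["target"], m["prot"],
                              m["source"], m["destination"], m["extra"].strip()))
    return rules


def address_matches(spec: str, ip: str) -> bool:
    """Apply an iptables -s/-d spec, with optional leading '!', to one address."""
    negate = spec.startswith("!")
    network = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    inside = ipaddress.ip_address(ip) in network
    return not inside if negate else inside


def rules_matching(rules: list[Rule], src: str, dst: str) -> list[Rule]:
    """Rules whose source and destination specs both accept the given pair.

    Only the address matches are evaluated; protocol and port matches in
    `extra` are not parsed here.
    """
    return [r for r in rules
            if address_matches(r.source, src) and address_matches(r.destination, dst)]


def zero_counter_rules(rules: list[Rule]) -> list[Rule]:
    """Rules that have not matched a single packet: the first thing to look at
    when a rule 'looks fine' in the listing but has no visible effect."""
    return [r for r in rules if r.pkts == 0]


def read_chain(chain: str = "OUTPUT", table: str = "mangle") -> str:
    """Fetch the live listing; needs root and iptables on the host."""
    cmd = ["iptables", "-t", table, "-L", chain, "-v", "-n", "-x", "--line-numbers"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    parsed = parse_chain(SAMPLE_OUTPUT)
    for r in zero_counter_rules(parsed):
        print(f"rule {r.num} ({r.source} -> {r.destination}) has matched 0 packets")
    for src, dst in [("192.168.1.1", "192.168.1.20"), ("192.168.1.1", "203.0.113.5")]:
        hits = [r.num for r in rules_matching(parsed, src, dst)]
        print(f"{src} -> {dst}: address specs of rules {hits} accept this pair")
```

Run it with `python3 check_mangle.py` against the embedded sample, or replace `SAMPLE_OUTPUT` with `read_chain("VPR_OUTPUT")` on the router. A zero counter after generating the traffic in question means the packet never traversed that chain with those attributes, which is the usual reason a rule that "looks fine" does nothing: for instance, an OUTPUT-chain rule only sees packets the router itself originates, and the `! -d 192.168.1.0/24` spec accepts every destination outside the LAN and rejects every address inside it.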