linux drops packet when trying to route it - why?


I track packets using LOG targets for all chains of all tables and the last chain I see my packet in is the POSTROUTING chain of the mangle table:

mangle_PREROUTING: IN=eth0 OUT= MAC=00:16:3e:0f:01:00:00:16:3e:0f:02:00:08:00
SRC= DST= LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=60912 PROTO=ICMP
TYPE=0 CODE=0 ID=41230 SEQ=1

As off, I expected that packet to appear in FORWARD chain of the mangle table, but it never gets there. The only thing between these is the routing table.

# ip rule list
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

# ip route list
default via  dev eth3
 dev eth1  proto kernel  scope link  src
 dev eth2  proto kernel  scope link  src
 dev eth0  proto kernel  scope link  src
 dev eth3  proto kernel  scope link  src

So that packet should be routable via (That system can also ping

iptables (all chains ACCEPT) has only these rules (except for logging at the end):

-t raw -A PREROUTING -j MARK --set-xmark 0x0/0xffffffff
-t mangle -A PREROUTING -s -d -j MARK --set-xmark 0x1/0xffffffff
-t mangle -A PREROUTING -p esp -j MARK --set-xmark 0x1/0xffffffff

But those rules should not match: The destination is and it is not ESP...

Any hints?

Best regards, Steffen

asked on Super User May 20, 2012 by Steffen Heil

1 Answer


I think that your problem is the rp_filter. You have a packet with source that was received on the interface eth0. Your route table says the network is reached via eth3 (default route). I suppose that you don't have a typo.

If the problem is the rp_filter, packets are dropped before FORWARD.

rp_filter means "reverse path filter", usually enabled by default. Only packets coming in on the right interface (according to the routes) are allowed.

sysctl -w net.ipv4.conf.all.rp_filter=0
answered on Super User May 21, 2012 by Diego Woitasen
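The following script is an added example and not part of either post; it shows how to confirm the rp_filter diagnosis on the router instead of just disabling the filter. It encodes the three rp_filter modes (0 disabled, 1 strict, 2 loose) as a pure decision function, then uses `sysctl`, `ip route get` and `nstat` to apply that decision to a real source/destination/interface triple. The addresses and the interface name passed to `diagnose` are placeholders, since the original question redacted them; the effective mode is taken as the larger of `net.ipv4.conf.all.rp_filter` and the per-interface value, which is why setting only `all=0` is not always enough.

```shell
#!/bin/sh
# Added example (not from the Super User thread): work out whether rp_filter
# is what eats a packet between mangle PREROUTING and mangle FORWARD.
# Requires iproute2 and root for the live part; the pure functions need nothing.

# The kernel uses max(conf.all.rp_filter, conf.<iface>.rp_filter).
rp_effective() {
    all=$1 iface=$2
    if [ "$all" -gt "$iface" ]; then echo "$all"; else echo "$iface"; fi
}

rp_mode_name() {
    case "$1" in
        0) echo disabled ;;
        1) echo strict ;;
        2) echo loose ;;
        *) echo unknown ;;
    esac
}

# Decide what rp_filter does with a packet, given the effective mode, the
# interface it arrived on, and the interface the routing table would use to
# send a reply to its source ("" when there is no route to the source at all).
rp_decision() {
    mode=$1 iif=$2 route_dev=$3
    case "$mode" in
        0) echo accept ;;                                # no source validation
        1) if [ "$route_dev" = "$iif" ]; then echo accept; else echo drop; fi ;;   # strict
        2) if [ -n "$route_dev" ]; then echo accept; else echo drop; fi ;;         # loose
        *) echo unknown ;;
    esac
}

# Live check on the router. SRC/DST/IIF are the values from the LOG line.
diagnose() {
    src=$1 dst=$2 iif=$3
    all=$(sysctl -n net.ipv4.conf.all.rp_filter)
    per=$(sysctl -n "net.ipv4.conf.$iif.rp_filter")
    eff=$(rp_effective "$all" "$per")
    echo "rp_filter: all=$all $iif=$per effective=$eff ($(rp_mode_name "$eff"))"

    # Which interface would the kernel use to reach the packet's source?
    route_dev=$(ip route get "$src" 2>/dev/null | head -1 | sed -n 's/.* dev \([^ ]*\).*/\1/p')
    echo "route back to $src goes out via: ${route_dev:-<no route>} (packet came in on $iif)"
    echo "rp_filter verdict: $(rp_decision "$eff" "$iif" "$route_dev")"

    # Cross-check with the kernel's own input-route lookup, which applies the
    # same source validation as a received packet.
    if ip route get "$dst" from "$src" iif "$iif" >/dev/null 2>&1; then
        echo "kernel input route lookup: ok"
    else
        echo "kernel input route lookup: rejected (this is where the packet dies)"
    fi

    # Drops are counted here; martian logging puts them in dmesg as well.
    nstat -az TcpExtIPReversePathFilter 2>/dev/null
    echo "to see each drop: sysctl -w net.ipv4.conf.all.log_martians=1 && dmesg | grep -i martian"
}

# Example invocation with placeholder values (the post redacted the real ones):
# diagnose 192.0.2.10 198.51.100.20 eth0
```

If the verdict is `drop` in strict mode, the less drastic fix for asymmetric routing is `net.ipv4.conf.eth0.rp_filter=2` (loose mode, which only requires that some route back to the source exists) or a specific route for the source network via eth0, rather than turning source validation off on every interface; rp_filter is part of the router's anti-spoofing, and `all=0` removes it globally.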

User contributions licensed under CC BY-SA 3.0