I'm trying to use iptables to mark incoming packets based on the device where those packets arrived (rather than their originating IP address or port etc), but haven't found a way of getting this to work.
Specifically, I can set up a filter that counts every incoming packet (and that works ok):
iptables -F -t mangle
iptables -A PREROUTING -t mangle -j MARK --set-mark 1
iptables -t mangle -nvL
Chain PREROUTING (policy ACCEPT 185 packets, 41507 bytes)
pkts bytes target prot opt in out source destination
185 41507 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK set 0x1
However, a filter to catch only packets from eth2 never seems to get triggered (even though that's precisely where all the traffic is coming from):
iptables -F -t mangle
iptables -A PREROUTING -t mangle -i eth2 -j MARK --set-mark 1
iptables -t mangle -nvL
Chain PREROUTING (policy ACCEPT 101 packets, 19288 bytes)
pkts bytes target prot opt in out source destination
0 0 MARK all -- eth2 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x1
From online howtos etc., it seems that this behaviour may well be a logical consequence of the way iptables works, and that to get round this, people tried using IMQ (before IMQ got dropped) and then moved on to using IFB instead. But there the documentation trail seemed to go stone cold.
So my question is this: if using IFB is the right way of getting round this issue, what would the equivalent IFB way of marking incoming traffic by device look like?
Alternatively, is there a way of classifying traffic coming in over a given interface as one of a set of different realms? e.g. eth0 --> realm_10, eth1 --> realm_11, etc. This approach seems like it also ought to work, but I (again) haven't yet found any practical documentation for this either.
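Added diagnostic helpers (not from the original post) for the symptom above: before switching to IFB, confirm from the counters whether the interface-specific MARK rule is matching at all and which interface the packets are really entering on. The functions read the text of `iptables -t mangle -nvL` and `/proc/net/dev` from stdin; the listing sample is the eth2 listing from the post and the `/proc/net/dev` snapshot is constructed, so everything runs offline.

```shell
#!/bin/sh
# Constructed sample: the eth2 listing from the question (iptables -t mangle -nvL).
LISTING_ETH2='Chain PREROUTING (policy ACCEPT 101 packets, 19288 bytes)
 pkts bytes target prot opt in out source destination
    0     0 MARK all -- eth2 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x1'

# Constructed /proc/net/dev snapshot: eth1 is the interface actually receiving.
PROC_NET_DEV='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    4000      40    0    0    0     0          0         0     4000      40    0    0    0     0       0          0
  eth0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  eth1:   41507     185    0    0    0     0          0         0    12000      90    0    0    0     0       0          0
  eth2:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0'

# mark_rule_pkts IFACE < listing
# Prints the packet counter of the first MARK rule whose "in" column equals
# IFACE ("*" means any interface); prints -1 when no such rule exists.
mark_rule_pkts() {
  awk -v iface="$1" '
    /^Chain / || $1 == "pkts" { next }                 # skip the two header lines
    $3 == "MARK" && $6 == iface { print $1; found = 1; exit }
    END { if (!found) print -1 }'
}

# busiest_rx_iface < /proc/net/dev
# Prints the non-loopback interface with the most received packets, i.e. the
# device the traffic is really arriving on (fields: name, rx bytes, rx packets).
busiest_rx_iface() {
  awk -F'[: ]+' 'NR > 2 && $2 != "lo" && $4 + 0 > max + 0 { max = $4; best = $2 }
                 END { print best }'
}

# diagnose IFACE LISTING PROCDEV
# Exit status: 0 = the -i IFACE MARK rule is matching, 1 = rule present but it
# has never matched (reports where packets really enter), 2 = no such rule.
diagnose() {
  n=$(printf '%s\n' "$2" | mark_rule_pkts "$1")
  [ "$n" -ge 0 ] || { echo "no MARK rule for -i $1"; return 2; }
  [ "$n" -eq 0 ] || { echo "rule for -i $1 matched $n packets"; return 0; }
  echo "rule for -i $1 never matched; traffic arrives on $(printf '%s\n' "$3" | busiest_rx_iface)"
  return 1
}
```

On a live box, feed the real output instead: `diagnose eth2 "$(iptables -t mangle -nvL)" "$(cat /proc/net/dev)"`.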