firehol-mark man page

firehol-mark — mark traffic for traffic shaping tools


mark value chain rule-params


The mark helper command sets a mark on packets that can be matched by traffic shaping tools for controlling the traffic.


To set a mark on whole connections, see firehol-connmark(5). There is also a mark parameter which allows matching marks within individual rules (see firehol-params(5)).

The value is the mark value to set (a 32-bit integer).

The chain will be used to find traffic to mark. It can be any of the iptables(8) built-in chains belonging to the mangle table. The chain names are: INPUT, FORWARD, OUTPUT, PREROUTING and POSTROUTING. The names are case-sensitive.

The rule-params define a set of rule parameters to match the traffic that is to be marked within the chosen chain. See firehol-params(5) for more details.

Any mark commands will affect all traffic matched. They must be declared before the first router or interface.


If you want to do policy-based routing based on iptables(8) marks, you will need to disable Reverse Path Filtering on the interfaces involved (rp_filter in sysctl).
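
Before changing rp_filter it helps to know what the kernel is actually enforcing on each interface. The following is an added example, not part of FireHOL: it reports the effective rp_filter mode per interface, using the kernel's documented rule that the larger of conf/all/rp_filter and conf/<iface>/rp_filter applies. The function names and the optional directory argument (used to point the check at a constructed tree instead of /proc) are this example's own.

```shell
#!/bin/sh
# Added example (not FireHOL code): show the effective rp_filter mode for
# the interfaces that will carry mark-based policy-routed traffic.
# Kernel rule: effective value = max(conf/all, conf/<iface>).
#   0 = no source validation, 1 = strict, 2 = loose

# rp_filter_effective IFACE [CONF_DIR]
# Prints the effective value; returns 2 if the interface is unknown.
rp_filter_effective() {
    iface=$1
    conf=${2:-/proc/sys/net/ipv4/conf}
    [ -r "$conf/$iface/rp_filter" ] || return 2
    all=$(cat "$conf/all/rp_filter" 2>/dev/null || echo 0)
    own=$(cat "$conf/$iface/rp_filter")
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# rp_filter_report CONF_DIR IFACE...
# Prints one line per interface; returns 1 if any interface is missing
# or still in strict mode, so it can gate a deployment script.
rp_filter_report() {
    conf=$1; shift
    rc=0
    for i in "$@"; do
        v=$(rp_filter_effective "$i" "$conf") || {
            echo "$i: not found"; rc=1; continue
        }
        case $v in
            0) echo "$i: rp_filter=0 (off)" ;;
            1) echo "$i: rp_filter=1 (strict): policy-routed traffic can be dropped"
               rc=1 ;;
            2) echo "$i: rp_filter=2 (loose)" ;;
            *) echo "$i: rp_filter=$v (unexpected)"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage on a live system (interface names are placeholders):
#   rp_filter_report /proc/sys/net/ipv4/conf eth0 ppp0
```

Because the larger value wins, setting only the per-interface entry to 0 has no effect while conf/all/rp_filter is still 1.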


# mark with 1, packets sent by the local machine
mark 1 OUTPUT

# mark with 2, packets routed by the local machine
mark 2 FORWARD

# mark with 3, packets routed by the local machine, sent from
#     destined for port TCP/25 of
mark 3 FORWARD proto tcp dport 25 dst src

See Also

firehol(1) - FireHOL program
firehol.conf(5) - FireHOL configuration
firehol-params(5) - optional rule parameters
firehol-connmark(5) - set a stateful mark on a connection
iptables(8) (…) - administration tool for IPv4 firewalls
ip6tables(8) (…) - administration tool for IPv6 firewalls
ip(8) - show / manipulate routing, devices, policy routing and tunnels
FireHOL Website
FireHOL Online PDF Manual
FireHOL Online HTML Manual
Linux Advanced Routing & Traffic Control HOWTO


FireHOL Team.

Referenced By

firehol-conf(5), firehol-connmark(5), firehol-params(5).

Built 15 Feb 2015 FireHOL Reference 2.0.1