iptables - remove packet mark on certain packets

Question

I am using the following iptables script to redirect packets on port 443 to a proxy server:

iptables -t mangle -A PREROUTING -p tcp --dport 443 -j MARK --set-mark 2

I am redirecting it to my proxy server later on, which is working. For one host, however, I need to remove the iptables mark (i.e. the packets will not be redirected.) I tried the following:

iptables -t mangle -A PREROUTING -p tcp -s 192.168.0.47 --dport 443 -j ACCEPT

I have also tried (attempting to rewrite the mark to a different number):

iptables -t mangle -A PREROUTING -p tcp -s 192.168.0.47 --dport 443 -j MARK --set-mark 1

However none of them are working. Is there a --remove-mark? I couldn't find anything on Google.

Any help would be appreciated.

Answer 1

When using the MARK target, the mark is a added as a bitmask. If you check in the documentation, there's an optional [/mask] for the mark.

So use "--set-mark 0/2" to remove 2.