@Julie Pelletier's answer is 100% correct, but probably not very understandable to you.
First, as mentioned several times in the comments, the mark is not put into the ethernet packet on the wire. So if you ping server B from server A, server B will not ever be able to detect the mark. If you want to do anything, you'll have to use server A alone. So, you'll have to insert/append a rule to the OUTPUT chain of the sender to see anything.
Now, let's see how to use iptables. First, we want to see which rules are active in OUTPUT:
root@roran:~# iptables -L OUTPUT -n -v
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
root@roran:~#
Ok, no rules. Let's define a rule:
root@roran:~# iptables -I OUTPUT -m mark --mark 0xa -j ACCEPT
root@roran:~#
As you see, no output. But the kernel table has an entry now:
root@roran:~# iptables -L OUTPUT -n -v
Chain OUTPUT (policy ACCEPT 177 packets, 120K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0xa
root@roran:~#
The columns "pkts" and "bytes" are both 0, as no packets have gone out yet. Now, ping a different server, without setting a mark:
root@roran:~# ping -c 1 bermuda
PING bermuda (192.168.178.2) 56(84) bytes of data.
64 bytes from bermuda (192.168.178.2): icmp_seq=1 ttl=64 time=0.331 ms
[... some more lines omitted]
After that, the kernel table still hasn't matched anything:
root@roran:~# iptables -L OUTPUT -n -v
Chain OUTPUT (policy ACCEPT 348 packets, 160K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0xa
root@roran:~#
Next, try pinging with a mark set:
root@roran:~# ping -m 10 -c 1 bermuda
PING bermuda (192.168.178.2) 56(84) bytes of data.
64 bytes from bermuda (192.168.178.2): icmp_seq=1 ttl=64 time=0.324 ms
[... some more lines omitted]
and look at the table again:
root@roran:~# iptables -L OUTPUT -n -v
Chain OUTPUT (policy ACCEPT 631 packets, 319K bytes)
pkts bytes target prot opt in out source destination
1 84 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0xa
root@roran:~#
Now, the rule has found one packet, which had 84 bytes.
If you want to experiment, after this, do iptables -F OUTPUT to clear the table; iptables -I OUTPUT -m mark --mark 0x0a -j REJECT to prevent marked packets from going out of your machine, then ping the other machine with and without mark. You'll see the marked packets not getting a reply now, as the rule drops them.
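As an added check of the same idea (my own example, not code from the answer above): a small Python parser for the `iptables -L OUTPUT -n -v` listing that turns the pkts/bytes columns into numbers and computes how many packets the mark rule matched between two snapshots, using the two listings from the session above as embedded input. The regexes and the K/M/G counter scaling are my assumptions about the listing format, not something the answer states.

```python
import re
from collections import namedtuple

# Two `iptables -L OUTPUT -n -v` snapshots copied from the session above
# (before and after the marked ping).
BEFORE = """\
Chain OUTPUT (policy ACCEPT 348 packets, 160K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0xa
"""
AFTER = """\
Chain OUTPUT (policy ACCEPT 631 packets, 319K bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    84 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0xa
"""

# Rule rows start with two counters; -v abbreviates big ones as 160K/12M/1G.
_RULE = re.compile(r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(.*)$")
_MARK = re.compile(r"\bmark match (0x[0-9a-fA-F]+)")
_SCALE = {"K": 10**3, "M": 10**6, "G": 10**9}

# mark is the fwmark the rule matches on (int), or None if it has no mark match
Rule = namedtuple("Rule", "pkts bytes target mark")

def counter(field: str) -> int:
    """Expand an abbreviated iptables counter such as '160K' to an int."""
    return int(field[:-1]) * _SCALE[field[-1]] if field[-1] in _SCALE else int(field)

def parse_chain(listing: str) -> list:
    """Parse the rule rows of an `iptables -L <chain> -n -v` listing."""
    rules = []
    for line in listing.splitlines():
        m = _RULE.match(line)
        if not m:  # skips the 'Chain ...' and column-header rows
            continue
        pkts, nbytes, target, rest = m.groups()
        mark = _MARK.search(rest)
        rules.append(Rule(counter(pkts), counter(nbytes), target,
                          int(mark.group(1), 16) if mark else None))
    return rules

def marked_delta(before: str, after: str, mark: int) -> tuple:
    """(packets, bytes) that rules for `mark` matched between two snapshots.
    The mark never leaves the sender, so these OUTPUT counters are where it shows."""
    def totals(listing):
        hits = [r for r in parse_chain(listing) if r.mark == mark]
        return sum(r.pkts for r in hits), sum(r.bytes for r in hits)
    b, a = totals(before), totals(after)
    return a[0] - b[0], a[1] - b[1]
```

Feed it the listing taken before and after `ping -m 10`, and a delta of (1, 84) confirms the marked ICMP packet was seen by the rule on the sender; a delta of (0, 0) means the mark was never applied or the rule does not match it.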