Command-line utility to test fwmark in ip rule / ip route?

You can use the mark option in the 'ip route get' command. Also you can specify source-address and input and output intefaces in this command.

Examples:

ip route get 8.8.8.8 mark 0x20 - check the route of marked packets to 8.8.8.8 address.

ip route get 8.8.8.8 from 192.168.0.200 iif eth1 - check the route of forwarded packets from 192.168.0.200 host received through eth1 interface. In this case you should specify iif if the 'from' address isn't on this host (not local).

ip route get 8.8.8.8 from 192.168.0.100 iif eth1 mark 0x30 - like previous example, but with the mark specifying.

To test the path of packets through the netfilter rule set you can use the TRACE target and scapy to construct desired packets.


The technical name for the tooling you're looking for is a "packet crafter"

Specific product recommendations are off-topic for ServerFault but one such list with alternative tools to their own nping is maintained by the nmap project and can be found on http://SecTools.org/tag/packet-crafters/ and another is on Wikipedia.