* Marking and Mangling for QoS
From: COUSIN Marc @ 2002-11-25 10:24 UTC (permalink / raw)
  To: 'netfilter@lists.netfilter.org'

Hi,
I'm having trouble using mangling on NATed packets:

Here's what we're trying to do:
We're trying to build a system to test the behaviour of our web applications
with slow links. For that, we decided to use the Linux QoS, and SNAT+DNAT to
redirect the packets from the linux system to the webserver. The idea behind
this is that someone contacting the linux on the 8081 port will be
transparently redirected to the 8080 of the real web server, simulating a
56k modem. on the 8082 port, it could be a 128 link, etc ...

The system is a Redhat 7.3

To create this, I used:
- DNAT and SNAT rules to redirect the packets from my port to the web
server, and SNAT the packet (so that it is returned to me and i can shape it
too) [these are OK]
- a QoS script (simple, using fwmarks) [ok too]
- And I wanted to mangle the packets to put the marks on the NATed packets
[here comes the trouble]
I'll continue on the above example :

# For the NAT
iptables -t nat -A PREROUTING -p tcp --destination-port 8081:8090 -j DNAT --to-destination 89.131.0.7:8080
iptables -t nat -A POSTROUTING -p tcp --destination 89.131.0.7 -j SNAT --to-source 89.131.0.58
# For the marks
iptables -A PREROUTING -t mangle -p tcp --destination-port 8081 -j MARK --set-mark 10
iptables -A POSTROUTING -t mangle -p tcp --source-port 8081 -j MARK --set-mark 11   # Trying to match the return NATed packet


The --set-mark 10 rule works (no surprise, a very simple rule in fact);
the --set-mark 11 rule doesn't match. It may be normal, as I'm trying to match a
return packet on a NAT connection. How am I supposed to match the return
packet in such a situation?

Thanks for helping




* Re: Marking and Mangling for QoS
From: Unknown, Raymond Leach @ 2002-11-25 10:29 UTC (permalink / raw)
  To: 'netfilter@lists.netfilter.org'


On Mon, 2002-11-25 at 12:24, COUSIN Marc wrote:
> Hi,
> I'm having trouble using mangling on NATed packets:
> 
> Here's what we're trying to do:
> We're trying to build a system to test the behaviour of our web applications
> with slow links. For that, we decided to use the Linux QoS, and SNAT+DNAT to
> redirect the packets from the linux system to the webserver. The idea behind
> this is that someone contacting the linux on the 8081 port will be
> transparently redirected to the 8080 of the real web server, simulating a
> 56k modem. on the 8082 port, it could be a 128 link, etc ...
> 
> The system is a Redhat 7.3
> 
> To create this, I used:
> - DNAT and SNAT rules to redirect the packets from my port to the web
> server, and SNAT the packet (so that it is returned to me and i can shape it
> too) [these are OK]
> - a QoS script (simple, using fwmarks) [ok too]
> - And I wanted to mangle the packets to put the marks on the NATed packets
> [here comes the trouble]
> I'll continue on the above example :
> 
> # For the NAT
> iptables -t nat -A PREROUTING -p tcp --destination-port 8081:8090 -j DNAT
> --to-destination 89.131.0.7:8080
> iptables -t nat -A POSTROUTING -p tcp --destination 89.131.0.7 -j SNAT
> --to-source 89.131.0.58
> # For the marks
> iptables -A PREROUTING -t mangle -p tcp --destination-port 8081 -j MARK
> --set-mark 10 
> iptables -A POSTROUTING -t mangle -p tcp --source-port 8081 -j MARK
> --set-mark 11 # Trying to match the return NATed packet
> 
> 
> The --set-mark 10 works (no surprise, very simple rule in fact)
> the --set-mark 11 doesn't match. It may be normal, as I'm trying to match a
> return packet on a NAT connection. How am I supposed to match the return
> packet in such a situation ?
> 
The return packets (AFAIK) are part of the original PREROUTING rule, and
therefore will not be matched by the POSTROUTING rule which will be
matched by traffic originating from your webserver (and not RELATED to
another connection).

Hope this helps ...

Ray
> Thanks for helping
-- 


* router protection with iptables
From: Remus @ 2002-11-25 10:45 UTC (permalink / raw)
  To: netfilter

Hi folks,

I have a small router on a Linux box.
It has two NICs and I use it to route real IP addresses (basically I use it to
replace a CISCO router, it is cheaper :-) )
I have a command echo 1 > /proc/sys/net/ipv4/ip_forward and everything works
just fine.

I'm wondering about iptables rules which I can use to protect my router from
hackers.
I want all IP/UDP/ICMP packets to go through my router in both ways, just to
protect my router.
Behind the router I have Firewalls and they do a protection job for my www,
mail and local network.

What can you recommend for me?

Thank you

Remus





* Re: Marking and Mangling for QoS
From: Joel Newkirk @ 2002-11-25 13:50 UTC (permalink / raw)
  To: COUSIN Marc, 'netfilter@lists.netfilter.org'

On Monday 25 November 2002 05:24 am, COUSIN Marc wrote:
> Hi,
> I'm having trouble using mangling on NATed packets:

> # For the NAT
> iptables -t nat -A PREROUTING -p tcp --destination-port 8081:8090 -j DNAT
> --to-destination 89.131.0.7:8080
> iptables -t nat -A POSTROUTING -p tcp --destination 89.131.0.7 -j SNAT
> --to-source 89.131.0.58
> # For the marks
> iptables -A PREROUTING -t mangle -p tcp --destination-port 8081 -j MARK
> --set-mark 10
> iptables -A POSTROUTING -t mangle -p tcp --source-port 8081 -j MARK
> --set-mark 11 # Trying to match the return NATed packet
>
>
> The --set-mark 10 works (no surprise, very simple rule in fact)
> the --set-mark 11 doesn't match. It may be normal, as I'm trying to match a
> return packet on a NAT connection. How am I supposed to match the return
> packet in such a situation ?

Try putting it in PREROUTING instead of POSTROUTING.  PREROUTING is for 
packets as they enter the firewall, regardless of the direction they are 
travelling.  POSTROUTING is just before it leaves the firewall.  

j
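An added example (not code from any post in this thread) of marking both directions of the NATed flow Marc describes, following Joel's point about where each hook sits: mangle PREROUTING sees the client's packet before the nat table rewrites it, while the web server's reply reaches mangle POSTROUTING before its source port is translated back (mangle runs before nat in that hook), so a rule matching source port 8081 there never fires. Instead the mark is stored in the connection with CONNMARK on the first packet and restored on every later packet of the flow, whichever direction it travels. Assumptions: an iptables build with the CONNMARK target and the conntrack match (not in a stock Red Hat 7.3 kernel of that era), the addresses, ports and mark 10 from Marc's post, and a constructed second link on port 8082 with mark 20.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes iptables with the CONNMARK
# target and the conntrack match. Addresses, ports and mark 10 are from the
# original post; the 8082 / mark 20 pair is constructed for the example.
IPT="${IPT:-iptables}"   # set IPT="echo iptables" to print the rules instead of loading them

WEBSERVER=89.131.0.7
WEBPORT=8080
SNAT_IP=89.131.0.58

# Emit one rule through $IPT (left unquoted on purpose so "echo iptables" splits).
rule() { $IPT "$@"; }

# One simulated link: listening port -> fwmark. The client's first packet is
# marked in mangle PREROUTING, where the destination port is still the
# listening port (nat PREROUTING runs after mangle PREROUTING), and the mark
# is copied into the conntrack entry for the rest of the connection.
shape_port() {
    port="$1"; mark="$2"
    rule -t nat -A PREROUTING -p tcp --dport "$port" -j DNAT --to-destination "$WEBSERVER:$WEBPORT"
    rule -t mangle -A PREROUTING -p tcp --dport "$port" -m conntrack --ctstate NEW -j MARK --set-mark "$mark"
    rule -t mangle -A PREROUTING -p tcp --dport "$port" -m conntrack --ctstate NEW -j CONNMARK --save-mark
}

build_rules() {
    rule -t nat -A POSTROUTING -p tcp -d "$WEBSERVER" -j SNAT --to-source "$SNAT_IP"
    # Replies from the web server are matched by connection, not by port: in
    # the mangle table they still carry source port 8080, because the reverse
    # translation happens later in the nat hook. Restoring the saved mark tags
    # every non-initial packet of the flow, in either direction.
    rule -t mangle -A PREROUTING -m conntrack ! --ctstate NEW -j CONNMARK --restore-mark
    shape_port 8081 10
    shape_port 8082 20
}

if [ "${1:-}" = "apply" ]; then
    build_rules
fi
```

Run it as `IPT="echo iptables" sh shape.sh apply` to review the rule set before loading it. Because the qdisc on each interface classifies on the fwmark independently, one mark per link (10, 20) serves both directions; the separate 11 of the original scheme is not needed.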





* Re: router protection with iptables
From: Joel Newkirk @ 2002-11-26  8:04 UTC (permalink / raw)
  To: Remus, netfilter

On Monday 25 November 2002 05:45 am, Remus wrote:
> Hi folks,
>
> I have a small router on a Linux box.
> It has two NICs and I use it to route real IP addresses (basically I use it
> to replace a CISCO router, it is cheaper :-) )
> I have a command echo 1 > /proc/sys/net/ipv4/ip_forward and everything
> works just fine.
>
> I'm wondering about iptables rules which I can use to protect my router
> from hackers.
> I want all IP/UDP/ICMP packets to go through my router in both ways, just
> to protect my router.
> Behind the router I have Firewalls and they do a protection job for my www,
> mail and local network.
>
> What can you recommend for me?

/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP

Is a damned good start.  If nothing gets in, and nothing gets out, it's almost 
not there.  As long as ip_forward is enabled, and you have rules in the 
FORWARD chain to allow desired traffic to be forwarded, you're set.  You will 
only be able to access the firewall machine itself locally.  If you really 
want/need remote admin ability, add ACCEPT rules to INPUT chain for the 
connections you want to allow, being as specific as possible (i.e., only allow
very limited protocol/port access from the local network, or specific select
IPs, etc), but if you can deal with local logon only then just DROP
everything at INPUT and be done.

As an example, my config allows webmin access (on a non-standard port) and a 
few others, but ONLY from certain specified IPs; all others are silently
DROPped.  And all accesses, whether dropped or accepted, are logged.  As 
further security, only localhost or one local IP are normally granted access 
(still requiring authentication), the others are invoked/revoked manually 
(locally) when I anticipate needing them, by passing parameters to my 
firewall script.  (currently recognizing 17 commands)  If I desperately need 
remote access when away and haven't anticipated it, I'm screwed, but I accept 
that.

I'd recommend -P FORWARD DROP as well, then ACCEPT rules for the traffic you
actually want it to forward.  As long as they're configured properly, an 
extra firewall never hurts...

j
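An added example (not Joel's own firewall script) of the layout he recommends for Remus's router: DROP policies on INPUT, OUTPUT and FORWARD, ACCEPT rules only for transit traffic between the two NICs and for one narrowly scoped admin connection, and logging of both the accepted admin sessions and what gets dropped. Interface names, the admin host 192.0.2.10 and admin port 22 are placeholders chosen for the example. The lockout Joel describes is real: a router with OUTPUT DROP cannot start connections of its own, so keep console access and review the output of `IPT="echo iptables"` before loading the rules.

```shell
#!/bin/sh
# Added example, not Joel's script. Interface names, admin host and admin
# port are placeholders chosen for the example (192.0.2.10 is TEST-NET-1).
IPT="${IPT:-iptables}"        # IPT="echo iptables" prints the rules instead of loading them
WAN_IF="${WAN_IF:-eth0}"      # assumption: NIC towards the upstream
LAN_IF="${LAN_IF:-eth1}"      # assumption: NIC towards the firewalls and servers
ADMIN_HOST="${ADMIN_HOST:-192.0.2.10}"
ADMIN_PORT="${ADMIN_PORT:-22}"

# Emit one rule through $IPT (left unquoted on purpose so "echo iptables" splits).
rule() { $IPT "$@"; }

# Default policies first: with these alone the router forwards nothing and
# answers nothing, the "almost not there" state described above.
policies() {
    rule -F
    rule -X
    rule -P INPUT DROP
    rule -P OUTPUT DROP
    rule -P FORWARD DROP
}

# Traffic to and from the router itself: loopback, replies to connections the
# router started, and exactly one admin path, logged when it is opened.
# Everything else aimed at the router is logged (rate limited) and then falls
# through to the INPUT DROP policy.
self_rules() {
    rule -A INPUT -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -i "$LAN_IF" -s "$ADMIN_HOST" -p tcp --dport "$ADMIN_PORT" -m conntrack --ctstate NEW -j LOG --log-prefix "admin-new: "
    rule -A INPUT -i "$LAN_IF" -s "$ADMIN_HOST" -p tcp --dport "$ADMIN_PORT" -m conntrack --ctstate NEW -j ACCEPT
    rule -A INPUT -m limit --limit 5/min -j LOG --log-prefix "input-drop: "
}

# Transit traffic: pass-through between the two NICs only, since the firewalls
# behind the router do the filtering; anything arriving on or leaving by any
# other interface pair is logged and falls to the FORWARD DROP policy.
forward_rules() {
    rule -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -j ACCEPT
    rule -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    rule -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "forward-drop: "
}

build_router() {
    policies
    self_rules
    forward_rules
}

if [ "${1:-}" = "apply" ]; then
    build_router
fi
```

The LOG target does not terminate rule traversal, so a packet that reaches the final LOG rule in a chain is recorded and then hits the chain's DROP policy; the admin path gets a LOG rule immediately before its ACCEPT so that accepted sessions are recorded too.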



