From: Eric Leblond <eric@inl.fr>
To: Abraham van der Merwe <abz@frogfoot.net>
Cc: netfilter@lists.netfilter.org
Subject: Re: how to match connection tracker's flows?
Date: Thu, 04 Nov 2004 10:26:28 +0100	[thread overview]
Message-ID: <1099560388.4320.6.camel@porky> (raw)
In-Reply-To: <20041104084658.GA14605@oasis.frogfoot.net>

On Thu, 2004-11-04 at 10:46 +0200, Abraham van der Merwe wrote:
> Hi Eric
> 
> Ok, sorry I didn't paste the real commands. It is actually:
> 
> # rules to send all traffic to user-defined chain
> iptables -t mangle -N TRACK
> iptables -t mangle -A POSTROUTING -j TRACK
> 
> # a rule to see how much ftp traffic is matched
> iptables -t mangle -A POSTROUTING -m mark --mark 2
> 
> # rules to track ftp
> iptables -t mangle -A TRACK -p tcp -j CONNMARK --restore-mark
> iptables -t mangle -A TRACK -p tcp -m mark ! --mark 0 -j RETURN
> iptables -t mangle -A TRACK -p tcp --dport 21 -j MARK --set-mark 2
> iptables -t mangle -A TRACK -j CONNMARK --save-mark
> 
> In other words, it returns from a user-defined chain and the mark is in the
> top level chain and will always be matched.

ok

> With above, it doesn't match all the ftp traffic. It definitely matches
> some, but I think it is just the port 21 traffic, not the port 20 (ftp-data)
> stuff which should be picked up by the connection tracking.

I just slightly modified my configuration to check whether traffic to port 20
was matched. This is the case. Here's my configuration:

# We restore mark at entry
iptables -A PREROUTING -t mangle -m mark --mark 0x0 -j CONNMARK --restore-mark
# We mark new connection
# FORWARD traffic
iptables -A FORWARD -t mangle -m mark --mark 0x0 -p tcp -m state --state NEW -m multiport --dport 6346,4662,4661 -j MARK --set-mark 5
iptables -A FORWARD -t mangle -m mark --mark 0x0 -p tcp -m state --state NEW -m multiport --dport 80 -j MARK --set-mark 4
iptables -A FORWARD -t mangle -m mark --mark 0x0  -p tcp -m state --state NEW -m multiport --dport 21 -j MARK --set-mark 3
iptables -A FORWARD -t mangle -m mark --mark 0x0  -p tcp  -m multiport --dport 20
iptables -A FORWARD -t mangle -m mark --mark 0x3  -p tcp  -m multiport --dport 20
...
SIMILAR line in OUTPUT INPUT
...
# We save the mark
iptables -A POSTROUTING -t mangle -m mark ! --mark 0x0  -j CONNMARK --save-mark
I looked at the stats with "iptables -L -t mangle -nv" after a little bit of
ftp in passive mode:

Chain FORWARD (policy ACCEPT 21M packets, 13G bytes)
 pkts bytes target     prot opt in     out     source               destination         
   53  2960 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x0 state NEW multiport dports 6346,4662,4661 MARK set 0x5 
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x0 state NEW multiport dports 80 MARK set 0x4 
    1    60 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x0 state NEW multiport dports 21 MARK set 0x3 
    0     0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x0 multiport dports 20 
    3   164            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x3 multiport dports 20 

So passive ftp on port 20 has the mark that was given on port 21.

About my system:
kernel 2.6.8
lsmod extract:
ip_nat_ftp              4080  0 
iptable_nat            19884  2 ip_nat_ftp
ip_tables              15488  10 ipt_MARK,ipt_mark,iptable_mangle,ipt_multiport,ipt_state,ipt_REJECT,ipt_ULOG,iptable_filter,ipt_CONNMARK,iptable_nat
ip_conntrack_ftp       71088  1 ip_nat_ftp
ip_conntrack           28296  5 ipt_state,ipt_CONNMARK,ip_nat_ftp,iptable_nat,ip_conntrack_ftp

BR,
-- 
Eric Leblond <eric@regit.org>
NuFW, Now User Filtering Works : http://www.nufw.org
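As an added illustration (not code from this thread), here is a small Python model of the restore-mark / MARK / save-mark pipeline in Eric's ruleset, driven by one ftp control connection and its data connection. The only kernel behaviour it assumes is the one the counters above show: the ftp-data connection that ip_conntrack_ftp expects as RELATED starts with the control connection's connmark, so its packets already carry 0x3 when they reach FORWARD.

```python
from dataclasses import dataclass

@dataclass
class Conn:
    """One conntrack entry: its connmark, and whether a packet was seen yet."""
    connmark: int = 0
    seen: bool = False          # first packet of a connection has state NEW

@dataclass
class Pkt:
    conn: Conn
    dport: int
    mark: int = 0               # skb->mark, zero when the packet enters

def related(master: Conn) -> Conn:
    """Connection expected by ip_conntrack_ftp (RELATED to the control one).
    Assumption, supported by the counters in the mail: it starts with its
    master's connmark rather than 0."""
    return Conn(connmark=master.connmark)

def mangle(p: Pkt, counters: dict) -> None:
    """Walk one packet through the ftp-relevant rules of Eric's ruleset."""
    # PREROUTING: -m mark --mark 0x0 -j CONNMARK --restore-mark
    if p.mark == 0:
        p.mark = p.conn.connmark
    # FORWARD: -m mark --mark 0x0 -m state --state NEW --dport 21 -j MARK --set-mark 3
    if p.mark == 0 and not p.conn.seen and p.dport == 21:
        p.mark = 3
        counters["new21_set3"] += 1
    # FORWARD: the two counting rules for dport 20 (mark 0x0 and mark 0x3)
    if p.mark == 0 and p.dport == 20:
        counters["mark0_dport20"] += 1
    if p.mark == 3 and p.dport == 20:
        counters["mark3_dport20"] += 1
    # POSTROUTING: -m mark ! --mark 0x0 -j CONNMARK --save-mark
    if p.mark != 0:
        p.conn.connmark = p.mark
    p.conn.seen = True

def run_ftp_session() -> dict:
    """Control connection SYN to port 21, then three ftp-data packets."""
    counters = {"new21_set3": 0, "mark0_dport20": 0, "mark3_dport20": 0}
    ctrl = Conn()
    mangle(Pkt(ctrl, 21), counters)      # NEW packet on port 21: marked 3, saved
    data = related(ctrl)                 # data connection expected by the helper
    for _ in range(3):
        mangle(Pkt(data, 20), counters)  # restored mark is already 3 in FORWARD
    return counters   # -> {'new21_set3': 1, 'mark0_dport20': 0, 'mark3_dport20': 3}
```

The returned counters reproduce the three ftp rows of the listing above: one NEW packet marked on port 21, none on port 20 with mark 0x0, and three on port 20 with mark 0x3.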

