how to match connection tracker's flows?

how to match connection tracker's flows?

[Abraham van der Merwe]

Hi!

If I add

# rules to track ftp
iptables -t mangle -A POSTROUTING -p tcp -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -p tcp -m mark ! --mark 0 -j RETURN
iptables -t mangle -A POSTROUTING -p tcp --dport 21 -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

# a rule to see how much ftp traffic is matched
iptables -t mangle -A POSTROUTING -m mark --mark 2

Now if I ftp some data I can see that all of the traffic is not matched by
looking at the byte counter of the rule above.

What am I doing wrong? I am pretty sure the ftp-data connection is not being
tracked, but surely the conntrack_ftp module should do all the hard work for
me?

-- 

Regards
 Abraham

TODAY the Pond!
TOMORROW the World!
                -- Frogs (1972)

___________________________________________________
 Abraham vd Merwe - Frogfoot Networks CC
 1st Floor, Albion Springs, 183 Main Road, Newlands
 Phone: +27 21 689 3876 Cell: +27 82 565 4451
 Http: http://www.frogfoot.net/ Email: abz@frogfoot.net

Re: how to match connection tracker's flows?

[Jason Opperisano]

On Wed, Nov 03, 2004 at 08:17:18PM +0200, Abraham van der Merwe wrote:
> Hi!
> 
> If I add
> 
> # rules to track ftp
> iptables -t mangle -A POSTROUTING -p tcp -j CONNMARK --restore-mark
> iptables -t mangle -A POSTROUTING -p tcp -m mark ! --mark 0 -j RETURN
> iptables -t mangle -A POSTROUTING -p tcp --dport 21 -j MARK --set-mark 2
> iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
> 
> # a rule to see how much ftp traffic is matched
> iptables -t mangle -A POSTROUTING -m mark --mark 2
> 
> Now if I ftp some data I can see that all of the traffic is not matched by
> looking at the byte counter of the rule above.
> 
> What am I doing wrong? I am pretty sure the ftp-data connection is not being
> tracked, but surely the conntrack_ftp module should do all the hard work for
> me?

try using helper to match FTP traffic:

  iptables -t mangle -A POSTROUTING -m helper --helper ftp

-j

--
"Dear Mr. President, there are too many states nowadays, please
 eliminate three. I am not a crackpot."
        --The Simpsons

Re: how to match connection tracker's flows?

[Eric Leblond]

On Wed, 2004-11-03 at 20:17 +0200, Abraham van der Merwe wrote:
> Hi!
> 
> If I add
> 
> # rules to track ftp
> iptables -t mangle -A POSTROUTING -p tcp -j CONNMARK --restore-mark
> iptables -t mangle -A POSTROUTING -p tcp -m mark ! --mark 0 -j RETURN

If packet are marked they return so leave mangle, so if CONNMARK works
leave mangle.

> # a rule to see how much ftp traffic is matched
> iptables -t mangle -A POSTROUTING -m mark --mark 2

This line is never reached if CONNMARK works.

BR,
-- 
Eric Leblond <regit@inl.fr>

Re: how to match connection tracker's flows?

[Eric Leblond]

[-- Attachment #1: Type: text/plain, Size: 602 bytes --]

On Wed, 2004-11-03 at 20:17 +0200, Abraham van der Merwe wrote:
> Hi!
> 
> If I add
> 
> # rules to track ftp
> iptables -t mangle -A POSTROUTING -p tcp -j CONNMARK --restore-mark
> iptables -t mangle -A POSTROUTING -p tcp -m mark ! --mark 0 -j RETURN

If packet are marked they return so leave mangle, so if CONNMARK works
leave mangle.

> # a rule to see how much ftp traffic is matched
> iptables -t mangle -A POSTROUTING -m mark --mark 2

This line is never reached if CONNMARK works.

BR,
-- 
Eric Leblond <eric@regit.org>
NuFW, Now User Filtering Works : http://www.nufw.org

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: how to match connection tracker's flows?

[Abraham van der Merwe]

Hi Eric                                          >@2004.11.03_21:07:48_+0200

> > If I add
> > 
> > # rules to track ftp
> > iptables -t mangle -A POSTROUTING -p tcp -j CONNMARK --restore-mark
> > iptables -t mangle -A POSTROUTING -p tcp -m mark ! --mark 0 -j RETURN
> 
> If packet are marked they return so leave mangle, so if CONNMARK works
> leave mangle.
> 
> > # a rule to see how much ftp traffic is matched
> > iptables -t mangle -A POSTROUTING -m mark --mark 2
> 
> This line is never reached if CONNMARK works.

Ok, sorry I didn't paste the real commands. It is actually:

# rules to send all traffic to user-defined chain
iptables -t mangle -N TRACK
iptables -t mangle -A POSTROUTING -j TRACK

# a rule to see how much ftp traffic is matched
iptables -t mangle -A POSTROUTING -m mark --mark 2

# rules to track ftp
iptables -t mangle -A TRACK -p tcp -j CONNMARK --restore-mark
iptables -t mangle -A TRACK -p tcp -m mark ! --mark 0 -j RETURN
iptables -t mangle -A TRACK -p tcp --dport 21 -j MARK --set-mark 2
iptables -t mangle -A TRACK -j CONNMARK --save-mark

In other words, it returns from a user-defined chain and the mark is in the
top level chain and will always be matched.

With above, it doesn't match all the ftp traffic. It definitely matches
some, but I think it is just the port 21 traffic, not the port 20 (ftp-data)
stuff which should be picked up by the connection tracking.

I also tried a derivative of above scheme which doesn't work properly either:

iptables -t mangle -A POSTROUTING -p tcp --dport 21 \
	-m state --state NEW,ESTABLISHED,RELATED -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -m mark --mark 2

Above rule have pretty much the same effect.

-- 

Regards
 Abraham

TODAY the Pond!
TOMORROW the World!
                -- Frogs (1972)

___________________________________________________
 Abraham vd Merwe - Frogfoot Networks CC
 1st Floor, Albion Springs, 183 Main Road, Newlands
 Phone: +27 21 689 3876 Cell: +27 82 565 4451
 Http: http://www.frogfoot.net/ Email: abz@frogfoot.net

Re: how to match connection tracker's flows?

[Eric Leblond]

[-- Attachment #1: Type: text/plain, Size: 3613 bytes --]

On Thu, 2004-11-04 at 10:46 +0200, Abraham van der Merwe wrote:
> Hi Eric                                          >@2004.11.03_21:07:48_+0200
> 

> Ok, sorry I didn't paste the real commands. It is actually:
> 
> # rules to send all traffic to user-defined chain
> iptables -t mangle -N TRACK
> iptables -t mangle -A POSTROUTING -j TRACK
> 
> # a rule to see how much ftp traffic is matched
> iptables -t mangle -A POSTROUTING -m mark --mark 2
> 
> # rules to track ftp
> iptables -t mangle -A TRACK -p tcp -j CONNMARK --restore-mark
> iptables -t mangle -A TRACK -p tcp -m mark ! --mark 0 -j RETURN
> iptables -t mangle -A TRACK -p tcp --dport 21 -j MARK --set-mark 2
> iptables -t mangle -A TRACK -j CONNMARK --save-mark
> 
> In other words, it returns from a user-defined chain and the mark is in the
> top level chain and will always be matched.

ok

> With above, it doesn't match all the ftp traffic. It definitely matches
> some, but I think it is just the port 21 traffic, not the port 20 (ftp-data)
> stuff which should be picked up by the connection tracking.

I just slightly modify my configuration to check if traffic to port 20
was matched. This is the case. Here's my configuration :

# We restore mark at entry
iptables -A PREROUTING -t mangle -m mark --mark 0x0 -j CONNMARK --restore-mark
# We mark new connection
# FORWARD traffic
iptables -A FORWARD -t mangle -m mark --mark 0x0 -p tcp -m state --state NEW -m multiport --dport 6346,4662,4661 -j MARK --set-mark 5
iptables -A FORWARD -t mangle -m mark --mark 0x0 -p tcp -m state --state NEW -m multiport --dport 80 -j MARK --set-mark 4
iptables -A FORWARD -t mangle -m mark --mark 0x0  -p tcp -m state --state NEW -m multiport --dport 21 -j MARK --set-mark 3
iptables -A FORWARD -t mangle -m mark --mark 0x0  -p tcp  -m multiport --dport 20
iptables -A FORWARD -t mangle -m mark --mark 0x3  -p tcp  -m multiport --dport 20
...
SIMILAR line in OUTPUT INPUT
...
# We save the mark
iptables -A POSTROUTING -t mangle -m mark ! --mark 0x0  -j CONNMARK --save-mark


I look at stats with "iptables -L -t mangle -nv" after a little bit of
ftp in passive mode :

Chain FORWARD (policy ACCEPT 21M packets, 13G bytes)
 pkts bytes target     prot opt in     out     source               destination         
   53  2960 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x0 state NEW multiport dports 6346,4662,4661 MARK set 0x5 
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x0 state NEW multiport dports 80 MARK set 0x4 
    1    60 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x0 state NEW multiport dports 21 MARK set 0x3 
    0     0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x0 multiport dports 20 
    3   164            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x3 multiport dports 20 

So passive ftp on port 20 has the mark that was given on port 21.

About my system :
kernel 2.6.8 
lsmod extract :
ip_nat_ftp              4080  0 
iptable_nat            19884  2 ip_nat_ftp
ip_tables              15488  10 ipt_MARK,ipt_mark,iptable_mangle,ipt_multiport,ipt_state,ipt_REJECT,ipt_ULOG,iptable_filter,ipt_CONNMARK,iptable_nat
ip_conntrack_ftp       71088  1 ip_nat_ftp
ip_conntrack           28296  5 ipt_state,ipt_CONNMARK,ip_nat_ftp,iptable_nat,ip_conntrack_ftp

BR,
-- 
Eric Leblond <eric@regit.org>
NuFW, Now User Filtering Works : http://www.nufw.org

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]