* Question about nfmark
From: Abhinav Gupta @ 2003-06-04 18:01 UTC (permalink / raw)
To: netfilter
Hi,
I am a newbie to netfilter. While going through some code, I saw a
comment that nfmark can be used for communicating between the different
hooks. Could someone please explain to me how this can be done?
Thanks in advance.
Abhinav.
* Re: Question about nfmark
From: Cedric Blancher @ 2003-06-04 19:53 UTC (permalink / raw)
To: gupta; +Cc: netfilter
On Wed 04/06/2003 at 20:01, Abhinav Gupta wrote:
> I am a newbie to netfilter. While going through some code, I saw a
> comment that nfmark can be used for communicating between the different
> hooks. Could someone please explain to me how this can be done?
Netfilter gives you the ability to mark packets using the mangle table MARK
target (the mangle table is attached to every hook in the stack). This mark,
commonly called nfmark (Netfilter mark), is a field within the data
structure that contains the packet (skb). This means that once a packet is
marked, the mark is carried for the whole life of the packet within the system.
Now, you have a mark match that allows you to read the nfmark field. This
means that in one given hook, you can extract information from another hook
through nfmark.
An example... Suppose you implement DNAT. This sits in PREROUTING chain.
iptables -t nat -A PREROUTING -d $PUB_IP -j DNAT --to $PRIV_IP
How can I filter packets destined to $PUB_IP from those which were
destined to $PRIV_IP, as they appear the same way in the FORWARD chain?
Use mark.
iptables -t mangle -A PREROUTING -d $PRIV_IP -j MARK --set-mark 0x01
Then, in filter table, I do this :
iptables -A FORWARD -m mark --mark 0x01 -j DROP
As I don't want people to access my private IP directly. Doing this, you get in
the FORWARD chain information that would not be available otherwise.
Besides this, nfmark is more powerful than this as it allows Netfilter
to communicate with routing and QoS processes. This means you can take
routing or QoS decisions based on nfmark. Transparent proxying can be
done using nfmark (see http://lartc.org/), as well as QoS. This allows
you to use all Netfilter packet matching capabilities for routing and
shaping.
--
Cédric Blancher <blancher@cartel-securite.fr>
IT systems and networks security - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
* Re: Question about nfmark
From: Martin Josefsson @ 2003-06-04 22:23 UTC (permalink / raw)
To: Cedric Blancher; +Cc: gupta, Netfilter
On Wed, 2003-06-04 at 21:53, Cedric Blancher wrote:
> An example... Suppose you implement DNAT. This sits in PREROUTING chain.
>
> iptables -t nat -A PREROUTING -d $PUB_IP -j DNAT --to $PRIV_IP
>
> How can I filter packets destined to $PUB_IP from those which were
> destined to $PRIV_IP, as they appear the same way in the FORWARD chain?
> Use mark.
>
> iptables -t mangle -A PREROUTING -d $PRIV_IP -j MARK --set-mark 0x01
>
> Then, in filter table, I do this :
>
> iptables -A FORWARD -m mark --mark 0x01 -j DROP
>
> As I don't want people to access my private IP directly. Doing this, you get in
> the FORWARD chain information that would not be available otherwise.
There are other ways.
iptables -A FORWARD -d $PRIV_IP -m conntrack ! --ctorigdst $PUB_IP -j DROP
--
/Martin
* RE: Question about nfmark
From: Leon Stankowski @ 2003-06-05 1:17 UTC (permalink / raw)
To: netfilter
In a chain you can use the target "MARK" and assign it an ID. Example:
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 25
Later in any chain you can use the "mark" match item to look for these
marked packets / streams. Example:
iptables -t nat -A POSTROUTING -m mark --mark 25 -j SNAT --to-source 10.0.0.1
Have fun,
Leon
* Port forwarding
From: Dhyanesh Ramaiya @ 2003-06-05 9:48 UTC (permalink / raw)
To: netfilter
Dear all,
I have a Linux router (Redhat 9.0) with iptables 1.2.7a-2. I have set up port
forwarding rules as below to allow SMTP and POP3 to a machine on the
internal network.
iptables -t nat -A PREROUTING -j DNAT -p tcp -d <public_ip> --dport 110 --to <private_ip>:110
iptables -t nat -A PREROUTING -j DNAT -p tcp -d <public_ip> --dport 25 --to <private_ip>:25
What happens is that when I try to telnet to port 25 or 110 from the router
itself, it doesn't connect and gives the error "Connection refused".
However, from any other machine on the network it connects. Thinking that
some firewall rules might be blocking the connection, I set the default policy of
all chains to accept.
Dhyanesh Ramaiya
dhyanesh@intafrica.com
* Re: Port forwarding
From: Philip Craig @ 2003-06-06 8:15 UTC (permalink / raw)
To: Dhyanesh Ramaiya; +Cc: netfilter
Dhyanesh Ramaiya wrote:
> iptables -t nat -A PREROUTING -j DNAT -p tcp -d <public_ip> --dport 110 --to <private_ip>:110
> iptables -t nat -A PREROUTING -j DNAT -p tcp -d <public_ip> --dport 25 --to <private_ip>:25
>
> What happens is that when I try to telnet to port 25 or 110 from the router
> itself, it doesn't connect and gives the error "Connection refused".
> However, from any other machine on the network it connects. Thinking that
> some firewall rules might be blocking the connection, I set the default policy of
> all chains to accept.
Packets from the router itself do not go through the PREROUTING
chain, so they aren't being NATed. You'll need to add similar
NAT rules in the OUTPUT chain.
--
Philip Craig - philipc@snapgear.com - http://www.SnapGear.com
SnapGear - Custom Embedded Solutions and Security Appliances
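The three answers in this thread combined into one ruleset, as an added example that is not from any of the posts: the DNAT rules placed in both PREROUTING and OUTPUT (Philip's fix for connections originating on the router itself), Cedric's nfmark restriction, and Martin's conntrack alternative. The addresses and the dry-run `IPT` variable are assumptions; by default the script only prints the commands, and `IPT=iptables` applies them.

```shell
#!/bin/sh
# Added example, not code from the list posts. IPT defaults to a dry run that
# only prints each iptables command; set IPT=iptables to apply the rules.
IPT="${IPT:-echo iptables}"
PUB_IP="${PUB_IP:-203.0.113.10}"     # constructed placeholder (TEST-NET-3)
PRIV_IP="${PRIV_IP:-192.168.1.10}"   # constructed placeholder

# 1. DNAT the public address to the internal host for SMTP and POP3.
#    PREROUTING only sees packets arriving from the network; packets generated
#    on the router itself traverse the OUTPUT hook instead, so the same rule
#    is needed there (Philip's answer).
dnat_rules() {
    for port in 25 110; do
        $IPT -t nat -A PREROUTING -p tcp -d "$PUB_IP" --dport "$port" \
            -j DNAT --to-destination "$PRIV_IP:$port"
        $IPT -t nat -A OUTPUT -p tcp -d "$PUB_IP" --dport "$port" \
            -j DNAT --to-destination "$PRIV_IP:$port"
    done
}

# 2. Cedric's approach: after DNAT, packets sent to $PUB_IP and packets sent
#    straight to $PRIV_IP both reach FORWARD with dst=$PRIV_IP. The mangle
#    PREROUTING hook runs before nat PREROUTING, so marking there records the
#    original destination in the skb, and filter FORWARD can match on it.
mark_rules() {
    $IPT -t mangle -A PREROUTING -d "$PRIV_IP" -j MARK --set-mark 0x01
    $IPT -A FORWARD -m mark --mark 0x01 -j DROP
}

# 3. Martin's alternative: conntrack already remembers the original
#    destination, so drop traffic to $PRIV_IP whose original destination was
#    not the public address, with no mark involved.
conntrack_rules() {
    $IPT -A FORWARD -d "$PRIV_IP" -m conntrack ! --ctorigdst "$PUB_IP" -j DROP
}

# Emit (or apply) everything. The mark and conntrack variants are
# alternatives; keep whichever fits the rest of your policy.
all_rules() {
    dnat_rules
    mark_rules
    conntrack_rules
}

all_rules
```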
* RE: Port forwarding
From: Dhyanesh Ramaiya @ 2003-06-06 10:23 UTC (permalink / raw)
To: netfilter
Thank you all for your responses. I had in mind to update the /etc/hosts
file (as was suggested by George), but didn't want to do it straight away
without knowing the reasons. Will try to put the NAT rules in the output
chain to solve this problem.
Dhyanesh Ramaiya