All of lore.kernel.org
* MARK and ! question
@ 2003-06-26 13:28 Ruslan Spivak
  2003-06-26 14:51 ` Sven Schuster
  0 siblings, 1 reply; 8+ messages in thread
From: Ruslan Spivak @ 2003-06-26 13:28 UTC (permalink / raw)
  To: netfilter

Hello.

I need to mark with value 107 packets that are going NOT from the 
193.220.70.0/27 network and NOT from the 193.108.240.0/22 network.
Is it possible?

The two lines below seem not to work properly because the second rule won't be 
reached.

iptables -t mangle -A POSTROUTING -s ! 193.220.70.0/27 -d 193.220.70.32/27 -j MARK --set-mark 107

iptables -t mangle -A POSTROUTING -s ! 193.108.240.0/22 -d 193.220.70.32/27 -j MARK --set-mark 107

Your help is very, very appreciated.

Best regards,
Ruslan




* Re: MARK and ! question
  2003-06-26 13:28 MARK and ! question Ruslan Spivak
@ 2003-06-26 14:51 ` Sven Schuster
  2003-06-26 15:11   ` Ruslan Spivak
  0 siblings, 1 reply; 8+ messages in thread
From: Sven Schuster @ 2003-06-26 14:51 UTC (permalink / raw)
  To: Ruslan Spivak; +Cc: netfilter


What about using a user-defined chain like this:

iptables -t mangle -N setmark
iptables -t mangle -A setmark -s ! 193.220.70.0/27 -d 193.220.70.32/27 \
         -j RETURN
iptables -t mangle -A setmark -s ! 193.108.240.0/22 -d 193.220.70.32/27 \
         -j RETURN
iptables -t mangle -A setmark -j MARK --set-mark 107
iptables -t mangle -A POSTROUTING -j setmark

Hope this helps

Sven






* Re: MARK and ! question
  2003-06-26 14:51 ` Sven Schuster
@ 2003-06-26 15:11   ` Ruslan Spivak
  2003-06-26 15:17     ` Chris Wilson
  2003-06-26 15:19     ` Sven Schuster
  0 siblings, 2 replies; 8+ messages in thread
From: Ruslan Spivak @ 2003-06-26 15:11 UTC (permalink / raw)
  To: Sven Schuster; +Cc: netfilter

Sven Schuster wrote:

>
> What about using a user-defined chain like this:
>
> iptables -t mangle -N setmark
> iptables -t mangle -A setmark -s ! 193.220.70.0/27 -d 193.220.70.32/27 \
>         -j RETURN
> iptables -t mangle -A setmark -s ! 193.108.240.0/22 -d 193.220.70.32/27 \
>         -j RETURN
> iptables -t mangle -A setmark -j MARK --set-mark 107
> iptables -t mangle -A POSTROUTING -j setmark
>
> Hope this helps
>
> Sven

Thanks for your reply.
And can you describe how a packet traverses such a chain?
Thanks in advance,
Ruslan






* Re: MARK and ! question
  2003-06-26 15:11   ` Ruslan Spivak
@ 2003-06-26 15:17     ` Chris Wilson
  2003-06-26 15:22       ` Sven Schuster
  2003-06-26 15:39       ` Ruslan Spivak
  2003-06-26 15:19     ` Sven Schuster
  1 sibling, 2 replies; 8+ messages in thread
From: Chris Wilson @ 2003-06-26 15:17 UTC (permalink / raw)
  To: Ruslan Spivak; +Cc: Sven Schuster, netfilter

Hi Ruslan, Hi Sven,

> > What about using a user-defined chain like this:
> >
> > iptables -t mangle -N setmark
> > iptables -t mangle -A setmark -s ! 193.220.70.0/27 -d 193.220.70.32/27 \
> >         -j RETURN
> > iptables -t mangle -A setmark -s ! 193.108.240.0/22 -d 193.220.70.32/27 \
> >         -j RETURN
> > iptables -t mangle -A setmark -j MARK --set-mark 107
> > iptables -t mangle -A POSTROUTING -j setmark

> Thanks for your reply.
> And can you describe how a packet traverses such a chain?

I think the ruleset above is wrong: the '!' should not be present here. 
Allow me to explain the packet traversal when the same rules are used, but 
with "!" removed:

iptables -t mangle -N setmark
iptables -t mangle -A setmark -s 193.220.70.0/27 -d 193.220.70.32/27 \
        -j RETURN
iptables -t mangle -A setmark -s 193.108.240.0/22 -d 193.220.70.32/27 \
        -j RETURN
iptables -t mangle -A setmark -j MARK --set-mark 107
iptables -t mangle -A POSTROUTING -j setmark

1. Packet enters POSTROUTING
2. Packet jumps to "setmark" chain
3. Packets having source address matching "193.220.70.0/27" are RETURNed 
   to POSTROUTING
4. Packets having source address matching "193.108.240.0/22" are RETURNed 
   to POSTROUTING
5. (now ONLY packets which do NOT have either of these source addresses 
   are still in the "setmark" chain)
6. All packets (still in the "setmark" chain) are marked with 107
7. Packets fall off the end of the "setmark" chain and return to 
   POSTROUTING (but they are now marked)
8. Packets fall off the end of POSTROUTING and continue through the kernel 
   (presumably to be delivered to a network device)

Cheers, Chris.
-- 
   ___ __     _
 / __// / ,__(_)_  | Chris Wilson -- UNIX Firewall Lead Developer |
/ (_ / ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
\ _//_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |




* Re: MARK and ! question
  2003-06-26 15:11   ` Ruslan Spivak
  2003-06-26 15:17     ` Chris Wilson
@ 2003-06-26 15:19     ` Sven Schuster
  1 sibling, 0 replies; 8+ messages in thread
From: Sven Schuster @ 2003-06-26 15:19 UTC (permalink / raw)
  To: Ruslan Spivak; +Cc: netfilter


1. Packet arrives at mangle/POSTROUTING
2. Packet jumps from POSTROUTING chain to setmark chain
3. When the packet's source is _not_ 193.220.70.0/27 the packet
   will return to mangle/POSTROUTING and continue traversal.
4. When the packet's source is _not_ 193.108.240.0/22 the packet
   will return to mangle/POSTROUTING and continue traversal.
5. So now we have packets neither coming from 193.220.70.0/24
   nor from 193.108.240.0/22. And those packets are MARKED with
   the value 107.

Hope this is enough for you ;-)

Have a nice day

Sven







* Re: MARK and ! question
  2003-06-26 15:17     ` Chris Wilson
@ 2003-06-26 15:22       ` Sven Schuster
  2003-06-26 15:39       ` Ruslan Spivak
  1 sibling, 0 replies; 8+ messages in thread
From: Sven Schuster @ 2003-06-26 15:22 UTC (permalink / raw)
  To: Chris Wilson; +Cc: Ruslan Spivak, netfilter

Chris Wilson wrote:

>I think the ruleset above is wrong: the '!' should not be present here. 
>Allow me to explain the packet traversal when the same rules are used, but 
>with "!" removed:
>
>
Yeah you're right, sorry...need more coffee ;-))


Sven





* Re: MARK and ! question
  2003-06-26 15:17     ` Chris Wilson
  2003-06-26 15:22       ` Sven Schuster
@ 2003-06-26 15:39       ` Ruslan Spivak
  2003-06-26 15:40         ` Chris Wilson
  1 sibling, 1 reply; 8+ messages in thread
From: Ruslan Spivak @ 2003-06-26 15:39 UTC (permalink / raw)
  To: Chris Wilson; +Cc: netfilter

Sorry for disturbance, but one more question: it looks like all other 
packets not from 193.220.70.0/27 and not from 193.108.240.0/22 will be 
marked, but I need to mark packets that have destination 193.220.70.32/27 
and are not from the above-mentioned networks. What else should I add or 
modify?

Thanks in advance.





* Re: MARK and ! question
  2003-06-26 15:39       ` Ruslan Spivak
@ 2003-06-26 15:40         ` Chris Wilson
  0 siblings, 0 replies; 8+ messages in thread
From: Chris Wilson @ 2003-06-26 15:40 UTC (permalink / raw)
  To: Ruslan Spivak; +Cc: netfilter

Hi Ruslan,

> Sorry for disturbance, but one more question: it looks like all other 
> packets not from 193.220.70.0/27 and not from 193.108.240.0/22 will be
> marked, but I need to mark packets that have destination 193.220.70.32/27
> and are not from the above-mentioned networks. What else should I add or
> modify?

Sorry, it looks like the ruleset is still wrong. Try this one:

iptables -t mangle -N setmark
iptables -t mangle -A setmark -s   193.220.70.0/27  -j RETURN
iptables -t mangle -A setmark -s   193.108.240.0/22 -j RETURN
iptables -t mangle -A setmark -d ! 193.220.70.32/27 -j RETURN
iptables -t mangle -A setmark -j MARK --set-mark 107
iptables -t mangle -A POSTROUTING -j setmark

Cheers, Chris.
-- 
   ___ __     _
 / __// / ,__(_)_  | Chris Wilson -- UNIX Firewall Lead Developer |
/ (_ / ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
\ _//_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |
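As an added example (not code from the thread), the Python model below replays the three rulesets that were posted: Ruslan's two POSTROUTING rules from the first message, Sven's first setmark chain with the '!' still on the RETURN rules, and Chris's final setmark chain directly above. It models only what the thread needs: -s/-d matching with optional negation, the non-terminating MARK target, a jump into a user-defined chain, and RETURN. The networks are the ones from the thread; the five sample packets are constructed, and the names Rule, traverse and marks belong to this example, not to iptables.

```python
"""Model of mangle-table chain traversal for the MARK / '!' question.

Added example, not code from the thread.  Networks are the thread's own;
the sample packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

NET_A = "193.220.70.0/27"     # first source network to exclude
NET_B = "193.108.240.0/22"    # second source network to exclude
NET_C = "193.220.70.32/27"    # destination whose traffic should be marked


@dataclass(frozen=True)
class Rule:
    target: str                 # "RETURN", "MARK", or a user-defined chain name
    src: Optional[str] = None   # -s CIDR (None = any source)
    dst: Optional[str] = None   # -d CIDR (None = any destination)
    src_neg: bool = False       # True models '! -s'
    dst_neg: bool = False       # True models '! -d'
    mark: int = 0               # --set-mark value for a MARK target

    def matches(self, src: str, dst: str) -> bool:
        def match(cidr, addr, negate):
            if cidr is None:
                return True
            net = ipaddress.ip_network(cidr, strict=False)
            inside = ipaddress.ip_address(addr) in net
            return inside != negate          # '!' inverts the match
        return match(self.src, src, self.src_neg) and match(self.dst, dst, self.dst_neg)


def traverse(chains: dict, chain: str, src: str, dst: str, mark: int = 0) -> int:
    """Walk `chain` top to bottom as the mangle table would; return the final mark."""
    for rule in chains[chain]:
        if not rule.matches(src, dst):
            continue
        if rule.target == "RETURN":
            return mark                            # back to the calling chain
        if rule.target == "MARK":
            mark = rule.mark                       # MARK is non-terminating
            continue
        mark = traverse(chains, rule.target, src, dst, mark)   # -j user-chain
    return mark                                    # fell off the end of the chain


# Ruslan's original pair: '! -s A -d C MARK' followed by '! -s B -d C MARK'
RUSLAN = {"POSTROUTING": [
    Rule("MARK", src=NET_A, src_neg=True, dst=NET_C, mark=107),
    Rule("MARK", src=NET_B, src_neg=True, dst=NET_C, mark=107),
]}

# Sven's first setmark chain, with the '!' still present on the RETURN rules
SVEN = {"POSTROUTING": [Rule("setmark")], "setmark": [
    Rule("RETURN", src=NET_A, src_neg=True, dst=NET_C),
    Rule("RETURN", src=NET_B, src_neg=True, dst=NET_C),
    Rule("MARK", mark=107),
]}

# Chris's final chain: RETURN on A, RETURN on B, RETURN unless going to C, then MARK
CHRIS = {"POSTROUTING": [Rule("setmark")], "setmark": [
    Rule("RETURN", src=NET_A),
    Rule("RETURN", src=NET_B),
    Rule("RETURN", dst=NET_C, dst_neg=True),
    Rule("MARK", mark=107),
]}

# Constructed sample packets as (source, destination) pairs.
PACKETS = [
    ("193.220.70.5",  "193.220.70.40"),   # from A to C:          must NOT be marked
    ("193.108.241.9", "193.220.70.40"),   # from B to C:          must NOT be marked
    ("10.0.0.1",      "193.220.70.40"),   # elsewhere to C:       MUST be marked
    ("10.0.0.1",      "198.51.100.7"),    # elsewhere, not to C:  must NOT be marked
    ("193.220.70.5",  "198.51.100.7"),    # from A, not to C:     must NOT be marked
]
WANTED = [0, 0, 107, 0, 0]


def marks(chains: dict) -> list:
    """Final mark each sample packet leaves POSTROUTING with under `chains`."""
    return [traverse(chains, "POSTROUTING", s, d) for s, d in PACKETS]


if __name__ == "__main__":
    for name, chains in (("ruslan", RUSLAN), ("sven", SVEN), ("chris", CHRIS)):
        got = marks(chains)
        print(f"{name:7s} {got}  {'ok' if got == WANTED else 'WRONG'}")
```

Running it shows why the original pair of rules fails: a packet from 193.220.70.0/27 does not match '! -s 193.220.70.0/27', but it does match '! -s 193.108.240.0/22', so the second rule marks it anyway. Two negated rules in sequence implement "not A OR not B", which is every packet, not "not A AND not B". Sven's first chain with the '!' kept marks exactly the wrong packets (everything not destined to 193.220.70.32/27), and only Chris's final chain marks just the packet that should be marked; a source inside 193.220.70.32/27 itself is not excluded and is marked too. Two things worth knowing when typing this in today: current iptables warns that the intrapositioned form '-s ! addr' is deprecated and expects '! -s addr', and nftables can express the whole requirement in one rule with a negated anonymous set, for example "ip saddr != { 193.220.70.0/27, 193.108.240.0/22 } ip daddr 193.220.70.32/27 meta mark set 107".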




end of thread, other threads:[~2003-06-26 15:40 UTC | newest]
