* Match packet mark with --set-mark to ip rule fwmark

From: kaiwen @ 2004-01-07 4:10 UTC
To: netfilter

Hi,

Here I am trying something simple. My objective is to make the ip rule fwmark command work :)

Network Diagram:
---
192.168.250.197 (eth0) Linux Box (eth1) 192.168.8.88 ------------- 192.168.8.122 (eth0) Windows XP Client

Configuration done on Linux Box:

(1)
[root@g webauth]# iptables -t mangle -A PREROUTING -j MARK --set-mark 5
[root@g webauth]# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere            MARK set 0x5

(2)
[root@g webauth]# ip rule add fwmark 5 table test2
[root@g webauth]# ip rule
0:      from all lookup local
32765:  from all fwmark 5 lookup test2
32766:  from all lookup main
32767:  from all lookup 253

(3)
[root@g webauth]# ip ro show table test2
prohibit 192.168.8.122

I expect the ping from 192.168.8.122 to 192.168.250.197 to be dropped, BUT it is successful. Why?
Did I miss out anything? Please advise.

Thank you
Kaiwen
* Re: Match packet mark with --set-mark to ip rule fwmark

From: Philip Craig @ 2004-01-07 5:00 UTC
To: kaiwen; Cc: netfilter

kaiwen wrote:
> (3) [root@g webauth]# ip ro show table test2
> prohibit 192.168.8.122
>
> I expect the ping from 192.168.8.122 to 192.168.250.197 to be dropped, BUT it is
> successful. Why?
> Did I miss out anything? Please advise.

prohibit specifies the destination address, not the source. So the ping
from 192.168.8.122 to 192.168.250.197 will get through. Additionally,
the reply goes through OUTPUT, not PREROUTING, so it won't be marked and
dropped either. If you add your mark rule to the OUTPUT chain, then you
should see the reply being dropped.

I assume you are just using prohibit for testing: there is no point
marking a packet with iptables and then dropping it in iproute2, when you
could just drop it with iptables in the first place.

-- 
Philip Craig - SnapGear, A CyberGuard Company - http://www.SnapGear.com
* Re: Match packet mark with --set-mark to ip rule fwmark

From: kaiwen @ 2004-01-07 5:03 UTC
To: Philip Craig; Cc: netfilter

Hi,

Yes, I just wish to do testing, to see if fwmark works with --set-mark.
I will try your advice now. Thank you, and I will get back to the list soon :)

kaiwen

----- Original Message -----
From: "Philip Craig" <philipc@snapgear.com>
To: "kaiwen" <cal_kaiwen@hotmail.com>
Cc: <netfilter@lists.netfilter.org>
Sent: Wednesday, January 07, 2004 1:00 PM
Subject: Re: Match packet mark with --set-mark to ip rule fwmark

> kaiwen wrote:
> > (3) [root@g webauth]# ip ro show table test2
> > prohibit 192.168.8.122
> >
> > I expect the ping from 192.168.8.122 to 192.168.250.197 to be dropped, BUT it is
> > successful. Why?
> > Did I miss out anything? Please advise.
>
> prohibit specifies the destination address, not the source. So the ping
> from 192.168.8.122 to 192.168.250.197 will get through. Additionally,
> the reply goes through OUTPUT, not PREROUTING, so it won't be marked and
> dropped either. If you add your mark rule to the OUTPUT chain, then you
> should see the reply being dropped.
>
> I assume you are just using prohibit for testing: there is no point
> marking a packet with iptables and then dropping it in iproute2, when you
> could just drop it with iptables in the first place.
>
> -- 
> Philip Craig - SnapGear, A CyberGuard Company - http://www.SnapGear.com
* Re: Match packet mark with --set-mark to ip rule fwmark

From: kaiwen @ 2004-01-07 5:35 UTC
To: Philip Craig; Cc: netfilter

Hi,

My new configurations:

Network Diagram:
---
192.168.250.197 (eth0) Linux Box (eth1) 192.168.8.88 ------------- 192.168.8.122 (eth0) Windows XP Client

Configuration A

(1)
[root@g root]# ip ru
0:      from all lookup local
32765:  from all fwmark 5 lookup test2
32766:  from all lookup main
32767:  from all lookup 253

(2)
[root@g root]# ip ro show table test2
prohibit 192.168.8.88
prohibit 192.168.250.197

(3)
[root@g root]# iptables -t mangle -L
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere            MARK set 0x5

(4)
[root@g root]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.250.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.8.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.250.254 0.0.0.0         UG    0      0        0 eth0

Ping from 192.168.8.122 to 192.168.250.197 is still successful. :|

Take a look at ip rule: the first rule routes all packets to table local,
which has a route for 192.168.8.0/24. Is it true that once there is one rule
which matches the packet, it will route according to it? If so, I remove
the route from table local and put it in table test2, which is
Configuration B.

Configuration B

(1)
[root@g root]# ip ru
0:      from all lookup local
32765:  from all fwmark 5 lookup test2
32766:  from all lookup main
32767:  from all lookup 253

(2)
[root@g root]# ip ro show table test2
prohibit 192.168.8.88
prohibit 192.168.250.197
192.168.8.0/24 via 192.168.8.88 dev br0

(3)
[root@g root]# iptables -t mangle -L
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere            MARK set 0x5

(4)
[root@g root]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.250.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.250.254 0.0.0.0         UG    0      0        0 eth0

Yet, ping from 192.168.8.122 to 192.168.250.197 is still successful.

Please advise :)

----- Original Message -----
From: "Philip Craig" <philipc@snapgear.com>
To: "kaiwen" <cal_kaiwen@hotmail.com>
Cc: <netfilter@lists.netfilter.org>
Sent: Wednesday, January 07, 2004 1:00 PM
Subject: Re: Match packet mark with --set-mark to ip rule fwmark

> kaiwen wrote:
> > (3) [root@g webauth]# ip ro show table test2
> > prohibit 192.168.8.122
> >
> > I expect the ping from 192.168.8.122 to 192.168.250.197 to be dropped, BUT it is
> > successful. Why?
> > Did I miss out anything? Please advise.
>
> prohibit specifies the destination address, not the source. So the ping
> from 192.168.8.122 to 192.168.250.197 will get through. Additionally,
> the reply goes through OUTPUT, not PREROUTING, so it won't be marked and
> dropped either. If you add your mark rule to the OUTPUT chain, then you
> should see the reply being dropped.
>
> I assume you are just using prohibit for testing: there is no point
> marking a packet with iptables and then dropping it in iproute2, when you
> could just drop it with iptables in the first place.
>
> -- 
> Philip Craig - SnapGear, A CyberGuard Company - http://www.SnapGear.com
* Re: Match packet mark with --set-mark to ip rule fwmark

From: Philip Craig @ 2004-01-07 6:17 UTC
To: kaiwen; Cc: netfilter

kaiwen wrote:
> (2)
> [root@g root]# ip ro show table test2
> prohibit 192.168.8.88
> prohibit 192.168.250.197
>
> (3)
> [root@g root]# iptables -t mangle -L
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> MARK       all  --  anywhere             anywhere            MARK set 0x5

But you changed both the IP address for the prohibit *and* the
chain the mark is in. So you still won't get packets that match
both. Just change one or the other.

That is, if you want to drop an incoming ping packet, then the
prohibit must specify a local IP, and the mark rule must be in
the PREROUTING chain. If you want to drop an outgoing ping packet,
then the prohibit must specify a remote IP, and the mark rule must
be in the OUTPUT chain. You could also just always put the mark
rule in both PREROUTING and OUTPUT.

Here's another option: change the mark rule so that it specifies
the source or destination, and also change the prohibit to be
'prohibit any'.

> Take a look at ip rule: the first rule routes all packets to table local,
> which has a route for 192.168.8.0/24. Is it true that once there is one rule
> which matches the packet, it will route according to it? If so, I remove
> the route from table local and put it in table test2, which is
> Configuration B.

Yes, it will use the first route that matches. Note that moving the
route to table test2 will break routing for packets that don't use
table test2. You probably want to move it to table main.

-- 
Philip Craig - SnapGear, A CyberGuard Company - http://www.SnapGear.com
* Re: Match packet mark with --set-mark to ip rule fwmark

From: kaiwen @ 2004-01-07 7:25 UTC
To: Philip Craig; Cc: netfilter

Hi,

I tried the following configurations:

(1)
[root@g webauth]# ip route show table test2
prohibit 192.168.250.197
192.168.8.0/24 via 192.168.8.88 dev br0

(2)
[root@g webauth]# iptables -t mangle -L
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere            MARK set 0x5

(3)
[root@g webauth]# ip ru
0:      from all lookup local
32765:  from all fwmark 5 lookup test2
32766:  from all lookup main
32767:  from all lookup 253

A ping from 192.168.8.129 will go to iptables and get marked 5; it goes to
the local table, but no route matches it, so it goes to table test2. The
destination of the packet is 192.168.250.197, so it is prohibited, and I
suppose the ping will not be successful. Have I got the explanation right?

I have got a question: does a packet travel through the routing table
first, or iptables?

But, it is successful.

----- Original Message -----
From: "Philip Craig" <philipc@snapgear.com>
To: "kaiwen" <cal_kaiwen@hotmail.com>
Cc: <netfilter@lists.netfilter.org>
Sent: Wednesday, January 07, 2004 2:17 PM
Subject: Re: Match packet mark with --set-mark to ip rule fwmark

> kaiwen wrote:
> > (2)
> > [root@g root]# ip ro show table test2
> > prohibit 192.168.8.88
> > prohibit 192.168.250.197
> >
> > (3)
> > [root@g root]# iptables -t mangle -L
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> > MARK       all  --  anywhere             anywhere            MARK set 0x5
>
> But you changed both the IP address for the prohibit *and* the
> chain the mark is in. So you still won't get packets that match
> both. Just change one or the other.
>
> That is, if you want to drop an incoming ping packet, then the
> prohibit must specify a local IP, and the mark rule must be in
> the PREROUTING chain. If you want to drop an outgoing ping packet,
> then the prohibit must specify a remote IP, and the mark rule must
> be in the OUTPUT chain. You could also just always put the mark
> rule in both PREROUTING and OUTPUT.
>
> Here's another option: change the mark rule so that it specifies
> the source or destination, and also change the prohibit to be
> 'prohibit any'.
>
> > Take a look at ip rule: the first rule routes all packets to table local,
> > which has a route for 192.168.8.0/24. Is it true that once there is one rule
> > which matches the packet, it will route according to it? If so, I remove
> > the route from table local and put it in table test2, which is
> > Configuration B.
>
> Yes, it will use the first route that matches. Note that moving the
> route to table test2 will break routing for packets that don't use
> table test2. You probably want to move it to table main.
>
> -- 
> Philip Craig - SnapGear, A CyberGuard Company - http://www.SnapGear.com
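The ping exchange from the last two messages, traced through a small model of the policy-routing lookup (ip rule / ip route) and of where the mangle table's PREROUTING and OUTPUT chains sit relative to the routing decision. This is an added example, not code from the thread or from the kernel: the addresses, the table name test2 and the mark value 5 are the ones posted; the Box, Route and Rule classes and the helper names are constructed here; the contents of the local and main tables are inferred from the route -n output above; and the prohibit_request variant assumes the local rule has been re-added at pref 1 and the pref 0 copy deleted so that the fwmark rule can be consulted before the local table.

```python
"""Constructed model of Linux policy routing plus netfilter hook order.
Not kernel code; the rules below reproduce the behaviour the thread saw."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

CLIENT = "192.168.8.122"      # Windows XP client (thread's addresses)
BOX_LAN = "192.168.8.88"      # Linux box, br0 side
BOX_WAN = "192.168.250.197"   # Linux box, eth0 side


@dataclass
class Route:
    prefix: str               # "192.168.8.0/24", "default" or a host address
    kind: str = "unicast"     # unicast | local | prohibit

    def match(self, dst: str) -> Optional[int]:
        """Prefix length if dst falls inside this route, else None."""
        net = ipaddress.ip_network(
            "0.0.0.0/0" if self.prefix == "default" else self.prefix, strict=False)
        return net.prefixlen if ipaddress.ip_address(dst) in net else None


@dataclass
class Rule:
    pref: int
    table: str
    fwmark: Optional[int] = None   # None: plain "from all", no fwmark selector


@dataclass
class Box:
    tables: dict              # table name -> [Route]
    rules: list               # [Rule]
    mangle: dict = field(default_factory=dict)   # chain -> mark set by -j MARK

    def lookup(self, dst: str, mark: int) -> str:
        """Walk rules in pref order; the first rule whose selector matches and
        whose table holds a matching route decides (longest prefix within the
        table).  A table with no matching route is skipped, not a failure."""
        for rule in sorted(self.rules, key=lambda r: r.pref):
            if rule.fwmark is not None and rule.fwmark != mark:
                continue
            best = None
            for route in self.tables.get(rule.table, []):
                plen = route.match(dst)
                if plen is not None and (best is None or plen > best[0]):
                    best = (plen, route)
            if best is not None:
                return best[1].kind
        return "unreachable"

    def receive(self, dst: str) -> str:
        """Packet arriving on an interface: mangle PREROUTING runs before the
        routing decision, so its mark is visible to the fwmark rule."""
        return self.lookup(dst, self.mangle.get("PREROUTING", 0))

    def send(self, dst: str) -> str:
        """Locally generated packet (e.g. the echo reply): routed first, then
        mangle OUTPUT; a mark set there triggers a re-route with the new mark."""
        verdict = self.lookup(dst, 0)
        mark = self.mangle.get("OUTPUT", 0)
        return self.lookup(dst, mark) if mark else verdict

    def ping_from_client(self) -> bool:
        """Echo request CLIENT -> BOX_WAN must be delivered locally and the
        reply BOX -> CLIENT must find a unicast route."""
        return self.receive(BOX_WAN) == "local" and self.send(CLIENT) == "unicast"


def base_tables() -> dict:
    # local holds the box's own addresses; main holds what route -n showed.
    return {"local": [Route(BOX_LAN, "local"), Route(BOX_WAN, "local")],
            "main": [Route("192.168.8.0/24"), Route("192.168.250.0/24"), Route("default")]}


RULES = [Rule(0, "local"), Rule(32765, "test2", fwmark=5), Rule(32766, "main")]


def first_post() -> Box:
    # Mark in PREROUTING, prohibit on the client's (source) address.
    t = base_tables(); t["test2"] = [Route(CLIENT, "prohibit")]
    return Box(t, RULES, {"PREROUTING": 5})


def config_a() -> Box:
    # Mark moved to OUTPUT, prohibit changed to the box's own addresses.
    t = base_tables(); t["test2"] = [Route(BOX_LAN, "prohibit"), Route(BOX_WAN, "prohibit")]
    return Box(t, RULES, {"OUTPUT": 5})


def prohibit_reply() -> Box:
    # Outgoing variant: mark in OUTPUT, prohibit the remote address, so the
    # echo reply is re-routed with mark 5 and lands on the prohibit route.
    t = base_tables(); t["test2"] = [Route(CLIENT, "prohibit")]
    return Box(t, RULES, {"OUTPUT": 5})


def prohibit_request() -> Box:
    # Incoming variant: mark in PREROUTING, prohibit the local address.  Assumed
    # rule order: fwmark rule at pref 0, local table re-added at pref 1.
    t = base_tables(); t["test2"] = [Route(BOX_WAN, "prohibit")]
    return Box(t, [Rule(0, "test2", fwmark=5), Rule(1, "local"), Rule(32766, "main")],
               {"PREROUTING": 5})
```

Running the four configurations, first_post() and config_a() both report a successful ping, as the thread observed: in the first, the echo request to 192.168.250.197 is answered by the local table at pref 0 and the prohibit for 192.168.8.122 (a destination match) is never reached; in the second, the reply to 192.168.8.122 is re-routed with mark 5, but test2 only prohibits the box's own addresses, so the lookup falls through to main. prohibit_reply() drops the reply and prohibit_request() drops the request. The same reason defeats the incoming variant as posted: with the fwmark rule at 32765 the local table at pref 0 always wins for a packet addressed to the box itself, so the rule has to be ordered before it. On a live box the equivalent check is `ip route get 192.168.8.122 mark 5` (and `ip route get 192.168.250.197 mark 5` for the incoming case), which fails with Permission denied when the lookup reaches a prohibit route. As Philip notes, for plain dropping `iptables -A INPUT -s 192.168.8.122 -j DROP` does the job without any routing table; the iproute2 spelling of a catch-all prohibit route, as far as I know, is `ip route add prohibit default table test2`.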