layer7 problem

layer7 problem

[Antonio Pérez]

Hello,
I want to use layer7 in my linux box. I have the 2.6.12.5 kerner version 
and the 1.3.3 iptables version. I patched the kernel and the iptables 
with kernel-2.6.11-layer7-1.4.patch, linux-2.6.9-imq1.diff, 
iptables-1.3.0-imq1.diff and iptables-layer7-1.4.patch.
When i run:
iptables -t mangle -A POSTROUTING -m layer7 --l7proto http -j MARK 
--set-mark 3
no error show, but when i do:
iptables -t mangle -L -v
pkts bytes target     prot opt in     out     source               
destination
    0     0 MARK       all  --  any    any     anywhere             
anywhere            LAYER7 l7proto http MARK set 0x3
the packets marked always is 0.

I followed this howto http://l7-filter.sourceforge.net/HOWTO.

Have somebody any idea?
Thanks, and sorry for my bad english.

Re: layer7 problem

[Jörg Harmuth]

Antonio Pérez schrieb:
> Hello,
> I want to use layer7 in my linux box. I have the 2.6.12.5 kerner version
> and the 1.3.3 iptables version. I patched the kernel and the iptables
> with kernel-2.6.11-layer7-1.4.patch, linux-2.6.9-imq1.diff,
> iptables-1.3.0-imq1.diff and iptables-layer7-1.4.patch.
> When i run:
> iptables -t mangle -A POSTROUTING -m layer7 --l7proto http -j MARK
> --set-mark 3
> no error show, but when i do:
> iptables -t mangle -L -v
> pkts bytes target     prot opt in     out     source              
> destination
>    0     0 MARK       all  --  any    any     anywhere            
> anywhere            LAYER7 l7proto http MARK set 0x3
> the packets marked always is 0.

There are several possibilities - in theory. Taken from http.pat:

# this intentionally catches the response from the server
# rather than the request so that other protocols which use
# http (like kazaa) can be caught based on specific http requests
# regardless of the ordering of filters...
# also matches posts

So, if the pattern catches the *server* response, it will be in the 5th
packet of the connection (3 packets handshake, request, response) and
this packet will not pass POSTROUTING. It will pass PREROUTING, as it is
an incoming packet. Thus the best bet is to move your rule accordingly
or simply add it in PREROUTING.

HTH and have a nice time,

Joerg

Re: layer7 problem

[Antonio Pérez]

Jörg Harmuth wrote:

>Antonio Pérez schrieb:
>  
>
>>Hello,
>>I want to use layer7 in my linux box. I have the 2.6.12.5 kerner version
>>and the 1.3.3 iptables version. I patched the kernel and the iptables
>>with kernel-2.6.11-layer7-1.4.patch, linux-2.6.9-imq1.diff,
>>iptables-1.3.0-imq1.diff and iptables-layer7-1.4.patch.
>>When i run:
>>iptables -t mangle -A POSTROUTING -m layer7 --l7proto http -j MARK
>>--set-mark 3
>>no error show, but when i do:
>>iptables -t mangle -L -v
>>pkts bytes target     prot opt in     out     source              
>>destination
>>   0     0 MARK       all  --  any    any     anywhere            
>>anywhere            LAYER7 l7proto http MARK set 0x3
>>the packets marked always is 0.
>>    
>>
>
>There are several possibilities - in theory. Taken from http.pat:
>
># this intentionally catches the response from the server
># rather than the request so that other protocols which use
># http (like kazaa) can be caught based on specific http requests
># regardless of the ordering of filters...
># also matches posts
>
>So, if the pattern catches the *server* response, it will be in the 5th
>packet of the connection (3 packets handshake, request, response) and
>this packet will not pass POSTROUTING. It will pass PREROUTING, as it is
>an incoming packet. Thus the best bet is to move your rule accordingly
>or simply add it in PREROUTING.
>
>HTH and have a nice time,
>
>Joerg
>
>  
>

Hi Joerg,

 Thanks for your reply, I also tried PREROUTING and also many different 
protocols, not only http and the problem remains the same, everything 
seems to work properly, no errors, but the number of marked packets 
remains empty.
 Any idea will be apreciated, thanks.

Antonio.

Re: layer7 problem

[Jörg Harmuth]

Antonio Pérez schrieb:
> Hi Joerg,
> 
> Thanks for your reply, I also tried PREROUTING and also many different
> protocols, not only http and the problem remains the same, everything
> seems to work properly, no errors, but the number of marked packets
> remains empty.
> Any idea will be apreciated, thanks.

Could you please post the output of iptables-save ? I assume, that some
other rules are the culprit ;)

Have a nice time,

Joerg

Re: layer7 problem

[Antonio Pérez]

Jörg Harmuth wrote:

>Antonio Pérez schrieb:
>  
>
>>Hi Joerg,
>>
>>Thanks for your reply, I also tried PREROUTING and also many different
>>protocols, not only http and the problem remains the same, everything
>>seems to work properly, no errors, but the number of marked packets
>>remains empty.
>>Any idea will be apreciated, thanks.
>>    
>>
>
>Could you please post the output of iptables-save ? I assume, that some
>other rules are the culprit ;)
>
>Have a nice time,
>
>Joerg
>
>
>  
>
iptables-save
# Generated by iptables-save v1.3.3 on Wed Aug 24 14:05:01 2005
*mangle
:PREROUTING ACCEPT [633:402628]
:INPUT ACCEPT [633:402628]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [606:91422]
:POSTROUTING ACCEPT [606:91422]
-A PREROUTING -m layer7 --l7proto http -j MARK --set-mark 0x1
-A PREROUTING -m layer7 --l7proto dns -j MARK --set-mark 0x1
-A POSTROUTING -m layer7 --l7proto http -j MARK --set-mark 0x1
-A POSTROUTING -m layer7 --l7proto dns -j MARK --set-mark 0x1
COMMIT
# Completed on Wed Aug 24 14:05:01 2005


iptables -t mangle -L -v
Chain PREROUTING (policy ACCEPT 637 packets, 403K bytes)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 MARK       all  --  any    any     anywhere             
anywhere            LAYER7 l7proto http MARK set 0x1
    0     0 MARK       all  --  any    any     anywhere             
anywhere            LAYER7 l7proto dns MARK set 0x1

Chain INPUT (policy ACCEPT 637 packets, 403K bytes)
 pkts bytes target     prot opt in     out     source               
destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               
destination

Chain OUTPUT (policy ACCEPT 610 packets, 91630 bytes)
 pkts bytes target     prot opt in     out     source               
destination

Chain POSTROUTING (policy ACCEPT 610 packets, 91630 bytes)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 MARK       all  --  any    any     anywhere             
anywhere            LAYER7 l7proto http MARK set 0x1
    0     0 MARK       all  --  any    any     anywhere             
anywhere            LAYER7 l7proto dns MARK set 0x1


 I applied layer7 patch to kernel and iptables, do I need to add any 
other path?

Thanks again.

Re: layer7 problem

[Jörg Harmuth]

Antonio Pérez schrieb:
> Jörg Harmuth wrote:
> 
>> Antonio Pérez schrieb:
>>  
>>
>>> Hi Joerg,
>>>
>>> Thanks for your reply, I also tried PREROUTING and also many different
>>> protocols, not only http and the problem remains the same, everything
>>> seems to work properly, no errors, but the number of marked packets
>>> remains empty.
>>> Any idea will be apreciated, thanks.
>>>   
>>
>>
>> Could you please post the output of iptables-save ? I assume, that some
>> other rules are the culprit ;)
>>
>> Have a nice time,
>>
>> Joerg
>>
>>
>>  
>>
> iptables-save
> # Generated by iptables-save v1.3.3 on Wed Aug 24 14:05:01 2005
> *mangle
> :PREROUTING ACCEPT [633:402628]
> :INPUT ACCEPT [633:402628]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [606:91422]
> :POSTROUTING ACCEPT [606:91422]
> -A PREROUTING -m layer7 --l7proto http -j MARK --set-mark 0x1
> -A PREROUTING -m layer7 --l7proto dns -j MARK --set-mark 0x1
> -A POSTROUTING -m layer7 --l7proto http -j MARK --set-mark 0x1
> -A POSTROUTING -m layer7 --l7proto dns -j MARK --set-mark 0x1
> COMMIT
> # Completed on Wed Aug 24 14:05:01 2005

[SNIP]

> I applied layer7 patch to kernel and iptables, do I need to add any
> other path?

No, that will do. Well, these rules are fine - but it's only mangle
table. What about filter / nat table ? Any rules in these chains ? Any
policies set to DROP ?

Have a nice time,

Joerg

Re: layer7 problem

[Antonio Pérez]

Jörg Harmuth wrote:

>Antonio Pérez schrieb:
>  
>
>>Jörg Harmuth wrote:
>>
>>    
>>
>>>Antonio Pérez schrieb:
>>> 
>>>
>>>      
>>>
>>>>Hi Joerg,
>>>>
>>>>Thanks for your reply, I also tried PREROUTING and also many different
>>>>protocols, not only http and the problem remains the same, everything
>>>>seems to work properly, no errors, but the number of marked packets
>>>>remains empty.
>>>>Any idea will be apreciated, thanks.
>>>>  
>>>>        
>>>>
>>>Could you please post the output of iptables-save ? I assume, that some
>>>other rules are the culprit ;)
>>>
>>>Have a nice time,
>>>
>>>Joerg
>>>
>>>
>>> 
>>>
>>>      
>>>
>>iptables-save
>># Generated by iptables-save v1.3.3 on Wed Aug 24 14:05:01 2005
>>*mangle
>>:PREROUTING ACCEPT [633:402628]
>>:INPUT ACCEPT [633:402628]
>>:FORWARD ACCEPT [0:0]
>>:OUTPUT ACCEPT [606:91422]
>>:POSTROUTING ACCEPT [606:91422]
>>-A PREROUTING -m layer7 --l7proto http -j MARK --set-mark 0x1
>>-A PREROUTING -m layer7 --l7proto dns -j MARK --set-mark 0x1
>>-A POSTROUTING -m layer7 --l7proto http -j MARK --set-mark 0x1
>>-A POSTROUTING -m layer7 --l7proto dns -j MARK --set-mark 0x1
>>COMMIT
>># Completed on Wed Aug 24 14:05:01 2005
>>    
>>
>
>[SNIP]
>
>  
>
>>I applied layer7 patch to kernel and iptables, do I need to add any
>>other path?
>>    
>>
>
>No, that will do. Well, these rules are fine - but it's only mangle
>table. What about filter / nat table ? Any rules in these chains ? Any
>policies set to DROP ?
>
>Have a nice time,
>
>Joerg
>
>
>  
>
 Both nat and filter are empty:

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


Thanks for  your time.

Re: layer7 problem

[Jörg Harmuth]

Antonio Pérez schrieb:
> Hello,
> I want to use layer7 in my linux box. I have the 2.6.12.5 kerner version
> and the 1.3.3 iptables version. I patched the kernel and the iptables
> with kernel-2.6.11-layer7-1.4.patch, linux-2.6.9-imq1.diff,
> iptables-1.3.0-imq1.diff and iptables-layer7-1.4.patch.
> When i run:
> iptables -t mangle -A POSTROUTING -m layer7 --l7proto http -j MARK
> --set-mark 3
> no error show, but when i do:
> iptables -t mangle -L -v
> pkts bytes target     prot opt in     out     source              
> destination
>    0     0 MARK       all  --  any    any     anywhere            
> anywhere            LAYER7 l7proto http MARK set 0x3
> the packets marked always is 0.

So, as we now - only a few posts later - know, that there are no other
rules in the way, we can start looking elsewhere ;)

Hmm, only suggestions available (I have L7 on 2.4.31 and 1.3.2 -
everything is fine). Maybe there is a version mismatch. The kernel patch
is for 2.6.11, whilst you use 2.6.12. Try with kernel 2.6.11 and see if
it works. I will conquer my lazyness and test wether 1.3.3 works with
L7. I'll tell you tomorrow.

Have a nice time,

Joerg