One little problem I don't understand

One little problem I don't understand

[Vultur Constantin]

Hi,

I have a little problem understanding the way iptables does the matching 
of packets.
The problem is like this:
I have an subnet A.B.C.D/X which I mark it with --set-mark 1:

$IPT -A fw-interfaces -i $INT_IF -s $INT_NET  -d A.B.C.D/X -m state 
--state NEW    -j ACCEPT
$IPT -t mangle -A PREROUTING -i $INT_IF -d A.B.C.D/X  -j MARK --set-mark 1

and I mark the connections to port 22 ( ssh ) with --set-mark 2

$IPT -A fw-interfaces -i $INT_IF -s $INT_NET  -p tcp --dport 22 -m state 
--state NEW    -j ACCEPT
$IPT -t mangle -A PREROUTING -i $INT_IF -p tcp --dport 22 -j MARK 
--set-mark 2   
 
fw-interfaces is used as a custom chain in FORWARD.

Now my problem is like this:
If I want to connect to ssh to one of the ip's from d A.B.C.D/X all my 
packets are set-marked with 2. The rule with d A.B.C.D/X   is above tho 
one with ssh.
Shouldn't the ssh connection to A.B.C.D/X  be marked with 1 ? If not 
what I am doing wrong.

Thanks,

-- 
Constantin Daniel VULTUR

Re: One little problem I don't understand

[Martijn Lievaart]

Vultur Constantin wrote:

> Hi,
>
> I have a little problem understanding the way iptables does the 
> matching of packets.
> The problem is like this:
> I have an subnet A.B.C.D/X which I mark it with --set-mark 1:
>
> $IPT -A fw-interfaces -i $INT_IF -s $INT_NET  -d A.B.C.D/X -m state 
> --state NEW    -j ACCEPT
> $IPT -t mangle -A PREROUTING -i $INT_IF -d A.B.C.D/X  -j MARK 
> --set-mark 1
>
> and I mark the connections to port 22 ( ssh ) with --set-mark 2
>
> $IPT -A fw-interfaces -i $INT_IF -s $INT_NET  -p tcp --dport 22 -m 
> state --state NEW    -j ACCEPT
> $IPT -t mangle -A PREROUTING -i $INT_IF -p tcp --dport 22 -j MARK 
> --set-mark 2  
> fw-interfaces is used as a custom chain in FORWARD.
>
> Now my problem is like this:
> If I want to connect to ssh to one of the ip's from d A.B.C.D/X all my 
> packets are set-marked with 2. The rule with d A.B.C.D/X   is above 
> tho one with ssh.
> Shouldn't the ssh connection to A.B.C.D/X  be marked with 1 ? If not 
> what I am doing wrong.


It IS marked with 1, subsequently overwritten by 2 by the second rule.

HTH,
M4

Re: One little problem I don't understand

[Costi]

But still isn't iptables  *first rule wins* policy ? From what I know 
iptables runs with this policy?

Martijn Lievaart wrote:
> Vultur Constantin wrote:
>
>> Hi,
>>
>> I have a little problem understanding the way iptables does the 
>> matching of packets.
>> The problem is like this:
>> I have an subnet A.B.C.D/X which I mark it with --set-mark 1:
>>
>> $IPT -A fw-interfaces -i $INT_IF -s $INT_NET  -d A.B.C.D/X -m state 
>> --state NEW    -j ACCEPT
>> $IPT -t mangle -A PREROUTING -i $INT_IF -d A.B.C.D/X  -j MARK 
>> --set-mark 1
>>
>> and I mark the connections to port 22 ( ssh ) with --set-mark 2
>>
>> $IPT -A fw-interfaces -i $INT_IF -s $INT_NET  -p tcp --dport 22 -m 
>> state --state NEW    -j ACCEPT
>> $IPT -t mangle -A PREROUTING -i $INT_IF -p tcp --dport 22 -j MARK 
>> --set-mark 2  fw-interfaces is used as a custom chain in FORWARD.
>>
>> Now my problem is like this:
>> If I want to connect to ssh to one of the ip's from d A.B.C.D/X all 
>> my packets are set-marked with 2. The rule with d A.B.C.D/X   is 
>> above tho one with ssh.
>> Shouldn't the ssh connection to A.B.C.D/X  be marked with 1 ? If not 
>> what I am doing wrong.
>
>
> It IS marked with 1, subsequently overwritten by 2 by the second rule.
>
> HTH,
> M4
>

Re: One little problem I don't understand

[Rob Sterenborg]

On Thu, August 10, 2006 09:55, Costi wrote:
> But still isn't iptables  *first rule wins* policy ? From what I know
> iptables runs with this policy?

That depends on the target.
If the target is definitive (AFAIK these are: ACCEPT, DROP, REJECT) then
subsequent rules will not be processed. A MARK target is not definitive so
subsequent rules are processed.


Gr,
Rob

Re: One little problem I don't understand

[Martijn Lievaart]

Costi wrote:

[ Please don't top post! ]

>>>
>>> Now my problem is like this:
>>> If I want to connect to ssh to one of the ip's from d A.B.C.D/X all 
>>> my packets are set-marked with 2. The rule with d A.B.C.D/X   is 
>>> above tho one with ssh.
>>> Shouldn't the ssh connection to A.B.C.D/X  be marked with 1 ? If not 
>>> what I am doing wrong.
>>
>>
>>
>> It IS marked with 1, subsequently overwritten by 2 by the second rule.
>>

 > But still isn't iptables  *first rule wins* policy ? From what I know 
iptables runs with this policy?

No, first rule gets executed first. If that is a rule with a terminal 
target, the processing stops there. Otherwise processing continues with 
the next rule.

To get what you want, do this:

$IPT -t mangle -A PREROUTING -i $INT_IF -d A.B.C.D/X  -j  T1
$IPT -N T1
$IPT -A T1 -j MARK --set-mark 1
$IPT -A T1 -j ACCEPT
$IPT -t mangle -A PREROUTING -i $INT_IF -p tcp --dport 22 -j MARK 
--set-mark 2

HTH,
M4