Linux Netfilter discussions
* problem matching marked packets in nat PREROUTING chain
@ 2007-06-04 11:27 Richard Hauswald
  2007-06-04 17:43 ` Pascal Hambourg
From: Richard Hauswald @ 2007-06-04 11:27 UTC (permalink / raw)
  To: netfilter

Hello folks,
I'm trying to do the following:

mangle PREROUTING: marking packets containing the string "formula1" with 23
nat PREROUTING: matching packets marked with 23 and logging them

I used the following commands:
iptables -t mangle -A PREROUTING -m string --string formula1 --algo kmp -j MARK --set-mark 23
iptables -t nat -I PREROUTING -p tcp -m mark --mark 23 -j LOG

For debugging purposes I added the following rule to the mangle PREROUTING chain:
iptables -t mangle -A PREROUTING -p tcp -m mark --mark 23 -j LOG

Then I sent the packets to the network interface and used the following commands to check whether the rules were working correctly:
iptables -t mangle -vnL:

Chain PREROUTING (policy ACCEPT 557K packets, 326M bytes)
 pkts bytes target     prot opt in     out     source               destination
    1   482 MARK       0    --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "formula1" ALGO name kmp TO 65535MARK set 0x17
    1   241 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x17 LOG flags 0 level 4

Chain INPUT (policy ACCEPT 12380 packets, 1786K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 544K packets, 325M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 11765 packets, 1841K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 554K packets, 326M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain PREROUTING (policy ACCEPT 3707 packets, 424K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x17 LOG flags 0 level 4

Chain POSTROUTING (policy ACCEPT 2224 packets, 294K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2284 packets, 188K bytes)
 pkts bytes target     prot opt in     out     source               destination

My question is now: why does the rule placed in the mangle table match the mark, while the same one in the nat table does not?

Thanks a lot,
Richard

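Added example (written by the editor, not part of the thread): a POSIX shell script that parses constructed `iptables -vnL` listings copied from the two PREROUTING chains quoted above, sums the packet counters of every `-m mark` rule for a given fwmark in each table, and classifies the result. The function names, the embedded sample text and the `nat-blind` / `no-hits` / `ok` verdicts are the editor's own. The verdict comment records the reason the two counters differ: the nat table is traversed only by the first packet of a connection, and a mark set by a payload match on a later packet is never seen there.

```sh
#!/bin/sh
# Added example (editor's own, not from the thread): compare fwmark hit
# counters between the mangle and nat PREROUTING chains.

# Constructed sample listings, copied from the post's `iptables -vnL` output.
MANGLE_SAMPLE='Chain PREROUTING (policy ACCEPT 557K packets, 326M bytes)
 pkts bytes target     prot opt in     out     source               destination
    1   482 MARK       0    --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "formula1" ALGO name kmp TO 65535MARK set 0x17
    1   241 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x17 LOG flags 0 level 4'

NAT_SAMPLE='Chain PREROUTING (policy ACCEPT 3707 packets, 424K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x17 LOG flags 0 level 4'

# to_int COUNTER: expand the K/M/G suffixes iptables prints without -x.
to_int() {
  case "$1" in
    *K) echo $(( ${1%K} * 1000 )) ;;
    *M) echo $(( ${1%M} * 1000000 )) ;;
    *G) echo $(( ${1%G} * 1000000000 )) ;;
    *)  echo "$1" ;;
  esac
}

# mark_match_hits LISTING CHAIN MARKHEX: sum the pkts counters of every rule
# in CHAIN whose match text reads "MARK match MARKHEX" (an -m mark match).
# "MARK set" entries (the MARK target) are deliberately not counted.
mark_match_hits() {
  printf '%s\n' "$1" | awk -v chain="$2" -v mark="$3" '
    /^Chain / { inchain = ($2 == chain); next }
    inchain {
      for (i = 1; i < NF - 1; i++)
        if (tolower($i) == "mark" && $(i+1) == "match" && $(i+2) == mark) {
          print $1; break
        }
    }
  ' | {
    sum=0
    while read -r n; do sum=$(( sum + $(to_int "$n") )); done
    echo "$sum"
  }
}

# diagnose MARKHEX: classify the counter pattern for one mark value.
#   nat-blind : mangle saw the mark, nat never did. The nat table is
#               traversed only by the first packet of each connection; a
#               mark set by a payload match on a later packet (a TCP SYN
#               carries no payload) is never seen by nat PREROUTING.
#   no-hits   : the mark was matched nowhere; check the MARK rule first.
#   ok        : both tables saw the mark.
diagnose() {
  m=$(mark_match_hits "$MANGLE_SAMPLE" PREROUTING "$1")
  n=$(mark_match_hits "$NAT_SAMPLE" PREROUTING "$1")
  if [ "$m" -eq 0 ]; then
    echo no-hits
  elif [ "$n" -eq 0 ]; then
    echo nat-blind
  else
    echo ok
  fi
}

echo "mangle hits: $(mark_match_hits "$MANGLE_SAMPLE" PREROUTING 0x17)"
echo "nat hits:    $(mark_match_hits "$NAT_SAMPLE" PREROUTING 0x17)"
echo "verdict:     $(diagnose 0x17)"
```

On a live box the two samples would be replaced by `iptables -t mangle -vnL` and `iptables -t nat -vnL` (note that `--mark 23` is listed as `0x17`). The `nat-blind` pattern is exactly what the post shows: the mark is set and matched in mangle, which every packet traverses, but the nat chain is consulted only for the connection's first packet, so a mark that depends on payload content never reaches it.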

Thread overview: 3+ messages
2007-06-04 11:27 problem matching marked packets in nat PREROUTING chain Richard Hauswald
2007-06-04 17:43 ` Pascal Hambourg
  -- strict thread matches above, loose matches on Subject: below --
2007-06-04 11:29 Richard Hauswald
