* MARK and CONNMARK
@ 2008-07-16 8:46 Vladislav Kurz
2008-07-16 9:57 ` Jan Engelhardt
0 siblings, 1 reply; 10+ messages in thread
From: Vladislav Kurz @ 2008-07-16 8:46 UTC (permalink / raw)
To: netfilter
Hello,
could someone explain (or point me where to RTFM) the difference between MARK
and CONNMARK? Are they both usable by "tc filter", or "ip rule", as fwmark?
--
Regards
Vladislav Kurz
* Re: MARK and CONNMARK
2008-07-16 8:46 MARK and CONNMARK Vladislav Kurz
@ 2008-07-16 9:57 ` Jan Engelhardt
2008-07-16 10:33 ` Vladislav Kurz
0 siblings, 1 reply; 10+ messages in thread
From: Jan Engelhardt @ 2008-07-16 9:57 UTC (permalink / raw)
To: Vladislav Kurz; +Cc: netfilter
On Wednesday 2008-07-16 10:46, Vladislav Kurz wrote:
>Hello,
>
>could someone explain (or point me where to RTFM) the difference between MARK
>and CONNMARK? Are they both usable by "tc filter", or "ip rule", as fwmark?
Where does it say that?
As for the point to manuals, man iptables is usually in good shape.
* Re: MARK and CONNMARK
2008-07-16 9:57 ` Jan Engelhardt
@ 2008-07-16 10:33 ` Vladislav Kurz
2008-07-16 10:49 ` Pablo Neira Ayuso
2008-07-16 15:09 ` Grant Taylor
0 siblings, 2 replies; 10+ messages in thread
From: Vladislav Kurz @ 2008-07-16 10:33 UTC (permalink / raw)
To: netfilter
On Wednesday 16 of July 2008, Jan Engelhardt wrote:
> On Wednesday 2008-07-16 10:46, Vladislav Kurz wrote:
> >Hello,
> >
> >could someone explain (or point me where to RTFM) the difference between
> > MARK and CONNMARK? Are they both usable by "tc filter", or "ip rule", as
> > fwmark?
>
> Where does it say that?
Nowhere I just ask if
> As for the point to manuals, man iptables is usually in good shape.
Ok, I can read this, but I just wonder what is the difference and how can I
use connmark. Just marking connections for fun? What other use are they for?
connmark -
This module matches the netfilter mark field associated with a connection
mark -
This module matches the netfilter mark field associated with a packet
--
Regards
Vladislav Kurz
=== WebStep, s.r.o. (Ltd.) ========= a step to the Web ===
address: Mezirka 1, 602 00 Brno, CZ, tel: +420 548 214 711
=== www.webstep.net ======= vladislav.kurz@webstep.net ===
* Re: MARK and CONNMARK
2008-07-16 10:33 ` Vladislav Kurz
@ 2008-07-16 10:49 ` Pablo Neira Ayuso
2008-07-16 11:05 ` Vladislav Kurz
2008-07-16 15:09 ` Grant Taylor
1 sibling, 1 reply; 10+ messages in thread
From: Pablo Neira Ayuso @ 2008-07-16 10:49 UTC (permalink / raw)
To: Vladislav Kurz; +Cc: netfilter
Vladislav Kurz wrote:
>> As for the point to manuals, man iptables is usually in good shape.
>
> Ok, I can read this, but i just wonder what is the difference and how can I
> use connmark. Just marking connections for fun? What other use they are for?
>
> connmark -
> This module matches the netfilter mark field associated with a connection
>
> mark -
> This module matches the netfilter mark field associated with a packet
Probably this can be a nice kick off.
http://home.regit.org/?page_id=7
--
"The honest are social misfits" -- Les Luthiers
* Re: MARK and CONNMARK
2008-07-16 10:49 ` Pablo Neira Ayuso
@ 2008-07-16 11:05 ` Vladislav Kurz
0 siblings, 0 replies; 10+ messages in thread
From: Vladislav Kurz @ 2008-07-16 11:05 UTC (permalink / raw)
To: netfilter; +Cc: Pablo Neira Ayuso
On Wednesday 16 of July 2008, Pablo Neira Ayuso wrote:
> Vladislav Kurz wrote:
> >> As for the point to manuals, man iptables is usually in good shape.
> >
> > Ok, I can read this, but i just wonder what is the difference and how can
> > I use connmark. Just marking connections for fun? What other use they are
> > for?
> >
> > connmark -
> > This module matches the netfilter mark field associated with a connection
> >
> > mark -
> > This module matches the netfilter mark field associated with a packet
>
> Probably this can be a nice kick off.
>
> http://home.regit.org/?page_id=7
Thanks, that's the kind of info I was looking for.
--
Regards
Vladislav Kurz
* Re: MARK and CONNMARK
2008-07-16 10:33 ` Vladislav Kurz
2008-07-16 10:49 ` Pablo Neira Ayuso
@ 2008-07-16 15:09 ` Grant Taylor
2008-07-17 6:56 ` Brian Austin
1 sibling, 1 reply; 10+ messages in thread
From: Grant Taylor @ 2008-07-16 15:09 UTC (permalink / raw)
To: Mail List - Netfilter
On 07/16/08 05:33, Vladislav Kurz wrote:
> Ok, I can read this, but i just wonder what is the difference and how
> can I use connmark. Just marking connections for fun? What other use
> they are for?
The first thing that you need to realize about MARK is that it is only
good while the packets are in the kernel. This means that the mark is
only retained from the point the packet comes in an interface and goes
out an interface or goes out to a local process. Said another way is
when a packet comes in, gets marked and goes out and the reply comes
back in the mark is no longer there (because from the firewall's point of
view the reply is a completely different packet).
This is where CONNMARK comes in to play. CONNMARK is actually not used
to filter so much as it is used to remember a given packet's mark across
different packets. To re-use the above analogy you would check to see
if there is a CONNMARK associated with a packet and if there is use it
to set the MARK. If the MARK has not been set (no stored CONNMARK) you
would set it yourself. Before the packet leaves the system you would
store the MARK to the CONNMARK for later use.
Think of MARK as simple stateless filtering and CONNMARK as the state
that is stored across packets.
Does that help?
Grant. . . .
* Re: MARK and CONNMARK
2008-07-16 15:09 ` Grant Taylor
@ 2008-07-17 6:56 ` Brian Austin
2008-07-17 7:17 ` Jan Engelhardt
0 siblings, 1 reply; 10+ messages in thread
From: Brian Austin @ 2008-07-17 6:56 UTC (permalink / raw)
Cc: Mail List - Netfilter
Hi,
sorry to hijack the thread a little bit... Just say I want to mark the
connections based on the network they are coming from/going to... does
this look appropriate?
eth19 and eth20 are connected to adsl modems and hence the internet.
eth41 is the local lan.
maybe it helps answer the question, what use is conntrack...
#first line in prerouting pulls out existing mark on the connection for the packet
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
#check to see if there is a mark now, if so accept
iptables -t mangle -A PREROUTING -m mark --mark 1 -j ACCEPT
iptables -t mangle -A PREROUTING -m mark --mark 2 -j ACCEPT
#else we need to add a mark
#mark incoming from eth19
iptables -t mangle -A PREROUTING -d 192.168.19.253 -j MARK --set-mark 1
#mark incoming from eth20
iptables -t mangle -A PREROUTING -d 192.168.20.253 -j MARK --set-mark 2
#save the mark for future packets
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
#outgoing on eth41, the local interface, no marks required so accept.
iptables -t mangle -A POSTROUTING -o eth41 -j ACCEPT
#check if the connection is already marked
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
#accept marked packets
iptables -t mangle -A POSTROUTING -m mark --mark 1 -j ACCEPT
iptables -t mangle -A POSTROUTING -m mark --mark 2 -j ACCEPT
#else we want to set the markings for the connection
#on outgoing connection via eth19 = wan1 we set the mark 1
iptables -t mangle -A POSTROUTING -d 192.168.19.253 -j MARK --set-mark 1
#on outgoing connection via eth20 = wan2 we set the mark 2
iptables -t mangle -A POSTROUTING -d 192.168.20.253 -j MARK --set-mark 2
#save the mark for future packets from this connection
#iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
now to have some rules to act on the marks
ip rule add fwmark 1 table 101
ip rule add fwmark 2 table 102
and finally some route tables - 101 and 102
#iinet network interface
#we want to have rules for each packet that can be encountered in this table
#local interfaces
ip route add default via 192.168.19.254 dev eth19 table 101
ip route add 192.168.41.0/24 dev eth41 table 101
#no need for openvpn to get caught up in these tables
#isp services
ip route add 203.0.178.0/24 via 192.168.19.254 dev eth19 table 101
#tpg network interface
#we want to have rules for each packet that can be encountered in this table
#local interfaces
ip route add default via 192.168.20.254 dev eth20 table 102
ip route add 192.168.41.0/24 dev eth41 table 102
#no need for openvpn to get caught up in these tables
#ISP services
ip route add 203.12.160.0/24 via 192.168.20.254 dev eth20 table 102
#internal networks
the grand plan is to route packets back out the wan connection the
conversation was started from, for email server incoming connections, as
well as maintaining the routes for outgoing connections from the local
lan PCs.
#the magic dual wan gateway route command
ip route add default nexthop via 192.168.19.254 dev eth19 weight 1 \
nexthop via 192.168.20.254 dev eth20 weight 1
#some dodgy settings
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward
ip route flush cache
regards
Brian
-----Original Message -----
From: Grant Taylor
Sent: 17/07/2008 1:09 AM
> On 07/16/08 05:33, Vladislav Kurz wrote:
>> Ok, I can read this, but i just wonder what is the difference and how
>> can I use connmark. Just marking connections for fun? What other use
>> they are for?
>
> The first thing that you need to realize about MARK is that it is only
> good while the packets are in the kernel. This means that the mark is
> only retained from the point the packet comes in an interface and goes
> out an interface or goes out to a local process. Said another way is
> when a packet comes in, gets marked and goes out and the reply comes
> back in the mark is no longer there (because from the firewall's point
> of view the reply is a completely different packet).
>
> This is where CONNMARK comes in to play. CONNMARK is actually not
> used to filter so much as it is used to remember a given packet's mark
> across different packets. To re-use the above analogy you would check
> to see if there is a CONNMARK associated with a packet and if there is
> use it to set the MARK. If the MARK has not been set (no stored
> CONNMARK) you would set it yourself. Before the packet leaves the
> system you would store the MARK to the CONNMARK for later use.
>
> Think of MARK as simple stateless filtering and CONNMARK as the state
> that is stored across packets.
>
> Does that help?
>
>
>
> Grant. . . .
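As an added illustration (not code from the thread or from netfilter), the following simulates the restore-mark / set-mark / save-mark sequence Grant describes and Brian's PREROUTING chain implements: a per-packet mark is forgotten once the packet leaves, while the connection mark survives into the reply. The conntrack table is a plain dict, the WAN addresses come from Brian's rules, and the remote address 198.51.100.7 is constructed.

```python
from dataclasses import dataclass

# Addresses and mark values taken from Brian's PREROUTING rules.
WAN_ADDRS = {"192.168.19.253": 1, "192.168.20.253": 2}


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    mark: int = 0  # per-packet field: it does not survive the packet itself


def flow_key(p):
    # Both directions of a connection map to one conntrack entry.
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


class Mangle:
    """Simulated mangle PREROUTING chain (constructed, not the kernel)."""

    def __init__(self):
        self.conntrack = {}  # flow_key -> connmark, kept across packets

    def prerouting(self, p):
        # -j CONNMARK --restore-mark: copy the connection's mark to the packet
        p.mark = self.conntrack.get(flow_key(p), 0)
        # -m mark --mark 1/2 -j ACCEPT: already known, nothing more to do
        if p.mark in (1, 2):
            return p.mark
        # -d 192.168.19.253 -j MARK --set-mark 1, -d 192.168.20.253 ... 2
        p.mark = WAN_ADDRS.get(p.dst, 0)
        # -j CONNMARK --save-mark: remember it for later packets of this flow
        self.conntrack[flow_key(p)] = p.mark
        return p.mark


def stateless_mark(p):
    # MARK alone: only this packet's own addresses decide, nothing is recalled.
    return WAN_ADDRS.get(p.dst, 0)


def run_demo():
    fw = Mangle()
    # Constructed: inbound SMTP via the eth19 modem, then the reply coming back.
    inbound = Packet("198.51.100.7", "192.168.19.253", 40000, 25)
    reply = Packet("192.168.19.253", "198.51.100.7", 25, 40000)
    return {
        "inbound": fw.prerouting(inbound),        # 1: set from the WAN address and saved
        "reply": fw.prerouting(reply),            # 1: restored from the connection
        "reply_stateless": stateless_mark(reply), # 0: MARK alone has forgotten
        "conntrack_entries": len(fw.conntrack),
    }
```

The reply's destination matches no WAN address, so without the saved connection mark it would get mark 0 and fall through to the default multipath route instead of table 101.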
* Re: MARK and CONNMARK
2008-07-17 6:56 ` Brian Austin
@ 2008-07-17 7:17 ` Jan Engelhardt
2008-07-18 14:32 ` Brian
0 siblings, 1 reply; 10+ messages in thread
From: Jan Engelhardt @ 2008-07-17 7:17 UTC (permalink / raw)
To: Brian Austin; +Cc: Mail List - Netfilter
On Thursday 2008-07-17 08:56, Brian Austin wrote:
> Hi,
>
> sorry to hijack the thread a little bit... Just say I want to mark the
> connections based on the network they are coming from/going to... does this
> look appropriate?
See http://dev.medozas.de/NF-Cookbook.txt (item 5) for a cooked
approach.
* Re: MARK and CONNMARK
2008-07-17 7:17 ` Jan Engelhardt
@ 2008-07-18 14:32 ` Brian
2008-07-18 15:08 ` Grant Taylor
0 siblings, 1 reply; 10+ messages in thread
From: Brian @ 2008-07-18 14:32 UTC (permalink / raw)
Cc: Mail List - Netfilter
still I am having some unexpected results
if I do
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -m mark --mark 3 -j ACCEPT
iptables -t mangle -A POSTROUTING -o eth41 -j MARK --set-mark 3
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
then
iptables -t mangle --list
yields
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
CONNMARK 0 -- anywhere anywhere CONNMARK restore
ACCEPT 0 -- anywhere anywhere MARK match 0x3
MARK 0 -- anywhere anywhere MARK set 0x3
CONNMARK 0 -- anywhere anywhere CONNMARK save
so it looks like it is ignoring the -o eth41 in the mark statement. It
appears to be working right, but looks not right...
how can I see the -o eth41 in the iptables -t mangle --list command or
can I not
regards
Brian
Jan Engelhardt wrote:
> On Thursday 2008-07-17 08:56, Brian Austin wrote:
>
>
>> Hi,
>>
>> sorry to hijack the thread a little bit... Just say I want to mark the
>> connections based on the network they are coming from/going to... does this
>> look appropriate?
>>
>
> See http://dev.medozas.de/NF-Cookbook.txt (item 5) for a cooked
> approach.
>
* Re: MARK and CONNMARK
2008-07-18 14:32 ` Brian
@ 2008-07-18 15:08 ` Grant Taylor
0 siblings, 0 replies; 10+ messages in thread
From: Grant Taylor @ 2008-07-18 15:08 UTC (permalink / raw)
To: Mail List - Netfilter
On 07/18/08 09:32, Brian wrote:
> iptables -t mangle --list
> yields
...
> so it looks like it is ignoring the -o eth41 in the mark statement. It
> appears to be working right, but looks not right...
>
> how can I see the -o eth41 in the iptables -t mangle --list command or
> can I not
Add a "--verbose" (long) or "-v" (short) to the end of your command.
iptables -t mangle --list --verbose
Grant. . . .