* Question about marking traffic.
From: mortar @ 2004-06-28 16:17 UTC (permalink / raw)
To: netfilter
Hi
I marked a few types of traffic:
$IPTABLES -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
$IPTABLES -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT
$IPTABLES -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark $P2P
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 21 -j MARK --set-mark $FTP
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark $WWW
$IPTABLES -t mangle -A PREROUTING -p tcp -j CONNMARK --save-mark
With the rules below I can count traffic of these types:
$IPTABLES -t mangle -A POSTROUTING -m mark --mark $P2P -j ACCEPT
$IPTABLES -t mangle -A POSTROUTING -m mark --mark $FTP -j ACCEPT
$IPTABLES -t mangle -A POSTROUTING -m mark --mark $WWW -j ACCEPT
But I want to count all other traffic, not marked with the marks $P2P, $FTP,
$WWW, with a separate rule. How can I do that?
--
Regards
Marcin mailto:slacklist@op.pl
* Re: Question about marking traffic.
From: Antony Stone @ 2004-06-28 16:31 UTC (permalink / raw)
To: netfilter
On Monday 28 June 2004 5:17 pm, mortar wrote:
> Hi
>
> I marked a few types of traffic:
>
> $IPTABLES -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
> $IPTABLES -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT
>
> $IPTABLES -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark $P2P
> $IPTABLES -t mangle -A PREROUTING -p tcp --dport 21 -j MARK --set-mark $FTP
> $IPTABLES -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark $WWW
>
> $IPTABLES -t mangle -A PREROUTING -p tcp -j CONNMARK --save-mark
>
>
> With the rules below I can count traffic of these types:
>
>
> $IPTABLES -t mangle -A POSTROUTING -m mark --mark $P2P -j ACCEPT
> $IPTABLES -t mangle -A POSTROUTING -m mark --mark $FTP -j ACCEPT
> $IPTABLES -t mangle -A POSTROUTING -m mark --mark $WWW -j ACCEPT
>
>
> But I want to count all other traffic, not marked with the marks $P2P, $FTP,
> $WWW, with a separate rule. How can I do that?
I believe unMARKed packets are the same as packets with MARK = 0
Therefore "$IPTABLES -t mangle -A POSTROUTING -m mark --mark 0" should count
the packets not marked with anything.
By the way, I suggest you remove the "-j ACCEPT" from the end of the lines in
your mangle table - that table should not be used for filtering actions
(that's what the filter table is for), and ACCEPT is a filtering action.
Rules without targets will still happily count packets for you.
Regards,
Antony.
--
Bill Gates has personally assured the Spanish Academy that he will never allow
the upside-down question mark to disappear from Microsoft word-processing
programs, which must be reassuring for millions of Spanish-speaking people,
though just a piddling afterthought as far as he's concerned.
- Lynne Truss, "Eats, Shoots and Leaves"
Please reply to the list;
please don't CC me.
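As an added example that is not part of the thread: a small Python script that reads the counters such target-less mangle rules accumulate, including the `-m mark --mark 0` catch-all rule Antony suggests. The listing below is a constructed sample in the shape of `iptables -t mangle -L POSTROUTING -v -n -x` output; the mark values (0x1, 0x2, 0x3 standing in for $P2P, $FTP, $WWW, whose numeric values the thread does not give) and all counts are invented.

```python
import re

# Constructed sample in the shape of `iptables -t mangle -L POSTROUTING -v -n -x`
# output for a chain whose rules carry no target and differ only in their mark
# match. Mark values (0x1 = P2P, 0x2 = FTP, 0x3 = WWW, 0x0 = unmarked) and all
# counts are invented for this example.
SAMPLE_LISTING = """\
Chain POSTROUTING (policy ACCEPT 1000 packets, 640000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     400     400000            all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x1
     100      50000            all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2
     300     150000            all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x3
     200      40000            all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0
"""

# Assumed names for the marks; in the thread these are the shell variables
# $P2P, $FTP and $WWW, whose numeric values are not given.
MARK_NAMES = {0x1: "P2P", 0x2: "FTP", 0x3: "WWW", 0x0: "other (unmarked)"}

# A rule line starts with the packet and byte counters; the mark match is
# printed as "mark match 0x..." (older iptables versions print "MARK match").
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s.*?\bmark match (0x[0-9a-f]+)", re.IGNORECASE)
POLICY_RE = re.compile(r"\(policy \w+ (\d+) packets, (\d+) bytes\)")


def parse_mark_counters(listing):
    """Return {mark: (packets, bytes)}, summing rules that match the same mark."""
    counters = {}
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        pkts, nbytes, mark = int(m.group(1)), int(m.group(2)), int(m.group(3), 16)
        p, b = counters.get(mark, (0, 0))
        counters[mark] = (p + pkts, b + nbytes)
    return counters


def unaccounted_bytes(listing):
    """Bytes that reached the chain policy but matched none of the mark rules.

    Because none of the rules has a target, every packet traverses the whole
    chain and is counted by the policy, so the policy counter is the grand
    total.  A positive result means some packets carry a mark that no rule
    (not even the mark-0 catch-all) accounts for.
    """
    m = POLICY_RE.search(listing)
    policy_bytes = int(m.group(2)) if m else 0
    return policy_bytes - sum(b for _, b in parse_mark_counters(listing).values())


def traffic_report(listing, names=MARK_NAMES):
    """Per-class packets, bytes and share of bytes, keyed by the mark's name."""
    counters = parse_mark_counters(listing)
    total = sum(b for _, b in counters.values())
    report = {}
    for mark, (pkts, nbytes) in counters.items():
        name = names.get(mark, "mark 0x%x" % mark)
        share = 100.0 * nbytes / total if total else 0.0
        report[name] = {"packets": pkts, "bytes": nbytes, "percent": round(share, 1)}
    return report


if __name__ == "__main__":
    for name, row in traffic_report(SAMPLE_LISTING).items():
        print("%-18s %8d pkts %10d bytes %5.1f%%"
              % (name, row["packets"], row["bytes"], row["percent"]))
    print("unaccounted bytes:", unaccounted_bytes(SAMPLE_LISTING))
```

The `unaccounted_bytes` check is the practical reason to keep the rules target-less: once a rule ends in `-j ACCEPT`, packets leave the chain early and the policy counter no longer equals the total, so a gap in the accounting (for instance a mark value that no rule matches) can no longer be spotted from the listing alone.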
* Re[2]: Question about marking traffic.
From: mortar @ 2004-06-28 20:50 UTC (permalink / raw)
To: Antony Stone
Hello
Monday, June 28, 2004, 6:31:40 PM, you wrote:
AS> I believe unMARKed packets are the same as packets with MARK = 0
And you are right :) Thanks.
AS> Rules without targets will still happily count packets for you.
Once again, thanks. :)
I have one more question. Maybe someone can help.
What about tracking connections on non-standard FTP ports (or HTTP), for
example 2121? How can I recognize them as FTP (or HTTP) connections
and properly mark them? I read about the layer7-filter project, but is it
necessary?
--
Regards
Marcin mailto:slacklist@op.pl
* Re: Re[2]: Question about marking traffic.
From: Antony Stone @ 2004-06-28 21:04 UTC (permalink / raw)
To: netfilter
On Monday 28 June 2004 9:50 pm, mortar wrote:
> I have one more question. Maybe someone can help.
>
> What about tracking connections on non-standard FTP ports (or HTTP), for
> example 2121? How can I recognize them as FTP (or HTTP) connections
> and properly mark them?
I would answer this "you can recognise them just the same as you can recognise
them on 'standard' ports 21/20 or 80" - in other words (with a packet filter)
you can't - you just have to assume that ports = services (not always a safe
assumption).
> I read about the layer7-filter project, but is it necessary?
Yes - if you want to know whether a traffic stream is HTTP (etc), you have to
look at OSI layer 7, because that's the only place HTTP means anything.
Netfilter works at OSI layers 3 & 4, therefore it can't identify what is HTTP
/ FTP / DNS etc - it can only guess.
Regards,
Antony.
--
"Reports that say that something hasn't happened are always interesting to me,
because as we know, there are known knowns; there are things we know we know.
We also know there are known unknowns; that is to say we know there are some
things we do not know. But there are also unknown unknowns - the ones we
don't know we don't know."
- Donald Rumsfeld, US Secretary of Defence
Please reply to the list;
please don't CC me.
* Re: Question about marking traffic.
From: Marco Colombo @ 2004-06-29 9:29 UTC (permalink / raw)
To: netfilter
Antony Stone wrote:
> On Monday 28 June 2004 9:50 pm, mortar wrote:
>
>
>>I have one more question. Maybe someone can help.
>>
>>What about tracking connections on non-standard FTP ports (or HTTP), for
>>example 2121? How can I recognize them as FTP (or HTTP) connections
>>and properly mark them?
>
>
> I would answer this "you can recognise them just the same as you can recognise
> them on 'standard' ports 21/20 or 80" - in other words (with a packet filter)
> you can't - you just have to assume that ports = services (not always a safe
> assumption).
>
>
>>I read about the layer7-filter project, but is it necessary?
>
>
> Yes - if you want to know whether a traffic stream is HTTP (etc), you have to
> look at OSI layer 7, because that's the only place HTTP means anything.
>
> Netfilter works at OSI layers 3 & 4, therefore it can't identify what is HTTP
> / FTP / DNS etc - it can only guess.
Not completely true, IMHO. conntrack modules look well above the TCP level
(OSI levels make little sense for the TCP/IP protocol suite, they simply
don't fit perfectly) otherwise they won't work. ip_conntrack_ftp does look
at the FTP protocol, and is able to recognise incoming (data) connections
as RELATED to the control one. But I don't know how to use such knowledge
to detect FTP running on non-standard ports, particularly in matching a
rule.
.TM.
--
Marco Colombo
Technical Manager
ESI s.r.l.
Colombo@ESI.it
* Re: Question about marking traffic.
From: Antony Stone @ 2004-06-30 20:09 UTC (permalink / raw)
To: netfilter
On Tuesday 29 June 2004 10:29 am, Marco Colombo wrote:
> Antony Stone wrote:
> >
> > Netfilter works at OSI layers 3 & 4, therefore it can't identify what is
> > HTTP / FTP / DNS etc - it can only guess.
>
> Not completely true, IMHO. conntrack modules look well above the TCP level
> (OSI levels make little sense for the TCP/IP protocol suite, they simply
> don't fit perfectly) otherwise they won't work. ip_conntrack_ftp does look
> at the FTP protocol, and is able to recognise incoming (data) connections
> as RELATED to the control one.
I agree with what you say, however the connection tracking helper modules such
as ip_conntrack_ftp look at such specific and restricted parts of the
application layer data that I wouldn't say they "work at that layer" in the
same sense that a proper proxy system does, for example.
> But I don't know how to use such knowledge
> to detect FTP running on non-standard ports, particularly in matching a
> rule.
Indeed, because that's not what netfilter's knowledge of the application layer
is for. There is also a "string" match within netfilter, which does look
(completely generically) inside the payload of the packet, however it has
sufficient restrictions and caveats regarding its effective use that again I
would not consider this to mean that netfilter effectively "works" at the
application layer.
Regards,
Antony.
--
Bill Gates has personally assured the Spanish Academy that he will never allow
the upside-down question mark to disappear from Microsoft word-processing
programs, which must be reassuring for millions of Spanish-speaking people,
though just a piddling afterthought as far as he's concerned.
- Lynne Truss, "Eats, Shoots and Leaves"
Please reply to the list;
please don't CC me.
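The point the last three messages circle around, that a port number only lets a layer-3/4 filter guess the service while an FTP conntrack helper parses just enough of the control channel to expect the data connection, as an added Python example that is not part of any message in the thread. The flows, the PORT command and the payload signatures below are constructed for the example (they are not the layer7-filter project's patterns), and `ftp_port_expectation` is a simplified imitation of what ip_conntrack_ftp derives, not its code.

```python
import re

# Port-based guess: all a layer-3/4 packet filter can do on its own.
PORT_SERVICES = {21: "ftp", 80: "http"}


def classify_by_port(dst_port):
    return PORT_SERVICES.get(dst_port, "unknown")


# Payload-based classification: looks at the first bytes each side sends.
# These signatures are assumptions for the example and only cover plaintext
# protocols; an encrypted stream matches neither.
HTTP_REQUEST_RE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
FTP_GREETING_RE = re.compile(rb"^220[ -]")   # "220-" opens a multi-line greeting


def classify_by_payload(client_first, server_first):
    if HTTP_REQUEST_RE.match(client_first):
        return "http"
    if FTP_GREETING_RE.match(server_first) and client_first.upper().startswith(b"USER "):
        return "ftp"
    return "unknown"


# Simplified imitation of what an FTP conntrack helper derives from an
# active-mode PORT command on the control channel: the address and port the
# server will connect to, so that data connection can be treated as RELATED.
PORT_CMD_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n", re.IGNORECASE)


def ftp_port_expectation(control_line):
    """Return (ip, port) the data connection is expected on, or None."""
    m = PORT_CMD_RE.match(control_line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):   # malformed PORT argument
        return None
    ip = "%d.%d.%d.%d" % tuple(fields[:4])
    return ip, fields[4] * 256 + fields[5]


# Constructed flows: name -> (dst_port, first client bytes, first server bytes).
SAMPLE_FLOWS = {
    "ftp-on-2121": (2121, b"USER anonymous\r\n", b"220 FTP server ready\r\n"),
    "http-on-8080": (8080, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n", b"HTTP/1.1 200 OK\r\n"),
    "tls-on-443": (443, b"\x16\x03\x01\x00\xc8\x01\x00", b"\x16\x03\x03\x00\x5a\x02\x00"),
}


def compare_classifiers(flows=SAMPLE_FLOWS):
    """{flow name: (port-based verdict, payload-based verdict)}."""
    return {name: (classify_by_port(port), classify_by_payload(c, s))
            for name, (port, c, s) in flows.items()}


if __name__ == "__main__":
    for name, verdicts in compare_classifiers().items():
        print("%-13s port-based=%-8s payload-based=%s" % ((name,) + verdicts))
    print("expected data connection:", ftp_port_expectation(b"PORT 192,168,1,10,7,209\r\n"))
```

The FTP flow on port 2121 is "unknown" to the port table and "ftp" to the payload check, the TLS flow is opaque to both, and the PORT parser shows the narrow slice of application data a helper actually reads. The kernel helper itself only parses control connections on the ports it was loaded for (the `ports=` module parameter of ip_conntrack_ftp), so it can be pointed at 2121 for the RELATED-data-connection purpose, but classifying the traffic for marking still needs payload inspection of the layer7-filter kind, with the caveats Antony describes.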