Hello,

I can't understand clearly how packets traverse the mangle table under iptables (kernel 2.4.18). I would like to match all ACK and SYN packets. There are local services and masquerading. So, I wrote such filters:

    iptables -t mangle -A OUTPUT -o $PPP -p tcp -m tcp --tcp-flags SYN SYN -j MARK --set-mark=200
    iptables -t mangle -A INPUT -p tcp -m tcp --tcp-flags SYN SYN -j MARK --set-mark=200
    iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN SYN -j MARK --set-mark=200
    iptables -t mangle -A OUTPUT -o $PPP -p tcp -m tcp --tcp-flags ACK ACK -j MARK --set-mark=200
    iptables -t mangle -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j MARK --set-mark=200
    iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags ACK ACK -j MARK --set-mark=200

iptables -L -v -t mangle shows me:

########################
Chain PREROUTING (policy ACCEPT 8643 packets, 1826K bytes)
 pkts bytes target  prot opt in    out   source          destination
    5   300 MARK    tcp  --  any   any   anywhere        anywhere        tcp flags:SYN/SYN MARK set 0xc8
 1263  215K MARK    tcp  --  any   any   anywhere        anywhere        tcp flags:ACK/ACK MARK set 0xc8
   15  2610 MARK    udp  --  eth0  any   anywhere        anywhere        udp spt:domain MARK set 0xc8
    0     0 MARK    udp  --  any   any   anywhere        anywhere        udp dpt:domain MARK set 0xc8
 1985  283K IMQ     all  --  eth0  any   anywhere        anywhere        IMQ: todev 0

Chain INPUT (policy ACCEPT 8643 packets, 1826K bytes)
 pkts bytes target  prot opt in    out   source          destination
    5   300 MARK    tcp  --  any   any   anywhere        anywhere        tcp flags:SYN/SYN MARK set 0xc8
 1263  215K MARK    tcp  --  any   any   anywhere        anywhere        tcp flags:ACK/ACK MARK set 0xc8
    0     0 MARK    tcp  --  eth0  any   proxy.takas.lt  anywhere        tcp spt:webcache MARK set 0x12c
    0     0 MARK    tcp  --  eth0  any   anywhere        anywhere        tcp spt:www MARK set 0x12c
   15  2610 MARK    udp  --  eth0  any   anywhere        anywhere        udp spt:domain MARK set 0xc8

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target  prot opt in    out   source          destination

Chain OUTPUT (policy ACCEPT 4513 packets, 373K bytes)
 pkts bytes target  prot opt in    out   source          destination
    5   300 MARK    tcp  --  any   eth0  anywhere        anywhere        tcp flags:SYN/SYN MARK set 0xc8
 1843  155K MARK    tcp  --  any   eth0  anywhere        anywhere        tcp flags:ACK/ACK MARK set 0xc8
    0     0 MARK    tcp  --  any   eth0  anywhere        proxy.takas.lt  tcp dpt:webcache MARK set 0x12c
    0     0 MARK    tcp  --  any   eth0  anywhere        proxy.takas.lt  tcp dpt:www MARK set 0x12c
   15  1050 MARK    udp  --  any   any   anywhere        anywhere        udp dpt:domain MARK set 0xc8

Chain POSTROUTING (policy ACCEPT 4600 packets, 383K bytes)
 pkts bytes target  prot opt in    out   source          destination
#####################

I noticed that the SYN packet count is the same on all of the chains. ACK is the same on PREROUTING and INPUT. So, what is the scheme?

By the way, what happens when packets enter the IMQ target? Logically, it is queued in the imq0 device and traverses all filters as a new packet, isn't it?

Bye,
Tadas