Hi!

If I have the ftp connection tracking module compiled in, how do I match ftp packets? (I know ftp connections are tracked, but I want to match them to count the traffic / shape it, etc.)

You can obviously match active and passive ftp traffic as follows:

  iptables -A FORWARD -s $net -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED
  iptables -A FORWARD -d $net -p tcp --sport 21 -m state --state ESTABLISHED,RELATED

and for active ftp:

  iptables -A FORWARD -s $net -p tcp --dport 20 -m state --state ESTABLISHED
  iptables -A FORWARD -d $net -p tcp --sport 20 -m state --state ESTABLISHED,RELATED

and for passive ftp:

  iptables -A FORWARD -s $net -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED
  iptables -A FORWARD -d $net -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED

where $net is the network which is making the connection.

The problem is that the passive ftp rules will also match traffic from other protocols which use ports higher than 1024. Is there no way I can match traffic which is matched by a certain connection tracking module (and only that module), e.g.

  iptables -A FORWARD -s $net -m conntrack --proto ftp
  iptables -A FORWARD -s $net -m conntrack --proto irc
  iptables -A FORWARD -s $net -m conntrack --proto h323

etc.

-- 
Regards
 Abraham

I'm having BEAUTIFUL THOUGHTS about the INSIPID WIVES of smug and wealthy CORPORATE LAWYERS ...

___________________________________________________
 Abraham vd Merwe - Frogfoot Networks CC
 9 Kinnaird Court, 33 Main Street, Newlands, 7700
 Phone: +27 21 686 1674  Cell: +27 82 565 4451
 Http: http://www.frogfoot.net/  Email: abz@frogfoot.net
On Wed, 2003-03-12 at 15:18, Abraham van der Merwe wrote:
> iptables -A FORWARD -s $net -m conntrack --proto ftp
> iptables -A FORWARD -s $net -m conntrack --proto irc
> iptables -A FORWARD -s $net -m conntrack --proto h323

To do so you can use the connmark module (from iptables pom): the mark of the packet is given following the conntrack. It's a bit tricky to use (you have to restore the mark) but it does the job.

-- 
Eric Leblond <eric@regit.org>
Regit.org
On 12 Mar 2003, Eric Leblond wrote:
> On Wed, 2003-03-12 at 15:18, Abraham van der Merwe wrote:
> > iptables -A FORWARD -s $net -m conntrack --proto ftp
> > iptables -A FORWARD -s $net -m conntrack --proto irc
> > iptables -A FORWARD -s $net -m conntrack --proto h323
>
> To do so you can use the connmark module (from iptables pom): the mark
> of the packet is given following the conntrack. It's a bit tricky to use
> (you have to restore the mark) but it does the job.

This also interests me. Is there any HOWTO or URL to shed light on this?

Ethy H. Brito
InterNexo Ltda.
(012) 3941-6860
Sao Jose dos Campos
ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
Hi Eric!

> > iptables -A FORWARD -s $net -m conntrack --proto ftp
> > iptables -A FORWARD -s $net -m conntrack --proto irc
> > iptables -A FORWARD -s $net -m conntrack --proto h323
>
> To do so you can use the connmark module (from iptables pom): the mark
> of the packet is given following the conntrack. It's a bit tricky to use
> (you have to restore the mark) but it does the job.

I take it you are talking about the connmark match. I don't see how you can use that to keep track of the connection. All you can do is match/change packets with a certain mark value. But how do you know what mark value is assigned to packets matched by a specific connection tracking module? For example, let's say I wanted to match h323 packets. How would I know what MARK value to use?

-- 
Regards
 Abraham

Children are like cats, they can tell when you don't like them. That's when they come over and violate your body space.

___________________________________________________
 Abraham vd Merwe - Frogfoot Networks CC
On Wed 12/03/2003 at 22:25, Abraham van der Merwe wrote:
> For example,
> let's say I wanted to match h323 packets. How would I know what MARK value
> to use?

Because we let the conntrack do the job for us. It sets the mark almost by itself, using information given by the module.

I wrote a very little howto: http://home.regit.org/connmark.html

BR,
-- 
Eric Leblond <eric@regit.org>
On Sat 15/03/2003 at 21:18, Manuel Samper wrote:
> Eric Leblond, on Wednesday, Mar 12 2003 at 16:03, wrote:
> so, why is the "--restore-mark/--save-mark" needed? I guess that the tc
> filters (e.g. fwmark) can only see/manage the packets marked by the mark
> module and not by connmark, is that correct?

Yes, it is a different mark. Thus you need to restore it to have a standard fwmark. (By the way, it's in the mini-howto.)

> Is there any better documentation/examples?

I don't think so for the moment. I did not find anything about this patch and I had to experiment to find out how it works.

-- 
Eric Leblond <eric@regit.org>
On 15 Mar 2003 22:12:31 +0100 Eric Leblond <eric@regit.org> wrote:
> On Sat 15/03/2003 at 21:18, Manuel Samper wrote:
> > Eric Leblond, on Wednesday, Mar 12 2003 at 16:03, wrote:
> > so, why is the "--restore-mark/--save-mark" needed? I guess that
> > the tc filters (e.g. fwmark) can only see/manage the packets marked
> > by the mark module and not by connmark, is that correct?

This restoring, shouldn't it be done in the PREROUTING chain instead of POSTROUTING as pointed out in your mini HOWTO, or does it make no difference?

-- 
Ethy H. Brito
InterNexo Ltda.
+55 (12) 3941-6860
S.J.Campos - Brasil
ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
Ethy H. Brito, on Monday, Mar 17 2003 at 21:17, wrote:
> On 15 Mar 2003 22:12:31 +0100
> Eric Leblond <eric@regit.org> wrote:
> > On Sat 15/03/2003 at 21:18, Manuel Samper wrote:
> > > Eric Leblond, on Wednesday, Mar 12 2003 at 16:03, wrote:
> > > so, why is the "--restore-mark/--save-mark" needed? I guess that
> > > the tc filters (e.g. fwmark) can only see/manage the packets marked
> > > by the mark module and not by connmark, is that correct?
>
> This restoring, shouldn't it be done in the PREROUTING chain instead of
> POSTROUTING as pointed out in your mini HOWTO, or does it make no difference?

I'm wondering the same, and still need to do some testing (but I have a version problem between iptables-tools/kernel that prevents me from using CONNMARK).
On Mon 17/03/2003 at 21:30, Manuel Samper wrote:
> Ethy H. Brito, on Monday, Mar 17 2003 at 21:17, wrote:
> > This restoring, shouldn't it be done in the PREROUTING chain instead of
> > POSTROUTING as pointed out in your mini HOWTO, or does it make no difference?

It all depends on whether you use an ingress policy. If you're doing only egress then restoring only in POSTROUTING is not a problem. But if you're doing ingress you can take advantage of restoring the mark in PREROUTING.

Thanks for pointing this out, I have added it to the mini-howto.

-- 
Eric Leblond <eric@regit.org>
On Thu, 2003-03-13 at 08:50, Eric Leblond wrote:
> On Wed 12/03/2003 at 22:25, Abraham van der Merwe wrote:
> I wrote a very little howto:
> http://home.regit.org/connmark.html

I just rewrote the mini-howto because I found a better way to do the thing. The code is now the following:

  iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
  iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
  iptables -t mangle -A POSTROUTING -m mark --mark 0 -p tcp --dport 21 -j MARK --set-mark 1
  iptables -t mangle -A POSTROUTING -m mark --mark 0 -p tcp --dport 80 -j MARK --set-mark 2
  iptables -t mangle -A POSTROUTING -m mark --mark 0 -p tcp -j MARK --set-mark 3
  iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

It uses save-mark to convert the fwmark into a connmark, so all the packets of the connection get the corresponding mark. More explanation on the site.

-- 
Eric Leblond <eric@regit.org>
Regit.org
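Eric's restore/classify/save pattern above, extended as an added example (not from the thread or the mini-howto) to the FTP data channels that opened this thread: instead of guessing ports above 1024, the data connection is recognised through the ftp conntrack helper with the helper match, and the restore is done in PREROUTING so ingress shaping sees the mark as well. It assumes iptables with the mangle table, the CONNMARK target, the mark and helper matches (xt_helper, which postdates the 2003 pom) and the ftp conntrack helper loaded; the mark values and the IPT variable are this example's own, and IPT=echo gives a dry run.

```shell
#!/bin/sh
# Added example: one fwmark per forwarded connection via CONNMARK, with FTP
# data channels classified by conntrack helper rather than by port range.
# Assumption: mangle table, CONNMARK, "-m mark", "-m helper" and the ftp
# conntrack helper are available. IPT=echo only prints the rules.
IPT="${IPT:-iptables}"

# Mark values chosen for this example (0 = not yet classified, as in Eric's howto)
MARK_FTP=1
MARK_WEB=2
MARK_OTHER=3

connmark_classify() {
    # Restore the connection mark onto each packet first. Doing this in
    # PREROUTING rather than only POSTROUTING lets ingress shaping use it too.
    $IPT -t mangle -A PREROUTING -j CONNMARK --restore-mark
    # Connection already classified: nothing more to do for this packet.
    $IPT -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    # FTP control channel: the first packet to port 21 decides the mark.
    $IPT -t mangle -A PREROUTING -m mark --mark 0 -p tcp --dport 21 \
        -j MARK --set-mark "$MARK_FTP"
    # FTP data channels (active or passive): matched because the ftp helper
    # expected them, so unrelated traffic on ports above 1024 is not caught.
    # Current kernels also copy the control connection's mark to the expected
    # data connection; this rule keeps the classification explicit.
    $IPT -t mangle -A PREROUTING -m mark --mark 0 -m helper --helper ftp \
        -j MARK --set-mark "$MARK_FTP"
    $IPT -t mangle -A PREROUTING -m mark --mark 0 -p tcp --dport 80 \
        -j MARK --set-mark "$MARK_WEB"
    $IPT -t mangle -A PREROUTING -m mark --mark 0 -j MARK --set-mark "$MARK_OTHER"
    # Copy the packet mark back to the connection so later packets of the
    # same connection, in both directions, skip the classification above.
    $IPT -t mangle -A PREROUTING -j CONNMARK --save-mark
}

# Run as "sh script.sh apply" (as root) to load the rules; with no argument
# only the function is defined, which is what a dry-run test needs.
case "${1:-}" in apply) connmark_classify ;; esac
```

The tc side then filters on the restored fwmark as usual (e.g. the fw classifier on handle 1 for FTP), which is exactly the standard mark Eric says you need the restore for.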
After taking a look at the information available on this I was a little confused, so I'm posting my working configuration with a little bit of explanation. It avoids use of restore-mark, which was causing me trouble as I am using marking for QoS and routing control. I hope this is helpful.

In my setup I have an FTP proxy on my firewall and I wanted to catch downloaded ftp traffic for QoS.

  # Location of iptables
  IPTABLES=/sbin/iptables
  # Device facing the internet
  EXTDEV=eth1
  # uid of user that proxy runs as
  FTP_PROXY=500
  # All networks that are not local (negated address in the old "-d ! addr" form;
  # expanded unquoted below so it becomes two arguments)
  EXTERNAL="! 192.168.0.0/16"
  # Marks for outgoing and incoming ftp proxy traffic
  FTP_PROXY_TO_INTERNET=0x20
  INTERNET_TO_FTP_PROXY=0x21

  # Firstly I mark traffic from my proxy to the internet
  $IPTABLES -t mangle -A OUTPUT -o $EXTDEV -m owner --uid-owner $FTP_PROXY -d $EXTERNAL -j MARK --set-mark $FTP_PROXY_TO_INTERNET
  $IPTABLES -t mangle -A OUTPUT -o $EXTDEV -p TCP -d $EXTERNAL --dport 21 -j MARK --set-mark $FTP_PROXY_TO_INTERNET
  # Next I save the iptables mark to the connection tracking mark, but only if the iptables mark is ftp proxy to internet
  $IPTABLES -t mangle -A POSTROUTING -o $EXTDEV -m mark --mark $FTP_PROXY_TO_INTERNET -j CONNMARK --save-mark
  # Now we look for the connmark on incoming traffic and manually mark it as incoming with the iptables mark;
  # restoring the mark would give the same mark for outgoing and incoming, but that might not be a problem for you.
  $IPTABLES -t mangle -A PREROUTING -i $EXTDEV -m connmark --mark $FTP_PROXY_TO_INTERNET -j MARK --set-mark $INTERNET_TO_FTP_PROXY

_____________________________________________________________
David Watson, Network Manager, Team17 Software Ltd.
Phone: +44-1924-267776  Fax: +44-1924-267658
_____________________________________________________________