LARTC - Feb 2007 - Marks not working...

Hi,

I am experimenting a little bit with my firewall and I don''t seem to
get
my head round marks ...

I try to mark p2p packets generated on the firewall in the output chain
and then try to match that mark either in NAT OUTPUT or POSTROUTING

I don''t seem to get the expected result. 

Any help or clue would be more than welcome.


root@droopy:~/firewall > iptables-view -t mangle
Chain PREROUTING (policy ACCEPT 33890 packets, 16M bytes) num   pkts bytes
target     prot opt in     out     source destination

Chain INPUT (policy ACCEPT 24751 packets, 12M bytes) num   pkts bytes target    
prot opt in     out     source destination

Chain FORWARD (policy ACCEPT 9146 packets, 4557K bytes) num   pkts bytes target 
prot opt in     out     source destination

Chain OUTPUT (policy ACCEPT 59M packets, 61G bytes) num   pkts bytes target    
prot opt in     out     source destination
1        3   324 LOG        0    --  *      *       0.0.0.0/0 0.0.0.0/0         
ipp2p v0.8.2 --ipp2p LOG flags 0 level 4 prefix ` OUT IPP2P ''
2        3   324 MARK       0    --  *      *       0.0.0.0/0 0.0.0.0/0         
ipp2p v0.8.2 --ipp2p MARK set 0x2

Chain POSTROUTING (policy ACCEPT 32911 packets, 7397K bytes) num   pkts bytes
target     prot opt in     out     source destination
root@droopy:~/firewall > iptables-view -t nat
Chain PREROUTING (policy ACCEPT 973 packets, 62249 bytes) num   pkts bytes
target     prot opt in     out     source destination

Chain POSTROUTING (policy ACCEPT 227 packets, 14178 bytes) num   pkts bytes
target     prot opt in     out     source destination
1        0     0 LOG        0    --  *      *       0.0.0.0/0 0.0.0.0/0         
MARK match 0x2 LOG flags 0 level 4 prefix ` MARK IPP2P ''

Chain OUTPUT (policy ACCEPT 226 packets, 14172 bytes) num   pkts bytes target   
prot opt in     out     source destination`
1        0     0 LOG        0    --  *      *       0.0.0.0/0 0.0.0.0/0         
MARK match 0x2 LOG flags 0 level 4 prefix ` MARK IPP2P ''

T o M

Are you using your firewall as a router, ie is the p2p traffic coming
from another PC through the firewall?

If so, I think your rules need to go in the FORWARD chain not in the
OUTPUT chain.

Another thing to remember is that ipp2p is not 100% reliable at
matching. Have you tried something simpler first such as matching on
source address?

Andy Beverley


On Sat, 2007-02-03 at 01:44 +0000, tomdeb wrote:
> Hi,
> 
> I am experimenting a little bit with my firewall and I don''t seem
to get
> my head round marks ...
> 
> I try to mark p2p packets generated on the firewall in the output chain
> and then try to match that mark either in NAT OUTPUT or POSTROUTING
> 
> I don''t seem to get the expected result. 
> 
> Any help or clue would be more than welcome.
> 
> 
> root@droopy:~/firewall > iptables-view -t mangle
> Chain PREROUTING (policy ACCEPT 33890 packets, 16M bytes) num   pkts bytes
target     prot opt in     out     source destination
> 
> Chain INPUT (policy ACCEPT 24751 packets, 12M bytes) num   pkts bytes
target     prot opt in     out     source destination
> 
> Chain FORWARD (policy ACCEPT 9146 packets, 4557K bytes) num   pkts bytes
target     prot opt in     out     source destination
> 
> Chain OUTPUT (policy ACCEPT 59M packets, 61G bytes) num   pkts bytes target
prot opt in     out     source destination
> 1        3   324 LOG        0    --  *      *       0.0.0.0/0 0.0.0.0/0    
ipp2p v0.8.2 --ipp2p LOG flags 0 level 4 prefix ` OUT IPP2P ''
> 2        3   324 MARK       0    --  *      *       0.0.0.0/0 0.0.0.0/0    
ipp2p v0.8.2 --ipp2p MARK set 0x2
> 
> Chain POSTROUTING (policy ACCEPT 32911 packets, 7397K bytes) num   pkts
bytes target     prot opt in     out     source destination
> root@droopy:~/firewall > iptables-view -t nat
> Chain PREROUTING (policy ACCEPT 973 packets, 62249 bytes) num   pkts bytes
target     prot opt in     out     source destination
> 
> Chain POSTROUTING (policy ACCEPT 227 packets, 14178 bytes) num   pkts bytes
target     prot opt in     out     source destination
> 1        0     0 LOG        0    --  *      *       0.0.0.0/0 0.0.0.0/0    
MARK match 0x2 LOG flags 0 level 4 prefix ` MARK IPP2P ''
> 
> Chain OUTPUT (policy ACCEPT 226 packets, 14172 bytes) num   pkts bytes
target     prot opt in     out     source destination`
> 1        0     0 LOG        0    --  *      *       0.0.0.0/0 0.0.0.0/0    
MARK match 0x2 LOG flags 0 level 4 prefix ` MARK IPP2P ''
> 
> T o M
> 
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc