[LARTC] iptables mangle table

Linux Advanced Routing and Traffic Control

Hello,

I can't clearly understand how packets traverse the mangle table under
iptables (kernel 2.4.18). I would like to match all ACK and SYN packets. There are local
services and masquerading. So, I wrote such filters:

iptables -t mangle -A OUTPUT -o $PPP -p tcp -m tcp --tcp-flags SYN SYN -j MARK --set-mark=200
iptables -t mangle -A INPUT -p tcp -m tcp --tcp-flags SYN SYN -j MARK --set-mark=200
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN SYN -j MARK --set-mark=200

iptables -t mangle -A OUTPUT -o $PPP -p tcp -m tcp --tcp-flags ACK ACK -j MARK --set-mark=200
iptables -t mangle -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j MARK --set-mark=200
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags ACK ACK -j MARK --set-mark=200


iptables -L -v -t mangle shows me:
########################
Chain PREROUTING (policy ACCEPT 8643 packets, 1826K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    5   300 MARK       tcp  --  any    any     anywhere             anywhere           tcp flags:SYN/SYN MARK set 0xc8 
 1263  215K MARK       tcp  --  any    any     anywhere             anywhere           tcp flags:ACK/ACK MARK set 0xc8 
   15  2610 MARK       udp  --  eth0   any     anywhere             anywhere           udp spt:domain MARK set 0xc8 
    0     0 MARK       udp  --  any    any     anywhere             anywhere           udp dpt:domain MARK set 0xc8 
 1985  283K IMQ        all  --  eth0   any     anywhere             anywhere           IMQ: todev 0 

Chain INPUT (policy ACCEPT 8643 packets, 1826K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    5   300 MARK       tcp  --  any    any     anywhere             anywhere           tcp flags:SYN/SYN MARK set 0xc8 
 1263  215K MARK       tcp  --  any    any     anywhere             anywhere           tcp flags:ACK/ACK MARK set 0xc8 
    0     0 MARK       tcp  --  eth0   any     proxy.takas.lt       anywhere           tcp spt:webcache MARK set 0x12c 
    0     0 MARK       tcp  --  eth0   any     anywhere             anywhere           tcp spt:www MARK set 0x12c 
   15  2610 MARK       udp  --  eth0   any     anywhere             anywhere           udp spt:domain MARK set 0xc8 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4513 packets, 373K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    5   300 MARK       tcp  --  any    eth0    anywhere             anywhere           tcp flags:SYN/SYN MARK set 0xc8 
 1843  155K MARK       tcp  --  any    eth0    anywhere             anywhere           tcp flags:ACK/ACK MARK set 0xc8 
    0     0 MARK       tcp  --  any    eth0    anywhere             proxy.takas.lt     tcp dpt:webcache MARK set 0x12c 
    0     0 MARK       tcp  --  any    eth0    anywhere             proxy.takas.lt     tcp dpt:www MARK set 0x12c 
   15  1050 MARK       udp  --  any    any     anywhere             anywhere           udp dpt:domain MARK set 0xc8 

Chain POSTROUTING (policy ACCEPT 4600 packets, 383K bytes)
 pkts bytes target     prot opt in     out     source               destination
#####################

I noticed that the SYN packet count is the same on all of the chains. ACK is the
same on PREROUTING and INPUT. So, what is the scheme?

By the way, what happens when a packet enters the IMQ target? Logically, it
is queued in the imq0 device and traverses all filters as a new packet,
isn't it?

Bye,
Tadas
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
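Added example, not from the post or the LARTC list: a small Python model of the order in which a packet visits the mangle chains (PREROUTING, then INPUT for local delivery or FORWARD and POSTROUTING for routed traffic; OUTPUT and POSTROUTING for locally generated packets), fed with constructed traffic and the poster's six rules. It shows why the PREROUTING and INPUT counters agree as long as nothing is forwarded, and diverge as soon as a masqueraded packet passes through. It assumes $PPP is eth0, as the listing shows, and does not model IMQ re-injection.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Packet:
    flags: Set[str]            # TCP flags set on the packet, e.g. {"SYN"} or {"ACK"}
    in_if: Optional[str]       # ingress interface; None for locally generated packets
    out_if: Optional[str]      # egress interface; None when delivered locally
    local_dst: bool            # routing decision: True = deliver to a local process
    mark: int = 0

def mangle_path(pkt: Packet) -> List[str]:
    """Ordered mangle chains a packet traverses (2.4.18+ has hooks in all five)."""
    if pkt.in_if is None:                          # generated by a local socket
        return ["OUTPUT", "POSTROUTING"]
    if pkt.local_dst:                              # inbound, destined for this host
        return ["PREROUTING", "INPUT"]
    return ["PREROUTING", "FORWARD", "POSTROUTING"]  # inbound, routed onward

def run_rules(packets, rules) -> Dict[Tuple[str, str], int]:
    """Walk packets through their chains as iptables would; rules are
    (chain, tcp flag, -o iface or None, --set-mark). Returns per-rule counters."""
    hits = {(chain, flag): 0 for chain, flag, _, _ in rules}
    for pkt in packets:
        for chain in mangle_path(pkt):
            for rchain, flag, out_if, mark in rules:
                if rchain != chain or flag not in pkt.flags:
                    continue
                if out_if is not None and pkt.out_if != out_if:
                    continue
                pkt.mark = mark           # MARK is non-terminating: the walk continues
                hits[(chain, flag)] += 1
    return hits

# The poster's six rules; $PPP is assumed to be eth0, as the listing shows.
POSTERS_RULES = [
    (chain, flag, "eth0" if chain == "OUTPUT" else None, 200)
    for flag in ("SYN", "ACK") for chain in ("OUTPUT", "INPUT", "PREROUTING")
]

def demo() -> Dict[Tuple[str, str], int]:
    """Constructed traffic: 2 SYN + 3 ACK for local services, 1 forwarded ACK, 2 SYN + 4 ACK sent locally."""
    traffic = (
        [Packet({"SYN"}, "eth0", None, True) for _ in range(2)]
        + [Packet({"ACK"}, "eth0", None, True) for _ in range(3)]
        + [Packet({"ACK"}, "eth1", "eth0", False)]
        + [Packet({"SYN"}, None, "eth0", False) for _ in range(2)]
        + [Packet({"ACK"}, None, "eth0", False) for _ in range(4)]
    )
    return run_rules(traffic, POSTERS_RULES)
```

With this traffic demo() reports SYN counters of 2 in PREROUTING, INPUT and OUTPUT, and ACK counters of 4 in PREROUTING, 3 in INPUT and 4 in OUTPUT: the single forwarded ACK is seen by PREROUTING but never reaches INPUT, which is exactly the divergence the listing would show once FORWARD stops reading 0 packets.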
