On Thu, 2004-11-04 at 10:46 +0200, Abraham van der Merwe wrote:
> Hi Eric
>
> @2004.11.03_21:07:48_+0200
>
> Ok, sorry I didn't paste the real commands. It is actually:
>
> # rules to send all traffic to user-defined chain
> iptables -t mangle -N TRACK
> iptables -t mangle -A POSTROUTING -j TRACK
>
> # a rule to see how much ftp traffic is matched
> iptables -t mangle -A POSTROUTING -m mark --mark 2
>
> # rules to track ftp
> iptables -t mangle -A TRACK -p tcp -j CONNMARK --restore-mark
> iptables -t mangle -A TRACK -p tcp -m mark ! --mark 0 -j RETURN
> iptables -t mangle -A TRACK -p tcp --dport 21 -j MARK --set-mark 2
> iptables -t mangle -A TRACK -j CONNMARK --save-mark
>
> In other words, it returns from a user-defined chain and the mark is in the
> top level chain and will always be matched.

ok

> With above, it doesn't match all the ftp traffic. It definitely matches
> some, but I think it is just the port 21 traffic, not the port 20 (ftp-data)
> stuff which should be picked up by the connection tracking.

I just slightly modified my configuration to check if traffic to port 20 was
matched. This is the case.

Here's my configuration:

# We restore mark at entry
iptables -A PREROUTING -t mangle -m mark --mark 0x0 -j CONNMARK --restore-mark

# We mark new connection
# FORWARD traffic
iptables -A FORWARD -t mangle -m mark --mark 0x0 -p tcp -m state --state NEW -m multiport --dport 6346,4662,4661 -j MARK --set-mark 5
iptables -A FORWARD -t mangle -m mark --mark 0x0 -p tcp -m state --state NEW -m multiport --dport 80 -j MARK --set-mark 4
iptables -A FORWARD -t mangle -m mark --mark 0x0 -p tcp -m state --state NEW -m multiport --dport 21 -j MARK --set-mark 3
iptables -A FORWARD -t mangle -m mark --mark 0x0 -p tcp -m multiport --dport 20
iptables -A FORWARD -t mangle -m mark --mark 0x3 -p tcp -m multiport --dport 20
...
SIMILAR lines in OUTPUT, INPUT
...
# We save the mark
iptables -A POSTROUTING -t mangle -m mark ! --mark 0x0 -j CONNMARK --save-mark

I look at stats with "iptables -L -t mangle -nv" after a little bit of ftp in
passive mode:

Chain FORWARD (policy ACCEPT 21M packets, 13G bytes)
 pkts bytes target  prot opt in  out  source     destination
   53  2960 MARK    tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    MARK match 0x0 state NEW multiport dports 6346,4662,4661 MARK set 0x5
    0     0 MARK    tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    MARK match 0x0 state NEW multiport dports 80 MARK set 0x4
    1    60 MARK    tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    MARK match 0x0 state NEW multiport dports 21 MARK set 0x3
    0     0         tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    MARK match 0x0 multiport dports 20
    3   164         tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    MARK match 0x3 multiport dports 20

So passive ftp on port 20 has the mark that was given on port 21.

About my system:
kernel 2.6.8
lsmod extract:
ip_nat_ftp              4080  0
iptable_nat            19884  2 ip_nat_ftp
ip_tables              15488 10 ipt_MARK,ipt_mark,iptable_mangle,ipt_multiport,ipt_state,ipt_REJECT,ipt_ULOG,iptable_filter,ipt_CONNMARK,iptable_nat
ip_conntrack_ftp       71088  1 ip_nat_ftp
ip_conntrack           28296  5 ipt_state,ipt_CONNMARK,ip_nat_ftp,iptable_nat,ip_conntrack_ftp

BR,
-- 
Eric Leblond <eric@xxxxxxxxx>
NuFW, Now User Filtering Works : http://www.nufw.org
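As an added example (this is not code from Eric's or Abraham's messages), the following script packages the pattern Eric's configuration relies on: CONNMARK --restore-mark on unmarked packets at entry, MARK only the first packet of a new ftp control connection, CONNMARK --save-mark on exit, and two counter-only rules for port 20. The reason port-20 packets end up marked is that conntrack copies the master connection's mark onto a connection the ftp helper expected when that connection is created, so restore-mark finds the control connection's value on the data connection. The second half of the script is the check a practitioner would run afterwards: it parses the counters from "iptables -t mangle -L FORWARD -nvx" the same way one reads Eric's listing, and reports whether port-20 packets carried the mark. The function names, FTP_MARK, the IPT variable and the sample listing are this example's own (the listing is constructed to have the same shape as the counters in the message above).

```shell
#!/bin/sh
# Added example, not part of the original thread. Run as root to install the
# rules; set IPT=echo to print them instead. Names and FTP_MARK are assumptions.

IPT="${IPT:-iptables}"
FTP_MARK=3

ftp_connmark_rules() {
    # Entry: put the connection's saved mark on every still-unmarked packet.
    $IPT -t mangle -A PREROUTING -m mark --mark 0x0 -j CONNMARK --restore-mark
    # Mark only the first packet (state NEW) of an ftp control connection;
    # later packets of that connection already arrive marked by restore-mark.
    $IPT -t mangle -A FORWARD -m mark --mark 0x0 -p tcp --dport 21 \
        -m state --state NEW -j MARK --set-mark "$FTP_MARK"
    # Counter-only rules (no target): ftp-data packets without / with the mark.
    $IPT -t mangle -A FORWARD -m mark --mark 0x0 -p tcp --dport 20
    $IPT -t mangle -A FORWARD -m mark --mark "0x$FTP_MARK" -p tcp --dport 20
    # Exit: copy the packet mark back into the conntrack entry.
    $IPT -t mangle -A POSTROUTING -m mark ! --mark 0x0 -j CONNMARK --save-mark
}

# Read an "iptables -t mangle -L FORWARD -nvx" listing on stdin and print the
# packet counter of the counter rule matching mark $1 on TCP port 20. Accepts
# both the "tcp dpt:20" and the multiport "dports 20" output forms; prints 0
# when no such rule is listed.
ftpdata_pkts_with_mark() {
    awk -v m="$1" '
        $1 ~ /^[0-9]+$/ &&
        tolower($0) ~ ("mark match 0x" m "( |$)") &&
        $0 ~ /(dpt:|dports )20([^0-9]|$)/ { print $1; found = 1; exit }
        END { if (!found) print 0 }'
}

# Exit status 0 when at least one port-20 packet carried FTP_MARK, i.e. the
# data connection inherited the mark set on the port-21 control connection.
ftpdata_inherits_mark() {
    n=$(ftpdata_pkts_with_mark "$FTP_MARK")
    [ "$n" -gt 0 ]
}

# Constructed sample listing (same shape as the counters in the message
# above): one control connection marked 0x3, three ftp-data packets marked.
SAMPLE_LISTING='Chain FORWARD (policy ACCEPT 21000000 packets, 13000000000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       1         60 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK match 0x0 state NEW multiport dports 21 MARK set 0x3
       0          0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK match 0x0 multiport dports 20
       3        164            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK match 0x3 multiport dports 20'

# Offline demonstration on the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" | ftpdata_pkts_with_mark "$FTP_MARK"   # prints 3
```

On the firewall itself the flow is: source the script, run ftp_connmark_rules, do an ftp transfer, then run "iptables -t mangle -L FORWARD -nvx | ftpdata_inherits_mark && echo marked". Use -x so the counters are exact integers rather than the 21M/13G form, and note that current iptables spells the state match "-m conntrack --ctstate NEW"; "-m state" is kept here because it is what the thread's kernel used.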