Hi Pascal,

Thanks for the quick answer. All interfaces are configured as bridges for themselves.

After reading the documentation about CONNMARK and MARK more than twice, I'm trying to divide the problem to get a simple solution. First I want to think about packets in/out from local software at the firewall. I made this:

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
----cut----
# mark only NEW packets that enter the firewall at wan1 with mark 0x1
iptables -t mangle -A PREROUTING -i wan1 -m conntrack --ctstate NEW -j MARK --set-mark 0x1
# save NEW packets and use the same mark above to mark this connection
iptables -t mangle -A PREROUTING -i wan1 -j CONNMARK --save-mark
# connections that are ESTABLISHED or RELATED get the mark back from conntrack
iptables -t mangle -A PREROUTING -i wan1 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
# mark only NEW packets that enter the firewall at wan2 with mark 0x2
iptables -t mangle -A PREROUTING -i wan2 -m conntrack --ctstate NEW -j MARK --set-mark 0x2
# save NEW packets and use the same mark above to mark this connection
iptables -t mangle -A PREROUTING -i wan2 -j CONNMARK --save-mark
# connections that are ESTABLISHED or RELATED get the mark back from conntrack
iptables -t mangle -A PREROUTING -i wan2 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark

OK, with the rules above I'll mark packets and connections that could be directed to the firewall or directed to the LAN. Am I right?

Second, mark packets generated by local applications at the firewall.

# mark only NEW packets that go out from the firewall at wan1 with mark 0x1
# (OUTPUT has no input interface, so the output interface -o is matched here)
iptables -t mangle -A OUTPUT -o wan1 -m conntrack --ctstate NEW -j MARK --set-mark 0x1
# save NEW packets and use the same mark above to mark this connection
iptables -t mangle -A OUTPUT -o wan1 -j CONNMARK --save-mark
# connections that are ESTABLISHED or RELATED get the mark back from conntrack
iptables -t mangle -A OUTPUT -o wan1 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
# mark only NEW packets that go out from the firewall at wan2 with mark 0x2
iptables -t mangle -A OUTPUT -o wan2 -m conntrack --ctstate NEW -j MARK --set-mark 0x2
# save NEW packets and use the same mark above to mark this connection
iptables -t mangle -A OUTPUT -o wan2 -j CONNMARK --save-mark
# connections that are ESTABLISHED or RELATED get the mark back from conntrack
iptables -t mangle -A OUTPUT -o wan2 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark

With the rules above I mark all packets that are generated by applications at the firewall, correct? But looking at conntrack I can observe that some packets from the firewall are not marked, and some packets that enter local applications are not marked either. Where is my mistake?
conntrack -L --src=192.168.1.2 --mark=0
icmp     1 26 src=192.168.1.2 dst=200.160.2.3 type=8 code=0 id=29090 src=200.160.2.3 dst=192.168.1.2 type=0 code=0 id=29090 mark=0 use=1
icmp     1 19 src=192.168.1.2 dst=187.87.149.130 type=8 code=0 id=29100 src=187.87.149.130 dst=192.168.1.2 type=0 code=0 id=29100 mark=0 use=1
icmp     1 0 src=192.168.1.2 dst=200.244.212.179 type=8 code=0 id=29028 src=200.244.212.179 dst=192.168.1.2 type=0 code=0 id=29028 mark=0 use=1
# all ICMP entries are unmarked, and the connection below should have been marked, as it is a VPN connection from the firewall to one of our clients
tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=201.90.201.178 sport=55695 dport=1194 src=201.90.xxx.xxx dst=192.168.1.2 sport=1194 dport=55695 [ASSURED] mark=0 use=1

All the entries just below are correct (marked as 1):

conntrack -L --src=192.168.1.2 --mark=1
udp      17 22 src=192.168.1.2 dst=205.251.197.191 sport=48073 dport=53 src=205.251.197.191 dst=192.168.1.2 sport=53 dport=48073 mark=1 use=1
udp      17 22 src=192.168.1.2 dst=69.171.255.11 sport=41794 dport=53 src=69.171.255.11 dst=192.168.1.2 sport=53 dport=41794 mark=1 use=1
udp      17 15 src=192.168.1.2 dst=69.171.255.11 sport=55388 dport=53 src=69.171.255.11 dst=192.168.1.2 sport=53 dport=55388 mark=1 use=1
conntrack v1.4.4 (conntrack-tools): 3 flow entries have been shown.
root@zeus:/usr/share/painel-loadbalance# conntrack -L --dst=192.168.1.2 --mark=0
tcp      6 63 TIME_WAIT src=187.87.149.xxx dst=192.168.1.2 sport=37590 dport=10051 src=192.168.1.2 dst=187.87.149.130 sport=10051 dport=37590 [ASSURED] mark=0 use=1
tcp      6 111 TIME_WAIT src=187.87.149.xxx dst=192.168.1.2 sport=37723 dport=10051 src=192.168.1.2 dst=187.87.149.130 sport=10051 dport=37723 [ASSURED] mark=0 use=1
tcp      6 78 TIME_WAIT src=187.87.149.xxx dst=192.168.1.2 sport=37593 dport=10051 src=192.168.1.2 dst=187.87.149.130 sport=10051 dport=37593 [ASSURED] mark=0 use=1
tcp      6 4 TIME_WAIT src=200.229.135.xxx dst=192.168.1.2 sport=15843 dport=10051 src=192.168.1.2 dst=200.229.135.3 sport=10051 dport=15843 [ASSURED] mark=0 use=1
# all these connections should be marked 1, because our clients make a connection to our Zabbix server, which is an application located at the firewall

conntrack -L --dst=192.168.1.2 --mark=1
conntrack v1.4.4 (conntrack-tools): 0 flow entries have been shown.

Thanks in advance.

2017-10-24 19:57 GMT-02:00 Pascal Hambourg <pascal@xxxxxxxxxxxxxxx>:
> On 24/10/2017 at 00:15, paulo bruck wrote:
>>
>> lan------- firewall--------- wan1------internet
>>                    |-----------wan2 -----internet
>>
>> All interfaces as bridges
>
> Do you mean that lan, wan1 and wan2 are ports in the same bridge ?
> Or they are themselves bridges ?
>
>> iptables -t mangle -A PREROUTING -i wan1 -m conntrack --ctstate NEW -j
>> CONNMARK --set-mark 0x1
>
> Sets connection mark to 1.
>
>> iptables -t mangle -A PREROUTING -i wan1 -j CONNMARK --save-mark
>
> IIUC, copies packet mark (unset so far) to the connection mark, overwriting
> the previous value (1). Why are you doing this ?
>
>> iptables -t mangle -A PREROUTING -i wan1 -m conntrack --ctstate
>> ESTABLISHED,RELATED -j CONNMARK --restore-mark
>
> Copies the connection mark (now unset) to the packet mark.
>
>> I can reach apache but looking at conntrack -L I see :
>>
>> tcp      6 107 TIME_WAIT src=192.241.152.243 dst=192.168.1.2
>> sport=53545 dport=80 src=192.168.1.2 dst=192.241.152.243 sport=80
>> dport=53545 [ASSURED] mark=0 use=1
>> tcp      6 103 TIME_WAIT src=192.241.152.243 dst=192.168.1.2
>> sport=53544 dport=80 src=192.168.1.2 dst=192.241.152.243 sport=80
>> dport=53544 [ASSURED] mark=0 use=1
>>
>> Should be mark=1 ??
>
> No. See above comments.
>
>> How can I force mark=1
>
> Do not --save-mark when the packet mark is unset.
>
> Why do you need connection marks and packet marks ?

--
Paulo Ricardo Bruck
consultor
tel 011 3596-4881/4882 011 98140-9184 (TIM)
http://www.contatogs.com.br
http://www.protejasuarede.com.br
gpg AAA59989 at wwwkeys.us.pgp.net
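The ordering problem Pascal points at (a blanket --save-mark that copies an unset packet mark over a connection mark that was already set) is easiest to see in a rule set that does it the other way round. The script below is an added example, not code posted by either participant in the thread: it generates a mangle table in iptables-restore format where each chain first restores the connection mark to the packet, then marks only packets that are still unmarked and open a NEW connection, and finally saves the packet mark back only when it is non-zero. The interface names wan1/wan2 and the marks 0x1/0x2 come from the thread; the function names and the check_order helper are assumptions made here.

```shell
#!/bin/sh
# Added example for the CONNMARK/MARK thread above; not the posters' code.
# Emits mangle-table rules in iptables-restore format that keep the
# connection mark intact. wan1/wan2 and marks 0x1/0x2 come from the thread;
# the rule layout and helper names are assumptions.

rule() { printf '%s\n' "$*"; }

# Rules for one chain ($1 = PREROUTING or OUTPUT). Order matters:
#  1. copy the connection mark to the packet first, so that the later
#     --save-mark can never overwrite it with an empty packet mark;
#  2. give a fresh mark only to packets that still carry mark 0 and
#     open a NEW connection, chosen by the WAN interface;
#  3. copy the packet mark back to the connection only when it is set.
mangle_chain_rules() {
    chain=$1
    case $chain in
        PREROUTING) ifopt=-i ;;  # packets arriving on a WAN link
        OUTPUT)     ifopt=-o ;;  # locally generated; -i is not allowed in OUTPUT
        *) echo "mangle_chain_rules: unknown chain $chain" >&2; return 1 ;;
    esac
    rule "-A $chain -j CONNMARK --restore-mark"
    rule "-A $chain $ifopt wan1 -m mark --mark 0 -m conntrack --ctstate NEW -j MARK --set-mark 0x1"
    rule "-A $chain $ifopt wan2 -m mark --mark 0 -m conntrack --ctstate NEW -j MARK --set-mark 0x2"
    rule "-A $chain -m mark ! --mark 0 -j CONNMARK --save-mark"
}

# Whole mangle table, ready for: mangle_table | iptables-restore --test --noflush
mangle_table() {
    rule '*mangle'
    mangle_chain_rules PREROUTING
    mangle_chain_rules OUTPUT
    rule 'COMMIT'
}

# Sanity check on the generated text: in every chain the --restore-mark
# line must come before the --save-mark line. Exit status 0 when correct.
check_order() {
    mangle_table | awk '
        $1 == "-A"       { chain = $2 }
        /--restore-mark/ { r[chain] = NR }
        /--save-mark/    { s[chain] = NR }
        END { for (c in s) if (!(c in r) || r[c] > s[c]) bad = 1; exit bad }'
}
```

Two caveats that apply to the setup in the thread. First, the mark only labels the connection; steering the reply or the outgoing traffic still needs the routing side (an `ip rule ... fwmark` entry per WAN table), and for locally generated traffic the kernel re-evaluates the route after mangle OUTPUT only when the packet mark actually changed there, which is why the first packet must be marked in OUTPUT and not only in PREROUTING. Second, because wan1 and wan2 are bridges, `-i wan1` matches the bridge device itself; to match one bridge port rather than the bridge, use `-m physdev --physdev-in` instead.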