#302 Rule with option Tag and action Accept in Mangle Prerouting

open
Vadim Kurland
5
2011-12-20
2011-12-20
Niumar
No

Today when I build a rule with a mark defined in the option Tag and choose ACCEPT as action (in order to obtain "Make Tag and Classify actions terminating"), fwbuilder builds the mark rules in the mangle prerouting and the accept ones in the filter input. I would like to suggest building them all in the mangle prerouting table as shown in the example below.

Example:

nº | from| to | service | iface | dir | action | time | options
#0 | any | firewall | http | eth0 | in | ACCEPT | any | state less and mark 0x1
#1 | any | firewall | https | eth0 | in | ACCEPT | any | state less and mark 0x1
#2 | any | firewall | any | eth0 | in | ACCEPT | any | state less and mark 0x2

How they are built today:

$IPTABLES -t mangle -A PREROUTING -i eth0 -p tcp -m tcp -d 10.4.0.1 --dport 80 -j MARK --set-mark 0x1
$IPTABLES -t mangle -A PREROUTING -i eth0 -p tcp -m tcp -d 10.4.0.1 --dport 443 -j MARK --set-mark 0x1
$IPTABLES -t mangle -A PREROUTING -i eth0 -d 10.4.0.1 -j MARK --set-mark 0x2

$IPTABLES -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -j ACCEPT

How I propose:

$IPTABLES -t mangle -A PREROUTING -i eth0 -p tcp -m tcp -d 10.4.0.1 --dport 80 -j MARK --set-mark 0x1
$IPTABLES -t mangle -A PREROUTING -i eth0 -p tcp -m tcp -d 10.4.0.1 --dport 80 -j ACCEPT
$IPTABLES -t mangle -A PREROUTING -i eth0 -p tcp -m tcp -d 10.4.0.1 --dport 443 -j MARK --set-mark 0x1
$IPTABLES -t mangle -A PREROUTING -i eth0 -p tcp -m tcp -d 10.4.0.1 --dport 443 -j ACCEPT
$IPTABLES -t mangle -A PREROUTING -i eth0 -d 10.4.0.1 -j MARK --set-mark 0x2
$IPTABLES -t mangle -A PREROUTING -i eth0 -d 10.4.0.1 -j ACCEPT

Advantages:
- I do not need to open services, as happens when the accept rules are created in the filter input.
- Previous rules do not have their marks overwritten by the last one, as shown in the example.
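The mark-overwriting effect the ticket describes follows from how iptables walks a chain: MARK is a non-terminating target, so the packet keeps going and a later, broader MARK rule replaces the value, whereas ACCEPT ends traversal of the current chain. The script below is an added example written for this ticket (it is not fwbuilder code and not part of the original report): it parses the two rule sets quoted above with a small iptables-option parser, walks them for a constructed packet and returns the mark the packet leaves the mangle PREROUTING chain with. The `Packet` and `Rule` types and the `final_mark` function are assumptions of this model. One caveat worth keeping in mind: ACCEPT in a mangle built-in chain only ends traversal of that mangle chain; the packet still passes through the nat and filter tables, so the filter INPUT policy continues to apply to it.

```python
"""Model of iptables chain traversal for the rule sets in this ticket.
MARK is non-terminating (the walk continues), ACCEPT is terminating
(the packet leaves the current chain). Constructed for illustration,
not fwbuilder's own code."""
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Rule lines as fwbuilder generates them today (copied from the ticket).
CURRENT_MANGLE = """
$IPTABLES -t mangle -A PREROUTING -i eth0 -p tcp -m tcp -d 10.4.0.1 --dport 80 -j MARK --set-mark 0x1
$IPTABLES -t mangle -A PREROUTING -i eth0 -p tcp -m tcp -d 10.4.0.1 --dport 443 -j MARK --set-mark 0x1
$IPTABLES -t mangle -A PREROUTING -i eth0 -d 10.4.0.1 -j MARK --set-mark 0x2
"""

# Rule lines as the ticket proposes: each MARK followed by a terminating ACCEPT.
PROPOSED_MANGLE = """
$IPTABLES -t mangle -A PREROUTING -i eth0 -p tcp -m tcp -d 10.4.0.1 --dport 80 -j MARK --set-mark 0x1
$IPTABLES -t mangle -A PREROUTING -i eth0 -p tcp -m tcp -d 10.4.0.1 --dport 80 -j ACCEPT
$IPTABLES -t mangle -A PREROUTING -i eth0 -p tcp -m tcp -d 10.4.0.1 --dport 443 -j MARK --set-mark 0x1
$IPTABLES -t mangle -A PREROUTING -i eth0 -p tcp -m tcp -d 10.4.0.1 --dport 443 -j ACCEPT
$IPTABLES -t mangle -A PREROUTING -i eth0 -d 10.4.0.1 -j MARK --set-mark 0x2
$IPTABLES -t mangle -A PREROUTING -i eth0 -d 10.4.0.1 -j ACCEPT
"""


@dataclass
class Packet:
    """Constructed packet: only the fields the rules above match on."""
    iface: str
    proto: str
    dst: str
    dport: Optional[int] = None
    mark: int = 0  # packet mark, 0 until a MARK rule sets it


@dataclass
class Rule:
    target: str                     # "MARK" or "ACCEPT"
    iface: Optional[str] = None
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    set_mark: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # An unset match field means "any", like an omitted iptables option.
        for attr in ("iface", "proto", "dst", "dport"):
            want = getattr(self, attr)
            if want is not None and getattr(pkt, attr) != want:
                return False
        return True


def parse_rule(line: str) -> Rule:
    """Parse the subset of iptables options that appear in the ticket."""
    toks = shlex.split(line)
    rule = Rule(target="")
    i = 0
    while i < len(toks):
        tok = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if tok == "-i":
            rule.iface = arg
        elif tok == "-p":
            rule.proto = arg
        elif tok == "-d":
            rule.dst = arg
        elif tok == "--dport":
            rule.dport = int(arg)
        elif tok == "-j":
            rule.target = arg
        elif tok == "--set-mark":
            rule.set_mark = int(arg, 16)
        elif tok in ("-t", "-A", "-m"):
            pass  # table, chain and match-module selection: irrelevant to this model
        else:
            i += 1  # "$IPTABLES" itself; option arguments are consumed with their option
            continue
        i += 2
    if rule.target not in ("MARK", "ACCEPT"):
        raise ValueError(f"unsupported target in: {line}")
    return rule


def parse_chain(text: str) -> List[Rule]:
    return [parse_rule(ln) for ln in text.strip().splitlines() if ln.strip()]


def final_mark(chain: List[Rule], pkt: Packet) -> int:
    """Walk the chain top to bottom; return the mark the packet leaves with."""
    for rule in chain:
        if not rule.matches(pkt):
            continue
        if rule.target == "MARK":
            pkt.mark = rule.set_mark  # non-terminating: keep walking the chain
        elif rule.target == "ACCEPT":
            break                     # terminating: leave this chain now
    return pkt.mark


def mark_today(pkt: Packet) -> int:
    return final_mark(parse_chain(CURRENT_MANGLE), pkt)


def mark_proposed(pkt: Packet) -> int:
    return final_mark(parse_chain(PROPOSED_MANGLE), pkt)


if __name__ == "__main__":
    http = lambda: Packet(iface="eth0", proto="tcp", dst="10.4.0.1", dport=80)
    print("HTTP mark today:   ", hex(mark_today(http())))     # 0x2: overwritten by rule #2
    print("HTTP mark proposed:", hex(mark_proposed(http())))  # 0x1: ACCEPT stops the walk
```

Running it shows the HTTP packet ending with mark 0x2 under the current output, because the catch-all rule for 0x2 is evaluated after the 0x1 rule, and with mark 0x1 under the proposed output, where the ACCEPT right after the MARK stops the walk. Traffic matching only the last pair (for example TCP port 22 to the firewall) still gets 0x2 in both variants.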

Discussion

  • Niumar (2011-12-20)