Re: [Fwbuilder-discussion] Forward in mangle table
From: Vadim K. <va...@vk...> - 2010-04-25 02:02:27
2010/4/23 Vadim Kurland <va...@vk...>:
> 2010/4/23 Niumar André Klein <ni...@so...>:
>> Hi Vadim!
>>
>> Sorry for the delay to reply.
>>
>> The rule, in iptables notation, that I need:
>>
>> iptables -t mangle -A FORWARD -i eth0 -o eth1 -p tcp --dport 2211 -j
>> MARK --set-mark 0x10
>>
>> Knowing the in and out interfaces is necessary to me. I know that I can
>> use branch rules, but the problem is that the packet that I want to
>> filter only appears with two defined interfaces in the forward chain
>> (mangle table). The packet, when it goes through the chains prerouting,
>> postrouting or output, has only one of the interfaces defined (logs show
>> me this). So, I didn't find a way to create a rule in fwbuilder notation
>> that generates a rule in the forward chain (using and not using branch).
>
> this can be done, but not in a single rule.
>
> here is how it _should_ work:
>
> first, you create a policy rule with "any" in source and destination
> and tcp service for the port 2211 in "service". In this rule you match
> interface eth0, direction inbound, and use action "Branch". You then
> create another policy rule set with any name and make the branching
> rule branch to it. Open the "Branch" action in the editor and drag the new
> policy rule set object into it. Also check the checkbox to make it
> branch in the mangle table as well. In the new rule set you add a rule
> with "any" in source, destination and service, matching interface eth1
> with direction outbound and action Tag. Open the action in the editor
> and drag the Tag service object into it.
>
> unfortunately this does not quite work at this time. It creates the branch
> in the PREROUTING and POSTROUTING chains in the mangle table but not in
> the FORWARD chain. I'll fix this and send another email to this thread
> when it is done.

this is fixed and these rules work as I described above in build 2834

--vk

>
>> About the rule with restore-mark, I read in the fwbuilder help that when
>> you select "Mark connections created by packets that match this
>> rule" (on a rule with a tag service object for action) fwbuilder creates
>> an automatic restore-mark rule (in the prerouting chain) on top of the
>> policy.
>>
>> Fwbuilder creates:
>> $IPTABLES -t mangle -A PREROUTING -j CONNMARK --restore-mark
>>
>> I need:
>> $IPTABLES -t mangle -A PREROUTING -i eth0 -j CONNMARK --restore-mark
>>
>> I tested the "custom" action further and I saw that it is possible and
>> simple to create the rule that I want.
>>
>> I hope you understood me. :)
>>
>> Thanks!
>>
>> Niumar
>>
>> --
>> Engº Niumar André Klein
>> Network/server analyst
>> SOLIS - Cooperativa de Soluções Livres
>> www.solis.coop.br
>>
>>
>> On Sat, 2010-04-17 at 07:55 -0700, Vadim Kurland wrote:
>>> I am on vacation right now and my Internet connection is intermittent,
>>> so I can not look at the code to check. However I believe you can get
>>> a rule in the mangle table and forward chain. What does the rule you have
>>> tried look like?
>>>
>>> Note that fwbuilder can't generate a rule with both -i and -o at the
>>> same time. If you need to match two interfaces, use branch.
>>>
>>> I don't understand the question about the rule with restore-mark, but if
>>> you want to build a rule like this yourself, you can use custom
>>> action. I don't remember if custom actions were supported in 3.0 but
>>> they are definitely supported in fwbuilder 4 beta.
>>>
>>> --vk
>>>
>>> On Friday, April 16, 2010, Niumar André Klein <ni...@so...> wrote:
>>> > Hi all!
>>> >
>>> > I am trying to create a rule that should go to the mangle - forward
>>> > table. I tried a lot of situations, but the results were only rules in
>>> > the mangle - prerouting, postrouting and output tables. This is for
>>> > Fwbuilder version 3.0.8 (build 1977).
>>> >
>>> > I need forward because it is necessary for me to mark traffic going in and
>>> > out on two specific interfaces. Debugging iptables tables, the only
>>> > table that allows me to specify the two interfaces is the forward table and
>>> > that should be right.
>>> >
>>> > Another problem that I saw was that fwbuilder generates an automatic
>>> > rule for restore-mark when the connmark module is used to save marks.
>>> > So, is there a way to let me build a rule with restore-mark?
>>> >
>>> > A suggestion: allow creating rules with action custom in the mangle
>>> > table.
>>> >
>>> > Regards,
>>> > Niumar
>>> >
>>> >
>>> > --
>>> > Engº Niumar André Klein
>>> > Network/server analyst
>>> > SOLIS - Cooperativa de Soluções Livres
>>> > www.solis.coop.br
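Added example, not code from this thread and not fwbuilder output: the iptables rules that the two-rule branch construction Vadim describes amounts to, written by hand as a POSIX shell script, next to the single -i/-o rule the original poster wanted. The interface names eth0 and eth1, port 2211, mark 0x10 and the eth0-only restore-mark rule come from the thread; the chain name mark_2211 and the script's variable and function names are assumptions, standing in for whatever fwbuilder names the branch rule set.

```sh
#!/bin/sh
# Added example, not code from the thread or generated by fwbuilder.
# Hand-written iptables equivalent of the two-rule construction: a branch
# entered on the inbound interface, and a Tag (MARK) rule on the outbound
# interface inside the branch.  "mark_2211" is a placeholder chain name.

IN_IF="${IN_IF:-eth0}"
OUT_IF="${OUT_IF:-eth1}"
PORT="${PORT:-2211}"
MARK="${MARK:-0x10}"
CHAIN="${CHAIN:-mark_2211}"

# Emit the ruleset through the command given as $1 (default: iptables).
# Passing "echo" prints the commands instead of applying them, so the
# ruleset can be reviewed or tested without root.
mangle_rules() {
    ipt="${1:-iptables}"

    # Restore a previously saved connection mark, but only for packets
    # entering on the inbound interface (the narrower form the original
    # poster wanted instead of the unconditional rule).
    "$ipt" -t mangle -A PREROUTING -i "$IN_IF" -j CONNMARK --restore-mark

    # The branch: a user chain in the mangle table, entered from FORWARD
    # for TCP/2211 packets that arrived on the inbound interface.
    "$ipt" -t mangle -N "$CHAIN"
    "$ipt" -t mangle -A FORWARD -i "$IN_IF" -p tcp --dport "$PORT" -j "$CHAIN"

    # Inside the branch, match the outbound interface and set the mark.
    # Only packets traversing FORWARD have both interfaces known, which is
    # why the -i match sits in FORWARD and the -o match in the branch.
    "$ipt" -t mangle -A "$CHAIN" -o "$OUT_IF" -j MARK --set-mark "$MARK"

    # Save the mark on the connection so the PREROUTING rule above can
    # restore it onto later packets of the same flow.
    "$ipt" -t mangle -A "$CHAIN" -o "$OUT_IF" -j CONNMARK --save-mark
}

# The single hand-written rule the branch construction stands in for
# (fwbuilder cannot emit -i and -o in one rule, iptables itself can).
single_rule() {
    ipt="${1:-iptables}"
    "$ipt" -t mangle -A FORWARD -i "$IN_IF" -o "$OUT_IF" -p tcp \
        --dport "$PORT" -j MARK --set-mark "$MARK"
}

# Dry-run checks usable without root: how many emitted rules are appended
# to FORWARD, and how many emitted rules carry both -i and -o (expected 0
# for the branch form; "|| true" keeps grep's no-match status from
# aborting a caller running under set -e).
count_forward_rules() {
    mangle_rules echo | grep -c -- '-A FORWARD'
}

rules_with_both_ifaces() {
    mangle_rules echo | grep -c -e '-i .* -o ' || true
}
```

`mangle_rules echo` prints the rules for review; `mangle_rules` run as root applies them. The dry-run helpers check the property the thread hinges on: the branch form produces exactly one FORWARD rule and no rule that carries both -i and -o, whereas `single_rule echo` shows the one-line form that needs both.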