  1. #1  Just Joined! (Join Date Feb 2011, Posts 2)

    using iptables CONNMARK match and target


    I'm an iptables n00b

    I'm trying to take advantage of connmark for bypassing rules for already established and related connections (duh!!!)

    I'm using only the filter table... and also I'm not using "MARK" (or iproute to set any packet mark)

    here is what my sample table looks like

    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [24:1636]
    :cmchain - [0:0]
    :mychain - [0:0]
    :outchain - [0:0]
    -A INPUT -m connmark ! --mark 0x0 -j ACCEPT
    -A INPUT -j mychain
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j cmchain
    -A OUTPUT -m connmark ! --mark 0x0 -j ACCEPT
    -A OUTPUT -j outchain
    -A cmchain -j CONNMARK --set-xmark 0x1/0xffffffff
    -A cmchain -j ACCEPT
    COMMIT


    mychain contains inbound rules, while outchain contains outbound rules

    In order to bypass mychain and outchain, I've added a "connmark" match first to check the connection mark... however I'm not getting the desired results...

    Please help me understand where I'm going wrong.
    TIA

  2. #2  Lazydog, Linux Guru (Join Date Jun 2004, Location The Keystone State, Posts 2,677)
    Not sure why you are making this so hard. ESTABLISHED and RELATED look in their connection tracking DB and if it is there they do whatever the '-j' tells them to do.

    So the first rule in your INPUT chain should be:
    Code:
    iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    This will match all established connections and thus accept the incoming packets and bypass all other rules for incoming packets.

    Take a look at this TUTORIAL for how things work.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  3. #3  Just Joined! (Join Date Feb 2011, Posts 2)
    I had tried this...
    The reason for not doing it is... I want packets to traverse the inbound chain at least once.
    So even a packet belonging to an established connection must go through the inbound chain...

    after that, marking is done...

  4. #4  Lazydog, Linux Guru (Join Date Jun 2004, Location The Keystone State, Posts 2,677)
    OK, rules in iptables are read from top to bottom.

    Regards
    Robert
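Lazydog's "top to bottom" remark is the whole answer to post #1: ACCEPT inside a user chain ends traversal of INPUT, so any packet that mychain accepts never reaches the later INPUT rule that jumps to cmchain, the CONNMARK is never written, and every packet of that connection walks mychain again. The Python model below is an added example written for this thread, not code from any poster. It simulates the INPUT chain walk (terminating targets, jumps, RETURN/fall-through, CONNMARK and the connmark match) and pushes three packets of one constructed SSH flow through the rules as posted and then through a corrected set. The one inbound rule assumed to live in mychain (accept TCP to port 22) is an assumption, since the thread never shows that chain.

```python
"""Model of iptables rule evaluation with conntrack state and CONNMARK.

Added example for this thread, not code from any poster. It reproduces the
rule walk the kernel does for the INPUT chain so the effect of rule order can
be seen offline. Assumed: mychain holds one rule, accept TCP to port 22; the
thread never shows that chain.
"""

ACCEPT, DROP, RETURN, CONNMARK = "ACCEPT", "DROP", "RETURN", "CONNMARK"

# Conntrack table: flow tuple -> connection mark (the value -m connmark reads
# and -j CONNMARK writes). A flow already in the table is ESTABLISHED.
conntrack = {}


def rule(match, target, mark=None):
    return {"match": match, "target": target, "mark": mark}


# Match functions get the packet, its conntrack state and current connmark.
def m_any(pkt, state, mark):                 # rule with no match clause
    return True


def m_connmark_nonzero(pkt, state, mark):    # -m connmark ! --mark 0x0
    return mark != 0


def m_established(pkt, state, mark):         # -m conntrack --ctstate RELATED,ESTABLISHED
    return state in ("ESTABLISHED", "RELATED")


def m_ssh(pkt, state, mark):                 # -p tcp --dport 22 (assumed mychain rule)
    return pkt["proto"] == "tcp" and pkt["dport"] == 22


def walk(chains, chain, pkt, state, flow, trace):
    """Walk one chain top to bottom. ACCEPT/DROP end the whole traversal,
    RETURN or falling off the end hands control back to the caller,
    CONNMARK writes the conntrack entry and evaluation continues."""
    for r in chains[chain]:
        if not r["match"](pkt, state, conntrack[flow]):
            continue
        t = r["target"]
        if t in (ACCEPT, DROP):
            return t
        if t == RETURN:
            return None
        if t == CONNMARK:
            conntrack[flow] = r["mark"]
            continue
        trace.append(t)                      # jump into a user-defined chain
        verdict = walk(chains, t, pkt, state, flow, trace)
        if verdict is not None:
            return verdict
    return None


def process(table, pkt):
    """Run one packet through INPUT; returns (verdict, chains entered, mark)."""
    flow = (pkt["src"], pkt["dst"], pkt["proto"], pkt["dport"])
    state = "ESTABLISHED" if flow in conntrack else "NEW"
    conntrack.setdefault(flow, 0)            # entry exists while rules run
    trace = []
    verdict = walk(table["chains"], "INPUT", pkt, state, flow, trace)
    if verdict is None:
        verdict = table["policy"]["INPUT"]
    return verdict, tuple(trace), conntrack[flow]


def as_posted():
    """The poster's INPUT rules, in the order given in the thread."""
    return {"policy": {"INPUT": ACCEPT}, "chains": {
        "INPUT": [rule(m_connmark_nonzero, ACCEPT),
                  rule(m_any, "mychain"),
                  rule(m_established, "cmchain")],
        "mychain": [rule(m_ssh, ACCEPT)],
        "cmchain": [rule(m_any, CONNMARK, mark=1), rule(m_any, ACCEPT)],
    }}


def marked_in_mychain():
    """Same chains, but mychain accepts via cmchain so the first packet the
    policy allows marks its connection; later packets hit INPUT rule 1."""
    return {"policy": {"INPUT": ACCEPT}, "chains": {
        "INPUT": [rule(m_connmark_nonzero, ACCEPT),
                  rule(m_any, "mychain")],
        "mychain": [rule(m_ssh, "cmchain")],
        "cmchain": [rule(m_any, CONNMARK, mark=1), rule(m_any, ACCEPT)],
    }}


def run(build):
    """Three packets of one constructed SSH flow through a fresh ruleset."""
    conntrack.clear()
    table = build()
    pkt = {"src": "192.0.2.10", "dst": "192.0.2.1", "proto": "tcp", "dport": 22}
    return [process(table, pkt) for _ in range(3)]


if __name__ == "__main__":
    for build in (as_posted, marked_in_mychain):
        print(build.__name__)
        for n, (verdict, trace, mark) in enumerate(run(build), 1):
            print(f"  packet {n}: {verdict}, chains walked {list(trace)}, connmark {mark}")
```

With the rules as posted, all three packets are accepted inside mychain and the connmark stays 0, so the bypass rule never fires. With mychain's accepting rule jumping to cmchain instead of ACCEPT, the first accepted packet marks the connection and packets 2 and 3 are accepted by the first INPUT rule without entering mychain; the reply direction benefits too, because OUTPUT's connmark match reads the same conntrack entry. The corrected set drops the original third INPUT rule on purpose: placed after the mychain jump, it also accepted any ESTABLISHED packet that mychain declined to decide, which only makes sense if that is the policy you want. Packets with no conntrack entry (INVALID or untracked) never match -m connmark and are ignored by CONNMARK, so they keep walking mychain in both versions.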
