1
Linux iptables includes that ability to mark individual network packets
2
with a "firewall mark". Additionally there is a component called
3
"conntrack" which tries to string sequences of related packets together
4
into a "connection" (it even relates sequences of UDP and ICMP packets).
5
There is a related mark for a connection called a "connection mark".
6
Marks can be copied freely between the firewall and connection marks
8
Using these two features it become possible to tag all related traffic
9
in arbitrary ways, eg authenticated users, traffic from a particular IP,
10
port, etc. Unfortunately any kind of "proxy" breaks this relationship
11
because network packets go in one side of the proxy and a completely new
12
connection comes out of the other side. However, sometimes, we want to
13
maintain that relationship through the proxy and continue the connection
14
mark on packets upstream of our proxy
16
DNSMasq includes such a feature enabled by the --conntrack
17
option. This allows, for example, using iptables to mark traffic from
18
a particular IP, and that mark to be persisted to requests made *by*
19
DNSMasq. Such a feature could be useful for bandwidth accounting,
20
captive portals and the like. Note a similar feature has been
21
implemented in Squid 2.2
24
As an example consider the following iptables rules:
27
1) iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
28
2) iptables -t mangle -A PREROUTING -m mark --mark 0 -s 192.168.111.137
29
-j MARK --set-mark 137
30
3) iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
32
4) iptables -t mangle -A OUTPUT -m mark ! --mark 0 -j CONNMARK --save-mark
34
1-3) are all applied to the PREROUTING table and affect all packets
35
entering the firewall.
37
1) copies any existing connection mark into the firewall mark. 2) Checks
38
the packet not already marked and if not applies an arbitrary mark based
39
on IP address. 3) Saves the firewall mark back to the connection mark
40
(which will persist it across related packets)
42
4) is applied to the OUTPUT table, which is where we first see packets
43
generated locally. DNSMasq will have already copied the firewall mark
44
from the request, across to the new packet, and so all that remains is
45
for iptables to copy it to the connection mark so it's persisted across
48
Note: iptables can be quite confusing to the beginner. The following
49
diagram is extremely helpful in understanding the flows
50
http://linux-ip.net/nf/nfk-traversal.png
51
Additionally the following URL contains a useful "starting guide" on
52
linux connection tracking/marking
53
http://home.regit.org/netfilter-en/netfilter-connmark/