Ask Your Question
0

Where is the iptables MARK location in my case?

asked 2022-04-09 10:17:47 +0000

markleo gravatar image

updated 2022-04-09 10:27:44 +0000

In my Server, I emptied all the iptables rules, and then add below rule:

iptables -t mangle -N DIVERT  
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

iptables -t mangle -A DIVERT -j MARK --set-mark 1  
iptables -t mangle -A DIVERT -j ACCEPT

I can check it:

[root@localhost go-tproxy]# iptables -n -L  -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DIVERT     tcp  --  0.0.0.0/0            0.0.0.0/0            socket

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain DIVERT (1 references)
target     prot opt source               destination         
MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK set 0x1
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

You see the MARK set 0x1 tag in rules, and then I useping www.demo.comand `curl -vo 1 'https://google.com' to test the data. and I capture the packages by wireshark, you can check: https://github.com/moonshineBoy/paste...

I didn't find the location of the MARK set 0x1 in capture-https.pcapng, please tell me where is the MARK location.

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by » oldest newest most voted
0

answered 2022-04-09 15:05:43 +0000

Chuckc gravatar image

The iptables and netfilter documentation have a lot about how to use marks but not how they are implemented.
External articles say that they are virtual (in the kernel) and never reach an interface where Wireshark can see them.

How --set-mark option works on Netfilter (IPTABLES)?

It's only purely virtual and internal, as it can have no existence on the wire.

A Deep Dive into Iptables and Netfilter Architecture

This table can also place an internal kernel “mark” on the packet for further processing in other tables and by other networking tools. This mark does not touch the actual packet, but adds the mark to the kernel’s representation of the packet.

edit flag offensive delete link more

Comments

then how can kernel identify the actual packet? so the mark in kernel can correspond the actual packet.

markleo gravatar imagemarkleo ( 2022-04-10 05:43:20 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2022-04-09 10:17:47 +0000

Seen: 734 times

Last updated: Apr 09 '22

Related questions

How can I remove my ask.wireshark.org account?

The capture option wifi doesn't appear

What is wrong with the DNS in PCAP?

My Wireshark shows regardless of how much I use the Internet that I do not use Wifi

Analysing pcap

Get IP/host informations of an app.

How could I potentially export the actual binary file from a POST request?

NBIOT wireshark support for RRC connection setup

Does this site support pre-moderation?

How to get all the domains which use DNS query?