Ask Your Question
0

Where is the iptables MARK location in my case?

asked 2022-04-09 10:17:47 +0000

markleo gravatar image

updated 2022-04-09 10:27:44 +0000

In my Server, I emptied all the iptables rules, and then add below rule:

iptables -t mangle -N DIVERT  
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

iptables -t mangle -A DIVERT -j MARK --set-mark 1  
iptables -t mangle -A DIVERT -j ACCEPT

I can check it:

[[email protected] go-tproxy]# iptables -n -L  -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DIVERT     tcp  --  0.0.0.0/0            0.0.0.0/0            socket

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain DIVERT (1 references)
target     prot opt source               destination         
MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK set 0x1
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

You see the MARK set 0x1 tag in rules, and then I useping www.demo.comand `curl -vo 1 'https://google.com' to test the data. and I capture the packages by wireshark, you can check: https://github.com/moonshineBoy/paste...

I didn't find the location of the MARK set 0x1 in capture-https.pcapng, please tell me where is the MARK location.

edit retag flag offensive close merge delete

1 Answer

Sort by » oldest newest most voted
0

answered 2022-04-09 15:05:43 +0000

Chuckc gravatar image

The iptables and netfilter documentation have a lot about how to use marks but not how they are implemented.
External articles say that they are virtual (in the kernel) and never reach an interface where Wireshark can see them.

How --set-mark option works on Netfilter (IPTABLES)?

It's only purely virtual and internal, as it can have no existence on the wire.

A Deep Dive into Iptables and Netfilter Architecture

This table can also place an internal kernel “mark” on the packet for further processing in other tables and by other networking tools. This mark does not touch the actual packet, but adds the mark to the kernel’s representation of the packet.

edit flag offensive delete link more

Comments

then how can kernel identify the actual packet? so the mark in kernel can correspond the actual packet.

markleo gravatar imagemarkleo ( 2022-04-10 05:43:20 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2022-04-09 10:17:47 +0000

Seen: 48 times

Last updated: Apr 09