linux
Yagoda123, 2013-12-11 19:45:06

Where to mark packets in iptables if you need to mark the reply after SNAT and filter by source IP (before SNAT)?

Please help, I've been racking my brains over this.
Setup: grey (private) internal IPs are SNATed to an external address range.
On some condition (protocol, source port, internal IP) the reply has to be sent via a different routing table.
It all seems simple: I create the routing table I need, create an ip rule on fwmark with the desired label, and do -j MARK in mangle/PREROUTING.
Everything works great for internal white (non-NATed) IPs. But for grey IPs the scheme doesn't work.
As I understand it, the reverse NAT translation hasn't happened yet in mangle/PREROUTING, and the destination address is still in the external range.
I tried handling it in mangle/FORWARD: no reaction. Most likely the routing decision has already been made by then and the rule has no effect.
Does anyone have ideas how to sort this out? Or can someone tell me the order in which the reply passes through SNAT?


4 answers
EvilMan, 2013-12-17
@Yagoda123

If you need to select packets by their original addresses (before translation), you can use the conntrack match module.
A summary of the options for this match (can be viewed with iptables -m conntrack --help, as for all other matches):

[!] --ctstate {INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT}[,...]
                               State(s) to match
[!] --ctproto proto            Protocol to match; by number or name, e.g. "tcp"
[!] --ctorigsrc address[/mask]
[!] --ctorigdst address[/mask]
[!] --ctreplsrc address[/mask]
[!] --ctrepldst address[/mask]
                               Original/Reply source/destination address
[!] --ctorigsrcport port
[!] --ctorigdstport port
[!] --ctreplsrcport port
[!] --ctrepldstport port
                               TCP/UDP/SCTP orig./reply source/destination port
[!] --ctstatus {NONE|EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED}[,...]
                               Status(es) to match
[!] --ctexpire time[:time]     Match remaining lifetime in seconds against
                               value or range of values (inclusive)
    --ctdir {ORIGINAL|REPLY}   Flow direction of packet

But marking after SNAT won't work, since NAT is performed in nat/POSTROUTING, which comes AFTER mangle/POSTROUTING (see the diagram of packet flow through Netfilter). And in this case the routing decision is made before SNAT, so trying to route packets to another table after SNAT is already wrong. Can you elaborate on the diagram?

Gasoid, 2013-12-11
@Gasoid

mangle/POSTROUTING: in theory, packets get there later than nat/POSTROUTING.

German Sukhachev, 2013-12-12
@g3fox

Perhaps CONNMARK will help you somehow.

Yagoda123, 2013-12-18
@Yagoda123

It requires certain traffic (protocol, port, client IP) to pass through, let's say, a special analyzer on another host connected to the gateway.
Accordingly, the reply must also go through this additional node.
From the client's side it is simple. But there were problems with the reply.
Thanks, the --ctorigsrc match (the client's source address before SNAT) of the conntrack module did the trick when handling the reply in mangle/PREROUTING, plus an additional condition on --ctstate SNAT.
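As an added example that is not part of this thread, here is the complete rule set that EvilMan's answer and Yagoda123's confirmation above imply: the reply is marked in mangle/PREROUTING by matching the conntrack entry's original (pre-SNAT) tuple rather than the packet header, and an fwmark ip rule sends marked packets to a separate routing table. It is written as a POSIX shell script; the interface names (eth0, eth1, eth2), the addresses (10.0.0.5, 192.168.50.2), port 8080, mark 0x1 and table 100 are assumptions, not values from the original posts. By default it only prints the commands (DRY_RUN=1); set DRY_RUN=0 to apply them as root.

```shell
#!/bin/sh
# Added example (not from the thread): policy-route SNATed replies by the
# client's ORIGINAL address using the conntrack match in mangle/PREROUTING.
# All addresses, interfaces, ports, mark and table numbers are assumptions.
#
# Assumed topology:
#   LAN  $LAN_IF   10.0.0.0/24     grey clients, SNATed to the external range
#   WAN  $WAN_IF   203.0.113.0/28  external range held by the gateway
#   analyzer host  $ANALYZER       reachable through $ANALYZER_IF
# Traffic from $CLIENT to TCP port $PORT, and its replies, must cross the analyzer.

LAN_IF=${LAN_IF:-eth1}
WAN_IF=${WAN_IF:-eth0}
ANALYZER_IF=${ANALYZER_IF:-eth2}
ANALYZER=${ANALYZER:-192.168.50.2}
CLIENT=${CLIENT:-10.0.0.5}
PORT=${PORT:-8080}
MARK=${MARK:-0x1}
TABLE=${TABLE:-100}

# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it (needs root).
DRY_RUN=${DRY_RUN:-1}
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

policy_routing_rules() {
    # Table $TABLE: everything that carries the mark is sent to the analyzer.
    run ip route replace default via "$ANALYZER" dev "$ANALYZER_IF" table "$TABLE"
    # The fwmark is consulted at the routing decision. For forwarded packets that
    # decision comes after nat/PREROUTING, where the reply has already been
    # de-SNATed, so only the mark itself has to be set before that point.
    run ip rule add fwmark "$MARK" lookup "$TABLE" pref 1000
}

mark_rules() {
    # Client -> server: in mangle/PREROUTING the headers are still untranslated
    # (SNAT only happens in nat/POSTROUTING), so a plain -s/--dport match works.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$CLIENT" \
        -p tcp --dport "$PORT" -j MARK --set-mark "$MARK"
    # Server -> client (the reply): in mangle/PREROUTING the destination is still
    # the external, post-SNAT address, so the packet header cannot identify the
    # client. Match the conntrack entry's ORIGINAL tuple instead:
    #   --ctstate SNAT    only connections that were source-NATed
    #   --ctdir REPLY     only packets flowing back towards the client
    #   --ctorigsrc       the client's pre-SNAT address
    #   --ctorigdstport   the port the client originally connected to
    run iptables -t mangle -A PREROUTING -i "$WAN_IF" -p tcp \
        -m conntrack --ctstate SNAT --ctdir REPLY \
        --ctorigsrc "$CLIENT" --ctorigdstport "$PORT" \
        -j MARK --set-mark "$MARK"
    # Caveat: marked replies now leave via $ANALYZER_IF instead of the interface
    # they would normally use; if strict rp_filter is enabled on the analyzer leg
    # it may need to be relaxed, which is deliberately not automated here.
}

apply_all() {
    policy_routing_rules
    mark_rules
}

# Usage: DRY_RUN=1 sh policy_route.sh   (print)
#        DRY_RUN=0 sh policy_route.sh   (apply, as root)
apply_all
```

Check the result with `iptables -t mangle -L PREROUTING -v -n` (the reply rule's counters must grow when the server answers) and `ip route get <client-ip> mark 0x1`, which should resolve through the analyzer.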
