First time here? Check out the FAQ!
THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

Where is the iptables MARK location in my case?

In my Server, I emptied all the iptables rules, and then add below rule:

iptables -t mangle -N DIVERT  
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

iptables -t mangle -A DIVERT -j MARK --set-mark 1  
iptables -t mangle -A DIVERT -j ACCEPT

I can check it:

[root@localhost go-tproxy]# iptables -n -L  -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DIVERT     tcp  --  0.0.0.0/0            0.0.0.0/0            socket

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain DIVERT (1 references)
target     prot opt source               destination         
MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK set 0x1
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

You see the MARK set 0x1 tag in rules, and then I useping www.demo.comand `curl -vo 1 'https://google.com' to test the data. and I capture the packages by wireshark, you can check: https://github.com/moonshineBoy/paste...

I didn't find the location of the MARK set 0x1 in capture-https.pcapng, please tell me where is the MARK location.

markleo's avatar
7
markleo
asked 2022-04-09 10:17:47 +0000, updated 2022-04-09 10:27:44 +0000
edit flag offensive 0 remove flag close merge delete

Comments

add a comment see more comments

1 Answer

0

The iptables and netfilter documentation have a lot about how to use marks but not how they are implemented.
External articles say that they are virtual (in the kernel) and never reach an interface where Wireshark can see them.

How --set-mark option works on Netfilter (IPTABLES)?

It's only purely virtual and internal, as it can have no existence on the wire.

A Deep Dive into Iptables and Netfilter Architecture

This table can also place an internal kernel “mark” on the packet for further processing in other tables and by other networking tools. This mark does not touch the actual packet, but adds the mark to the kernel’s representation of the packet.

Chuckc's avatar
3k
Chuckc
answered 2022-04-09 15:05:43 +0000
edit flag offensive 0 remove flag delete link
more

Comments

then how can kernel identify the actual packet? so the mark in kernel can correspond the actual packet.

markleo's avatar markleo (2022-04-10 05:43:20 +0000) edit
more
  • delete
add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer