
I have a host on which I rewrite the saddr and daddr of IP packets coming to it; this is done by a program employing libnetfilter_queue. Basically it acts like a proxy. For example, a packet comes from 10.0.0.2 destined to this host (IPhost); we rewrite this packet to come from IPhost to e.g. google.com. I want to use conntrack to mark the reply packet google.com→IPhost so that it goes to the same queue, is rewritten, and is sent back to 10.0.0.2.

I use two PREROUTING rules:

iptables -tmangle -A PREROUTING -p tcp -s 10.0.0.2 -j CONNMARK --set-mark 0x10
iptables -tmangle -A PREROUTING -m connmark --mark 0x10 -j NFQUEUE

But the reply packets don't have this ctmark, and I see only the packet 10.0.0.2→IPhost in the conntrack program's output.

So the question is whether it is possible to do it like that, or do I not understand what CONNMARK does? I fancy it should set this mark on everything related to the connection, including reply packets.

1 Answer

Close. CONNMARK doesn't do anything to the packets - it just stashes a marking in the conntrack table with that session's entry. That connmark is meant to be used later with "--restore-mark" which is required to have a packet "inherit" the mark that was assigned to its connection.

This might break based on your rewriting of the packet in userspace. restore-mark might not associate the outgoing packet with the conntrack entry that was created using the original src/dst.
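The rule ordering the answer describes (restore the connection mark onto the packet first, then mark new flows, save the mark, and queue on the packet mark), as an added example that is not part of the original question or answer. It assumes NFQUEUE queue number 0 and wraps iptables so the rules are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: CONNMARK never marks packets itself, so the reply packets of a
# flow only carry the mark after "CONNMARK --restore-mark" copies the ctmark back.
: "${APPLY:=0}"          # APPLY=1 really runs iptables (needs root); default prints

ipt() {
    if [ "$APPLY" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

connmark_rules() {
    # 1. Copy an existing connection mark onto every packet of that connection.
    #    This is the step that lets reply packets inherit the mark.
    ipt -t mangle -A PREROUTING -j CONNMARK --restore-mark
    # 2. Only packets that are still unmarked (new flows) from 10.0.0.2 get 0x10.
    ipt -t mangle -A PREROUTING -m mark --mark 0 -p tcp -s 10.0.0.2 -j MARK --set-mark 0x10
    # 3. Persist the packet mark into the conntrack entry for the rest of the flow.
    ipt -t mangle -A PREROUTING -m mark --mark 0x10 -j CONNMARK --save-mark
    # 4. Queue on the packet mark, not on the connmark (assumed queue number 0).
    ipt -t mangle -A PREROUTING -m mark --mark 0x10 -j NFQUEUE --queue-num 0
    # Caveat from the answer: once userspace rewrites src/dst, the outgoing
    # IPhost->google.com packet belongs to a different conntrack tuple, so its
    # google.com->IPhost reply will not inherit 0x10 from the 10.0.0.2 entry.
}

connmark_rules
```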
