firehol-connmark(5) | 3.1.7 | firehol-connmark(5) |
NAME¶
firehol-connmark - set a stateful mark from the connmark group
SYNOPSIS¶
{ connmark | connmark46 } value chain rule-params
connmark4 value chain rule-params
connmark6 value chain rule-params
DESCRIPTION¶
Marks on packets can be matched by traffic shaping, routing, and firewall rules for controlling traffic.
Note
Behaviour changed significantly in FireHOL v3 compared to earlier versions.
FireHOL uses iptables masks to break the single 32-bit integer mark value into smaller groups and allows you to set and match them independently. The markdef group definitions that set this up are found in firehol-defaults.conf.
The connmark helper command sets values within the connmark group. You can set a value between 0 (no mark) and size-1. The default size for connmark is 64, so 63 is the highest value possible. The default connmark type is stateful+permanent, meaning the initial match is only done on NEW packets and the mark is then restored to all packets in the connection.
The chain will be used to find traffic to mark. It can be any of the iptables(8) built-in chains belonging to the mangle table. The chain names are: INPUT, FORWARD, OUTPUT, PREROUTING and POSTROUTING. The names are case-sensitive.
The rule-params define a set of rule parameters to match the traffic that is to be marked within the chosen chain. See firehol-params(5) for more details.
Any connmark commands must be declared before the first router or interface.
Note
If you want to do policy based routing based on iptables(8) marks, you will need to disable Reverse Path Filtering on the interfaces involved (rp_filter in sysctl).
FireQOS will read the FireHOL mark definitions and set up suitable offsets and marks for the various groups. If you are using a different tool, you should look at the emitted firewall to determine the final masks and values to use.
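As an added example (not FireHOL's own code), the bit arithmetic behind the group masks: it assumes a constructed layout in which usermark occupies the low 8 bits and connmark the next 6, computes each group's mask, encodes a connmark value into the value/mask pair that `iptables -m connmark --mark` and `-j CONNMARK --set-xmark` expect, and splits a raw mark back into per-group values. The real offsets come from the markdef lines in firehol-defaults.conf and the emitted rules, not from this layout.

```python
MARK_BITS = 32

def layout(groups):
    """groups: ordered list of (name, size). Returns {name: (offset, bits, mask)}.
    Assumption for this example: groups are packed low bits first, in order."""
    out, offset = {}, 0
    for name, size in groups:
        if size < 2 or size & (size - 1):
            raise ValueError(f"{name}: size {size} must be a power of two")
        bits = size.bit_length() - 1
        if offset + bits > MARK_BITS:
            raise ValueError("groups do not fit in the 32-bit mark")
        out[name] = (offset, bits, ((1 << bits) - 1) << offset)
        offset += bits
    return out

def encode(groups, name, value):
    """(shifted value, mask) for setting or matching group `name` to `value`."""
    offset, bits, mask = layout(groups)[name]
    size = 1 << bits
    if not 0 <= value < size:          # page: valid values are 0 .. size-1
        raise ValueError(f"{name}: value must be 0..{size - 1}")
    return (value << offset, mask)

def match_arg(groups, name, value):
    """value/mask in the hex form iptables prints for --mark / --set-xmark."""
    v, m = encode(groups, name, value)
    return f"0x{v:x}/0x{m:x}"

def decode(groups, mark):
    """Split a raw 32-bit mark into the value held by each group."""
    return {n: (mark & m) >> off for n, (off, _, m) in layout(groups).items()}

# Constructed layout: usermark (256 values, 8 bits) then connmark (64 values, 6 bits).
GROUPS = [("usermark", 256), ("connmark", 64)]

if __name__ == "__main__":
    print(match_arg(GROUPS, "connmark", 3))   # 0x300/0x3f00
    print(decode(GROUPS, 0x305))              # {'usermark': 5, 'connmark': 3}
```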
EXAMPLES¶
    # mark with 1, packets sent by the local machine
    connmark 1 OUTPUT

    # mark with 2, packets routed by the local machine
    connmark 2 FORWARD

    # mark with 3, packets routed by the local machine, sent from
    # 192.0.2.2 destined for port TCP/25 of 198.51.100.1
    connmark 3 FORWARD proto tcp dport 25 dst 198.51.100.1 src 192.0.2.2
SEE ALSO¶
- firehol(1) - FireHOL program
- firehol.conf(5) - FireHOL configuration
- firehol-params(5) - optional rule parameters
- firehol-mark(5) - set a stateful mark from the usermark group
- iptables(8) (http://ipset.netfilter.org/iptables.man.html) - administration tool for IPv4 firewalls
- ip6tables(8) (http://ipset.netfilter.org/ip6tables.man.html) - administration tool for IPv6 firewalls
- ip(8) - show / manipulate routing, devices, policy routing and tunnels
- FireHOL Website (http://firehol.org/)
- Working With Marks Wiki Page (https://github.com/firehol/firehol/wiki/Working-with-MARKs)
- FireHOL Online PDF Manual (http://firehol.org/firehol-manual.pdf)
- FireHOL Online Documentation (http://firehol.org/documentation/)
- Linux Advanced Routing & Traffic Control HOWTO (http://lartc.org/howto/)
- This variable includes all the IP addresses defined by IANA (http://www.iana.org/) as reserved.
You can override the default values by creating a file called /etc/firehol/RESERVED_IPS.
Now that IPv4 address space has all been allocated there is very little reason that this value will need to change in future.
- MULTICAST_IPS
- This variable includes all the IP addresses defined as Multicast by RFC 3330 (https://tools.ietf.org/html/rfc3330).
You can override the default values by creating a file called /etc/firehol/MULTICAST_IPS.
ADDING SERVICES¶
To define new services, add the appropriate lines before the point where the service is used in the configuration file.
The following are required:
server_myservice_ports="proto/sports"
client_myservice_ports="cports"
proto is anything iptables(8) accepts e.g. "tcp", "udp", "icmp", including numeric protocol values.
sports is the ports the server is listening at. It is a space-separated list of port numbers, names and ranges (from:to). The keyword any will match any server port.
cports is the ports the client may use to initiate a connection. It is a space-separated list of port numbers, names and ranges (from:to). The keyword any will match any client port. The keyword default will match default client ports. For the local machine (e.g. a client within an interface) it resolves to the sysctl(8) variable net.ipv4.ip_local_port_range (or /proc/sys/net/ipv4/ip_local_port_range). For a remote machine (e.g. a server within an interface or anything in a router) it resolves to the variable DEFAULT_CLIENT_PORTS (see firehol-defaults.conf(5)).
The following are optional:
require_myservice_modules="modules"
require_myservice_nat_modules="nat-modules"
The named kernel modules will be loaded when the definition is used. The NAT modules will only be loaded if FIREHOL_NAT is non-zero (see firehol-defaults.conf(5)).
For example, for a service named daftnet that listens at two ports, port 1234 TCP and 1234 UDP, where the expected client ports are the default random ports a system may choose plus the same port numbers the server listens at, and where further dynamic ports require kernel modules to be loaded:
    # Setup service
    server_daftnet_ports="tcp/1234 udp/1234"
    client_daftnet_ports="default 1234"
    require_daftnet_modules="ip_conntrack_daftnet"
    require_daftnet_nat_modules="ip_nat_daftnet"

    interface eth0 lan0
        server daftnet accept

    interface eth1 lan1
        client daftnet reject

    router lan2lan inface eth0 outface eth1
        route daftnet accept
Where multiple ports are provided (as in the example), FireHOL simply determines all of the combinations of client and server ports and generates multiple iptables(8) statements to match them.
To create more complex rules, or stateless rules, you will need to create a bash function prefixed with rules_, e.g. rules_myservice. The best reference is the many such functions in the main firehol(1) script.
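An added example (not FireHOL's own code) of the port expansion described above: it parses the server_*/client_* definition strings in the page's format (proto/ports, names, from:to ranges, any, default) and lists every (proto, server port, client port) combination, rendered as the iptables port match each rule needs. DEFAULT_CLIENT_PORTS here is a constructed stand-in for the value in firehol-defaults.conf.

```python
from itertools import product
# Constructed stand-in for DEFAULT_CLIENT_PORTS (firehol-defaults.conf sets the real one).
DEFAULT_CLIENT_PORTS = "1024:65535"

def parse_ports(spec, default=None):
    """Expand a space-separated port list: numbers, names, from:to ranges,
    'any' (kept as None = no port match) and 'default' (client side only)."""
    out = []
    for tok in spec.split():
        if tok == "any":
            out.append(None)
        elif tok == "default":
            if default is None:
                raise ValueError("'default' is only valid for client ports")
            out.extend(parse_ports(default))
        else:
            if ":" in tok and int(tok.split(":")[0]) > int(tok.split(":")[1]):
                raise ValueError(f"bad range {tok}")
            out.append(tok)   # number, name (iptables resolves it) or from:to range
    return out

def parse_server_ports(spec):
    """'proto/ports proto/ports ...' -> list of (proto, port)."""
    out = []
    for tok in spec.split():
        proto, sep, ports = tok.partition("/")
        if not sep or not ports:
            raise ValueError(f"expected proto/ports, got {tok!r}")
        out.extend((proto, p) for p in parse_ports(ports))
    return out

def combinations(server_spec, client_spec):
    """Every (proto, server port, client port) triple FireHOL must match."""
    servers = parse_server_ports(server_spec)
    clients = parse_ports(client_spec, default=DEFAULT_CLIENT_PORTS)
    return [(proto, sp, cp) for (proto, sp), cp in product(servers, clients)]

def as_iptables_matches(server_spec, client_spec):
    """Render each triple as the -p/--dport/--sport match of a client->server rule."""
    rules = []
    for proto, sp, cp in combinations(server_spec, client_spec):
        m = f"-p {proto}"
        if sp is not None:
            m += f" --dport {sp}"
        if cp is not None:
            m += f" --sport {cp}"
        rules.append(m)
    return rules
```

Running `as_iptables_matches("tcp/1234 udp/1234", "default 1234")` yields the four matches the daftnet definition above expands to.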
When adding a service which uses modules, or via a custom function, you may also wish to include the following:
ALL_SHOULD_ALSO_RUN="${ALL_SHOULD_ALSO_RUN} myservice"
which will ensure your service is set up correctly as part of the all service.
Note
To allow definitions to be shared you can instead create files and install them in the /etc/firehol/services directory with a .conf extension.
The first line must read:
    #FHVER: 1:213
1 is the service definition API version. It will be changed if the API is ever modified. The 213 originally referred to a FireHOL 1.x minor version but is no longer checked.
FireHOL will refuse to run if the API version does not match the expected one.
DEFINITIONS¶
- firehol-interface(5) - interface definition
- firehol-router(5) - router definition
SUBCOMMANDS¶
- firehol-policy(5) - policy command
- firehol-protection(5) - protection command
- firehol-server(5) - server, route commands
- firehol-client(5) - client command
- firehol-group(5) - group command
HELPER COMMANDS¶
These helpers can be used in interface and router definitions as well as before them:
- firehol-iptables(5) - iptables helper
- firehol-masquerade(5) - masquerade helper
This helper can be used in router definitions as well as before any router or interface:
- firehol-tcpmss(5) - tcpmss helper
CONFIGURATION HELPER COMMANDS¶
These helpers should only be used outside of interface and router definitions (i.e. before the first interface is defined).
- firehol-version(5) - version config helper
- firehol-action(5) - action config helper
- firehol-blacklist(5) - blacklist config helper
- firehol-classify(5) - classify config helper
- firehol-connmark(5) - connmark config helper
- firehol-dscp(5) - dscp config helper
- firehol-mac(5) - mac config helper
- firehol-mark(5) - mark config helper
- firehol-nat(5) - nat, snat, dnat, redirect helpers
- firehol-proxy(5) - transparent proxy/squid helpers
- firehol-tos(5) - tos config helper
- firehol-tosfix(5) - tosfix config helper
SEE ALSO¶
- firehol(1) - FireHOL program
- firehol-defaults.conf(5) - control variables
- firehol-services(5) - services list
- firehol-actions(5) - actions for rules
- FireHOL Website (http://firehol.org/)
- FireHOL Online PDF Manual (http://firehol.org/firehol-manual.pdf)
- FireHOL Online Documentation (http://firehol.org/documentation/)
AUTHORS¶
FireHOL Team.
Built 31 Dec 2020 | FireHOL Reference |