Hi, I can send packets from the mangle chain to l7-filter, but when analyzing the packets coming out on the filter chain you can see that the packets have not been marked.
l7-filter loads all the patterns flawlessly and does not give any error.

### POLICY ###
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t mangle -A FORWARD -i ppp0 -o eth1 -j NFQUEUE --queue-num 1
iptables -t mangle -A FORWARD -i eth1 -o ppp0 -j NFQUEUE --queue-num 1

# CHAIN #
iptables -N INtoOUT
iptables -N OUTtoIN
iptables -N INTERNETWORK

# FORWARD to CHAIN #
iptables -A FORWARD -i ppp0 -j OUTtoIN
iptables -A FORWARD -o ppp0 -j INtoOUT
iptables -A FORWARD -j DROP

iptables -A OUTtoIN -o eth1 -m mark --mark 4 -j ACCEPT
iptables -A OUTtoIN -o eth1 -p udp --dport 5060 -m mark --mark 7 -j ACCEPT
iptables -A OUTtoIN -o eth1 -p udp --dport 10000:20000 -m mark --mark 8 -j ACCEPT
iptables -A OUTtoIN -o eth1 -m mark --mark 5 -j ACCEPT
iptables -A OUTtoIN -j DROP

iptables -A INtoOUT -i eth1 -m mark --mark 3 -j ACCEPT
iptables -A INtoOUT -i eth1 -m mark --mark 4 -j ACCEPT
iptables -A INtoOUT -i eth1 -m mark --mark 5 -j ACCEPT
iptables -A INtoOUT -i eth1 -m mark --mark 6 -j ACCEPT
iptables -A INtoOUT -i eth1 -m mark --mark 7 -j ACCEPT
iptables -A INtoOUT -i eth1 -m mark --mark 8 -j ACCEPT
iptables -A INtoOUT -i eth1 -j LOG --log-prefix "DROP!!! "
iptables -A INtoOUT -j DROP

# l7-filter -f /etc/l7-protocols/l7filter.conf -q 1 -vv -p /etc/l7-protocols/protocols/
Attempting to read configuration from /etc/l7-protocols/l7filter.conf.metano
Attempting to load pattern from /etc/l7-protocols/protocols///imap.pat
pattern='^(\* ok|a[0-9]+ noop)' eflags=0 cflags=11
Added: imap mark=3
Attempting to load pattern from /etc/l7-protocols/protocols///pop3.pat
pattern='^(\+ok |-err )' eflags=0 cflags=11
Added: pop3 mark=3
Attempting to load pattern from /etc/l7-protocols/protocols///smtp.pat
pattern='^220[\x09-\x0d -~]* (E?SMTP|[Ss]imple [Mm]ail)' eflags=0 cflags=9
Added: smtp mark=3
Attempting to load pattern from /etc/l7-protocols/protocols///http.pat
pattern='http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*(connection:|content-type:|content-length:|date:)|post [\x09-\x0d -~]* http/[01]\.[019]' eflags=0 cflags=11
Added: http mark=4
Attempting to load pattern from /etc/l7-protocols/protocols///ftp.pat
pattern='^220[\x09-\x0d -~]*ftp' eflags=0 cflags=11
Added: ftp mark=4
Attempting to load pattern from /etc/l7-protocols/protocols///dns.pat
pattern='^.?.?.?.?[\x01\x02].?.?.?.?.?.?[\x01-?][a-z0-9][\x01-?a-z]*[\x02-\x06][a-z][a-z][fglmoprstuvz]?[aeop]?(um)?[\x01-\x10\x1c][\x01\x03\x04\xFF]' eflags=0 cflags=11
Added: dns mark=5
Attempting to load pattern from /etc/l7-protocols/protocols///vnc.pat
pattern='^rfb 00[1-9]\.00[0-9]\x0a$' eflags=0 cflags=11
Added: vnc mark=6
Attempting to load pattern from /etc/l7-protocols/protocols///sip.pat
pattern='^(invite|register|cancel|message|subscribe|notify) sip[\x09-\x0d -~]*sip/[0-2]\.[0-9]' eflags=0 cflags=11
Added: sip mark=7
Attempting to load pattern from /etc/l7-protocols/protocols///rtp.pat
pattern='^\x80[\x01-"`-\x7f\x80-\xa2\xe0-\xff]?..........*\x80' eflags=0 cflags=11
Added: rtp mark=8
Made key from ct: udp 17 src=192.168.2.3 dst=151.99.125.2 sport=33765 dport=53
Made key from ct: udp 17 src=192.168.2.3 dst=151.99.125.2 sport=45219 dport=53
Got packet, had no ct: udp 17 src=62.10.112.29 dst=192.168.1.159 sport=5061 dport=5060
Got packet, had no ct: udp 17 src=192.168.1.159 dst=151.99.250.2 sport=53310 dport=53
Got packet, had no ct: udp 17 src=192.168.1.233 dst=8.8.8.8 sport=58489 dport=53
Got packet, had no ct: udp 17 src=192.168.1.233 dst=8.8.8.8 sport=39654 dport=53
Got packet, had no ct: udp 17 src=62.10.112.29 dst=192.168.1.159 sport=5061 dport=5060
Got packet, had no ct: udp 17 src=192.168.1.233 dst=8.8.8.8 sport=46075 dport=53
Got packet, had no ct: udp 17 src=192.168.1.233 dst=8.8.8.8 sport=56026 dport=53
Got packet, had no ct: udp 17 src=192.168.1.233 dst=8.8.8.8 sport=34057 dport=53
Got packet, had no ct: udp 17 src=192.168.1.233 dst=8.8.8.8 sport=52035 dport=53
Got packet, had no ct: udp 17 src=192.168.1.233 dst=8.8.8.8 sport=56459 dport=53
Got packet, had no ct: udp 17 src=192.168.1.233 dst=8.8.8.8 sport=34241 dport=53
Got packet, had no ct: udp 17 src=192.168.1.233 dst=8.8.8.8 sport=45604 dport=53
Got packet, had no ct: udp 17 src=62.10.112.29 dst=192.168.1.159 sport=5061 dport=5060
Got packet, had no ct: udp 17 src=192.168.1.159 dst=151.99.125.2 sport=57961 dport=53
Got packet, had no ct: udp 17 src=192.168.1.233 dst=8.8.8.8 sport=58489 dport=53
Got packet, had no ct: udp 17 src=192.168.1.233 dst=8.8.8.8 sport=39654 dport=53
Got packet, had no ct: udp 17 src=62.10.112.29 dst=192.168.1.159 sport=5061 dport=5060
Got packet, had no ct: udp 17 src=62.10.112.29 dst=192.168.1.159 sport=5061 dport=5060
Got packet, had no ct: udp 17 src=62.10.112.29 dst=192.168.1.159 sport=5073 dport=5060
Got packet, had no ct: udp 17 src=62.10.112.29 dst=192.168.1.159 sport=5073 dport=5060
Got packet, had no ct: udp 17 src=192.168.1.159 dst=151.99.250.2 sport=53310 dport=53
Got packet, had no ct: udp 17 src=62.10.112.29 dst=192.168.1.159 sport=5073 dport=5060
Got packet, had no ct: udp 17 src=62.10.112.29 dst=192.168.1.159 sport=5061 dport=5060
Made key from ct: tcp 6 src=192.168.2.3 dst=62.70.27.118 sport=35755 dport=80
Got packet, had no ct: udp 17 src=62.10.112.29 dst=192.168.1.159 sport=5061 dport=5060
Got packet, had no ct: udp 17 src=62.10.112.29 dst=192.168.1.159 sport=5073 dport=5060
Made key from ct: tcp 6 src=192.168.2.3 dst=62.70.27.118 sport=35732 dport=80
Made key from ct: tcp 6 src=192.168.2.3 dst=62.70.27.118 sport=35733 dport=80
Got packet, had no ct: udp 17 src=192.168.1.159 dst=151.99.125.2 sport=40446 dport=53
Got packet, had no ct: udp 17 src=62.10.112.29 dst=192.168.1.159 sport=5061 dport=5060
Got packet, had no ct: udp 17 src=192.168.1.233 dst=8.8.8.8 sport=58800 dport=53
Got packet, had no ct: udp 17 src=62.10.112.29 dst=192.168.1.159 sport=5073 dport=5060
Got packet, had no ct: udp 17 src=192.168.1.233 dst=74.207.249.60 sport=123 dport=123
Got packet, had no ct: udp 17 src=192.168.1.233 dst=153.16.4.134 sport=123 dport=123
Got packet, had no ct: udp 17 src=62.10.112.29 dst=192.168.1.159 sport=5061 dport=5060
Got packet, had no ct: udp 17 src=192.168.1.159 dst=151.99.250.2 sport=33801 dport=53
Got packet, had no ct: udp 17 src=62.10.112.29 dst=192.168.1.159 sport=5073 dport=5060
Got packet, had no ct: udp 17 src=192.168.1.233 dst=8.8.8.8 sport=58800 dport=53
Made key from ct: tcp 6 src=192.168.2.3 dst=72.14.234.104 sport=32875 dport=80
Made key from ct: tcp 6 src=192.168.2.3 dst=72.14.234.95 sport=60846 dport=80
Made key from ct: tcp 6 src=192.168.2.3 dst=72.14.234.191 sport=44814 dport=80
Made key from ct: tcp 6 src=192.168.2.3 dst=72.14.234.191 sport=44818 dport=80
Made key from ct: tcp 6 src=192.168.2.3 dst=72.14.234.191 sport=44816 dport=80
Made key from ct: tcp 6 src=192.168.2.3 dst=72.14.234.191 sport=44817 dport=80
Made key from ct: tcp 6 src=192.168.2.3 dst=72.14.234.100 sport=51651 dport=80
Made key from ct: tcp 6 src=192.168.2.3 dst=64.191.203.30 sport=54432 dport=80
Got packet, had no ct: udp 17 src=192.168.1.204 dst=85.18.189.242 sport=123 dport=123

# tail -f /var/log/messages
Aug 5 03:23:06 xen-dom0 kernel: [116126.991650] DROP!!! IN=eth1 OUT=ppp0 SRC=192.168.1.233 DST=74.207.249.60 LEN=76 TOS=0x00 PREC=0xC0 TTL=63 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x1
Aug 5 03:23:06 xen-dom0 kernel: [116127.768316] DROP!!! IN=eth1 OUT=ppp0 SRC=192.168.1.159 DST=151.99.125.2 LEN=71 TOS=0x00 PREC=0x00 TTL=63 ID=13394 DF PROTO=UDP SPT=40703 DPT=53 LEN=51 MARK=0x1
Aug 5 03:23:11 xen-dom0 kernel: [116132.677311] DROP!!! IN=eth1 OUT=ppp0 SRC=192.168.1.159 DST=151.99.250.2 LEN=71 TOS=0x00 PREC=0x00 TTL=63 ID=14645 DF PROTO=UDP SPT=43358 DPT=53 LEN=51 MARK=0x1
Aug 5 03:23:15 xen-dom0 kernel: [116136.487151] DROP!!! IN=eth1 OUT=ppp0 SRC=192.168.1.233 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=14899 DF PROTO=UDP SPT=40872 DPT=53 LEN=40 MARK=0x1
Aug 5 03:23:15 xen-dom0 kernel: [116136.801616] DROP!!! IN=eth1 OUT=ppp0 SRC=192.168.1.233 DST=128.10.19.24 LEN=76 TOS=0x00 PREC=0xC0 TTL=63 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x1
Aug 5 03:23:16 xen-dom0 kernel: [116137.283845] DROP!!! IN=eth1 OUT=ppp0 SRC=192.168.1.204 DST=85.18.189.242 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x1
Aug 5 03:23:16 xen-dom0 kernel: [116137.586631] DROP!!! IN=eth1 OUT=ppp0 SRC=192.168.1.159 DST=151.99.125.2 LEN=61 TOS=0x00 PREC=0x00 TTL=63 ID=18397 DF PROTO=UDP SPT=40800 DPT=53 LEN=41 MARK=0x1
Aug 5 03:23:20 xen-dom0 kernel: [116141.485414] DROP!!! IN=eth1 OUT=ppp0 SRC=192.168.1.233 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=14900 DF PROTO=UDP SPT=40872 DPT=53 LEN=40 MARK=0x1
Aug 5 03:23:21 xen-dom0 kernel: [116142.495375] DROP!!! IN=eth1 OUT=ppp0 SRC=192.168.1.159 DST=151.99.250.2 LEN=61 TOS=0x00 PREC=0x00 TTL=63 ID=19648 DF PROTO=UDP SPT=54127 DPT=53 LEN=41 MARK=0x1
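Editor's note on the log above: every kernel LOG record the poster quotes carries MARK=0x1, while the patterns l7-filter reports loading assign only marks 3 through 8, so the dropped DNS and NTP packets reached the INtoOUT chain with a mark that no loaded pattern produces. The helper below is an added example, not part of the original post and not l7-filter's own code; it parses the "Added: <proto> mark=N" lines and the netfilter LOG records so that this comparison can be made mechanically over a larger log. The sample input is copied from the lines quoted above, plus one constructed non-LOG kernel line to show that unrelated messages are skipped.

```python
import re
from collections import Counter

# Sample input: the "Added:" lines copied from the l7-filter output quoted in the post.
L7_OUTPUT = """\
Added: imap mark=3
Added: pop3 mark=3
Added: smtp mark=3
Added: http mark=4
Added: ftp mark=4
Added: dns mark=5
Added: vnc mark=6
Added: sip mark=7
Added: rtp mark=8
"""

# Sample input: four LOG records copied from the post's /var/log/messages excerpt,
# plus one constructed, unrelated kernel line (the third one) that must be ignored.
KERNEL_LOG = """\
Aug 5 03:23:06 xen-dom0 kernel: [116126.991650] DROP!!! IN=eth1 OUT=ppp0 SRC=192.168.1.233 DST=74.207.249.60 LEN=76 TOS=0x00 PREC=0xC0 TTL=63 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x1
Aug 5 03:23:06 xen-dom0 kernel: [116127.768316] DROP!!! IN=eth1 OUT=ppp0 SRC=192.168.1.159 DST=151.99.125.2 LEN=71 TOS=0x00 PREC=0x00 TTL=63 ID=13394 DF PROTO=UDP SPT=40703 DPT=53 LEN=51 MARK=0x1
Aug 5 03:23:07 xen-dom0 kernel: [116128.000000] ppp0: constructed non-LOG line for the example
Aug 5 03:23:15 xen-dom0 kernel: [116136.487151] DROP!!! IN=eth1 OUT=ppp0 SRC=192.168.1.233 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=14899 DF PROTO=UDP SPT=40872 DPT=53 LEN=40 MARK=0x1
Aug 5 03:23:16 xen-dom0 kernel: [116137.283845] DROP!!! IN=eth1 OUT=ppp0 SRC=192.168.1.204 DST=85.18.189.242 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x1
"""

ADDED_RE = re.compile(r"^Added: (?P<proto>\S+) mark=(?P<mark>\d+)$")
# A netfilter LOG record: the log-prefix sits between the kernel timestamp and "IN=".
LOG_RE = re.compile(r"kernel: \[[\d.]+\] (?P<prefix>.*?)\s*IN=")


def parse_l7_marks(text):
    """Return {mark: [protocols]} for every 'Added: <proto> mark=<n>' line."""
    marks = {}
    for line in text.splitlines():
        m = ADDED_RE.match(line.strip())
        if m:
            marks.setdefault(int(m.group("mark")), []).append(m.group("proto"))
    return marks


def parse_nf_log_line(line):
    """Parse one iptables LOG record into a dict, or return None for other lines.

    KEY=VALUE tokens become entries; the first occurrence wins, so LEN holds the
    IP total length and the later UDP/TCP LEN is ignored. Bare tokens such as DF
    are collected under 'flags'. MARK is converted from its hex form to an int.
    """
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = {"prefix": m.group("prefix").strip(), "flags": []}
    for tok in line[m.end() - 3:].split():  # slice starts at the "IN=" token
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec.setdefault(key, val)
        else:
            rec["flags"].append(tok)
    if "MARK" in rec:
        rec["MARK"] = int(rec["MARK"], 16)
    return rec


def triage(kernel_log, l7_output):
    """Count dropped packets per (mark, proto, dport) and collect marks no pattern assigns."""
    assigned = parse_l7_marks(l7_output)
    counts = Counter()
    unexplained = set()
    for line in kernel_log.splitlines():
        rec = parse_nf_log_line(line)
        if rec is None or "MARK" not in rec:
            continue
        counts[(rec["MARK"], rec.get("PROTO"), rec.get("DPT"))] += 1
        if rec["MARK"] not in assigned:
            unexplained.add(rec["MARK"])
    return dict(counts), unexplained


if __name__ == "__main__":
    counts, unexplained = triage(KERNEL_LOG, L7_OUTPUT)
    for (mark, proto, dport), n in sorted(counts.items()):
        print(f"mark={mark} {proto} dport={dport}: {n} dropped")
    print("marks in the log that no loaded pattern assigns:", sorted(unexplained))
```

Feed it the full `/var/log/messages` excerpt and the full l7-filter `-vv` output and it reports, per mark and destination port, how many packets the LOG rule saw, and which of those marks never appear in an "Added:" line; on the post's data that set is {1}, which is the fact worth chasing before touching the filter chain rules.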