3

While learning the ping command options, I found the -m option, which sets a mark on a packet.

The command below sends a packet marked with 10 to 192.168.2.65.

ping -m 10 192.168.2.65

Using the command below, I am able to receive that packet at the destination.

iptables -A INPUT -m mark --mark 0xa -j ACCEPT

But the above command does not receive the marked packet; the iptables command returns nothing.

Note: we have root permission on both machines.

  • If you want to check that the packet is received, then one way would be to set up a rule to log those packets, then inspect the log file. – JBentley May 23 '16 at 10:18

2 Answers

7

That mark is internal and not included anywhere in the packet or any of its headers.

That means it gets lost when doing the actual outbound connection, and wouldn't be visible in the INPUT table of the target server, but you would see it in the OUTPUT table of the initiating machine.

The point of supporting a mark in ping is to allow outbound routing rules.

  • In the OUTPUT table also I am not able to see it. I am executing the following command: "iptables -A OUTPUT -m mark --mark 0xa -j ACCEPT" –  May 23 '16 at 04:51
  • I just tried that exact command and got the packets tracked on outbound. Are you looking at the wrong machine or the one that starts the ping? – Julie Pelletier May 23 '16 at 05:00
  • I am pinging from one system and running iptables on the destination system. I got nothing in the terminal output of the iptables command, but ping sends the packet successfully and the reply packet is also received successfully. –  May 23 '16 at 05:02
  • 2
    Reread my answer. That mark is internal and not included in the packet. It is not sent to the destination server. – Julie Pelletier May 23 '16 at 05:07
  • I also updated my answer for clarity. – Julie Pelletier May 23 '16 at 05:09
  • Please read this question; in this question they said we are able to receive the marked ping packets using iptables. http://unix.stackexchange.com/questions/281015/m-option-does-not-work-in-ping-command –  May 23 '16 at 05:15
  • 1
    Yes and it works. Your confusion comes from the fact that you refuse to understand that the mark is internal. It can only be used by the machine that placed the mark for outbound rules. – Julie Pelletier May 23 '16 at 05:20
  • I don't know what you mean by outbound rules for the mark. If marking is done, we are able to receive it with iptables; is that right or not? –  May 23 '16 at 05:23
  • 3
    As @JuliePelletier has tried to tell you several times, the mark can only be detected on the originating machine (or, if the packet is marked by iptables on a router that the packet passes through, only by the machine that adds the mark). The mark is internal to the networking stack of that machine, and does not become an attribute of the ping packet itself (so it can not be detected or acted upon on other machines). – cas May 23 '16 at 05:26
  • No. The other machine will never see that mark. An outbound rule would be done with iptables on the machine that starts the ping. – Julie Pelletier May 23 '16 at 05:27
  • How can I set the outbound rule to receive the marked ping packet with iptables? –  May 23 '16 at 05:40
  • You can not make rules for that on the remote (destination) server. You could only limit ping replies based on the machine's IP address. What problem are you trying to solve here? If you're worried about your users abusing the command, then perhaps a solution would be to make a wrapper script over the ping executable. – Julie Pelletier May 23 '16 at 05:50
  • If I am the destination, then how can I make the rule for the outbound? –  May 23 '16 at 05:54
  • I need to experiment with the -m option in ping. Normally ping executes and nothing changes in the ping output. So, using iptables, I am checking whether the marking is done correctly or not. –  May 23 '16 at 05:56
  • 3
    The mark does not do what you want. Why did you want to use a mark? Answering this might bring you potential solutions. You're asking the wrong question. – Julie Pelletier May 23 '16 at 05:56
  • I didn't ask the wrong question. In that question they said that, using iptables, we are able to receive the marked ping packet at the destination. I want to experiment with that. But iptables outputs nothing in the terminal. So, how can I receive the marked ping packet using the iptables command? –  May 23 '16 at 06:10
  • 2
    The mark is only visible on the machine it gets set. It is not possible to see that mark on the other machine. If you wish to address a specific problem, please mention it. Otherwise, find something more useful to do as the ping's mark option does not do what you want. – Julie Pelletier May 23 '16 at 06:55
  • 1
    also, iptables doesn't output anything to the terminal (except errors if you've made a mistake with its arguments and options). It sets packet filtering and logging rules in the kernel. – cas May 23 '16 at 08:54
4

@Julie Pelletier's answer is 100% correct, but probably not very understandable to you.

First, as mentioned several times in the comments, the mark is not put into the ethernet packet on the wire. So if you ping server B from server A, server B will not ever be able to detect the mark. If you want to do anything, you'll have to use server A alone. So, you'll have to insert/append a rule to the OUTPUT chain of the sender to see anything.

Now, let's see how to use iptables. First, we want to see which rules are active in OUTPUT:

root@roran:~# iptables -L OUTPUT -n -v
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination                                                                                           
root@roran:~#

Ok, no rules. Let's define a rule:

root@roran:~# iptables -I OUTPUT -m mark --mark 0xa -j ACCEPT
root@roran:~#

As you see, no output. But the kernel table has an entry now:

root@roran:~# iptables -L OUTPUT -n -v
Chain OUTPUT (policy ACCEPT 177 packets, 120K bytes)
 pkts bytes target     prot opt in     out     source               destination                                                                                           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0  mark match 0xa
root@roran:~#

The columns "pkts" and "bytes" are both 0, as no packets have gone out yet. Now, ping a different server, without setting a mark:

root@roran:~# ping -c 1 bermuda
PING bermuda (192.168.178.2) 56(84) bytes of data.
64 bytes from bermuda (192.168.178.2): icmp_seq=1 ttl=64 time=0.331 ms
[... some more lines omitted]

After that, the kernel table still hasn't matched anything:

root@roran:~# iptables -L OUTPUT -n -v
Chain OUTPUT (policy ACCEPT 348 packets, 160K bytes)
 pkts bytes target     prot opt in     out     source               destination                                                                                           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0  mark match 0xa
root@roran:~#

Next, try pinging with a mark set:

root@roran:~# ping -m 10 -c 1 bermuda
PING bermuda (192.168.178.2) 56(84) bytes of data.
64 bytes from bermuda (192.168.178.2): icmp_seq=1 ttl=64 time=0.324 ms
[... some more lines omitted]

and look at the table again:

root@roran:~# iptables -L OUTPUT -n -v
Chain OUTPUT (policy ACCEPT 631 packets, 319K bytes)
 pkts bytes target     prot opt in     out     source               destination                                                                                           
    1    84 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0  mark match 0xa
root@roran:~#

Now, the rule has found one packet, which had 84 bytes.

If you want to experiment, after this, do iptables -F OUTPUT to clear the table; iptables -I OUTPUT -m mark --mark 0x0a -j REJECT to prevent marked packets from going out of your machine, then ping the other machine with and without mark. You'll see the marked packets not getting a reply, now, as the rule drops them.
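The two answers agree that the only evidence a marked ping ever leaves a trace is the packet counter of a mark-matching rule in the sender's OUTPUT chain, and that this counter is read from `iptables -L OUTPUT -n -v` rather than from any terminal output of the rule-adding command. The script below is an added example (not code from either answer) that automates that check: it parses two listings in the format shown in the second answer and reports whether the mark rule's counter rose. The two listings are constructed samples modelled on the answer's output, so the script runs unprivileged and offline; on a real sender you would capture the listings yourself before and after the marked ping.

```shell
#!/bin/sh
# Added example: read the pkts counter of a "mark match" rule out of
# `iptables -L OUTPUT -n -v` output and decide whether a marked ping
# passed through the sender's OUTPUT chain. Not part of the original answers.

# Constructed sample: listing taken before any marked ping was sent.
BEFORE='Chain OUTPUT (policy ACCEPT 348 packets, 160K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0  mark match 0xa'

# Constructed sample: listing taken after `ping -m 10 -c 1 bermuda`
# (one 84-byte ICMP echo request, as in the answer).
AFTER='Chain OUTPUT (policy ACCEPT 631 packets, 319K bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    84 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0  mark match 0xa'

# mark_rule_pkts LISTING MARK
# Prints the pkts column of the first rule whose match is "mark match MARK".
# MARK is normalised through shell arithmetic, so 0xa, 0x0a and 10 all name
# the same rule; iptables itself prints the mark in lowercase hex.
# Prints nothing if no such rule exists in the listing.
mark_rule_pkts() {
    want_hex=$(printf '0x%x' "$(( $2 ))")
    printf '%s\n' "$1" | awk -v want="$want_hex" '
        /mark match/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "mark" && $(i + 1) == "match" && tolower($(i + 2)) == want) {
                    print $1   # first column of a rule row is the pkts counter
                    exit
                }
            }
        }'
}

# marked_ping_was_seen BEFORE_LISTING AFTER_LISTING MARK
# True (exit 0) when the mark rule exists in both listings and its pkts
# counter increased between them; that increase is the only visible trace
# the mark leaves, and only on the machine that set it.
marked_ping_was_seen() {
    pkts_before=$(mark_rule_pkts "$1" "$3")
    pkts_after=$(mark_rule_pkts "$2" "$3")
    [ -n "$pkts_before" ] && [ -n "$pkts_after" ] && [ "$pkts_after" -gt "$pkts_before" ]
}

# Stand-alone run over the constructed samples.
if marked_ping_was_seen "$BEFORE" "$AFTER" 0xa; then
    echo "mark 0xa rule counter rose from $(mark_rule_pkts "$BEFORE" 0xa) to $(mark_rule_pkts "$AFTER" 0xa): the marked ping left via OUTPUT"
else
    echo "mark 0xa rule counter unchanged: no marked packet passed the OUTPUT chain"
fi
```

Two practical notes on using this against live output. First, `iptables -L -v` abbreviates large counters with K/M/G suffixes (the answer's own listings show `120K bytes` in the policy line); add `-x` (`--exact`) when capturing so the pkts column is always a plain integer. Second, the same script fed listings from the destination machine's INPUT chain will always report the counter unchanged, because the mark never reaches the wire; that is the negative result the first answer predicts, not a parsing failure.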