14.2.16. Tagging Packets

Tagging packets (or packet marking) can be a very useful option that allows you to match a packet at one point in the rule set but act on it later on. This option can be combined with rule actions or rule branching for even more flexibility. Tagging can also be used to interact with packet processing not intended to enforce security policies, such as traffic shaping or QoS. Packet tags assigned by iptables can later be used for traffic shaping with the Linux utility "tc".

Not every target platform supports packet tagging; see Section 7.2.7 for details on platform support for tagging.

In Firewall Builder, packet tagging is accomplished using a special service object type called TagService. First, you create a TagService object, specifying a tag number or a string. To use this object to match tagged packets, just drop the object into the Service rule element in a policy rule. To mark a packet with the tag, select the Tag option from the Options context menu and drop the TagService object into the well in the Options dialog. Let's use an example given in the "A Practical Guide to Linux Traffic Control" (http://blog.edseek.com/~jasonb/articles/traffic_shaping/index.shtml) to illustrate this. They show how packets can be tagged using iptables target "MARK" so that they can be placed in the right queue for traffic shaping later on. The iptables rule we will create looks like this:

iptables -t mangle -A POSTROUTING -o eth2 -p tcp --sport 80 -j MARK --set-mark 1

Note how the rule should be placed in the table "mangle", chain "POSTROUTING". This is how the target MARK works; the administrator is expected to know this if they write iptables rules by hand.

We start with a tag service object configured with tag "1":

Figure 14.40. Simple TagService Object

Simple TagService Object

We also need a TCP service object to match source port 80:

Figure 14.41. TCP Service to Match Source Port 80

TCP Service to Match Source Port 80

And now the rule:

Figure 14.42. Rule Matching the Tag Service

Rule Matching the Tag Service

In order to replicate the rule from the Guide, I leave Source and Destination "any", put outside interface of the firewall in "Interface" column, set direction to "Outbound", set action to "Tag" and make it stateless. The following screenshots demonstrate how this is done:

Figure 14.43. Configuring the Tag Action

Configuring the Tag Action

Figure 14.44. Configuring Rule Options to Make the Rule Stateless

Configuring Rule Options to Make the Rule Stateless

This configuration makes Firewall Builder generate an iptables command that is exactly the same as the one given in "A Practical Guide to Linux Traffic Control."

The rule, reproduced from the Guide, is stateless and matches and tags every reply HTTP packet crossing the firewall. This is not very efficient in case the firewall has to forward heavy HTTP traffic because it has to work on every single packet. To make things more efficient, iptables can mark whole sessions which means individual packets can be marked automatically as long as they belong to the session that was marked once. To use this feature with Firewall Builder, turn on the checkbox "Mark connections created by packets that match this rule" in the dialog Figure 14.43, where you configure options for the rule action and where the well into which you had to drop the tag service object is located. This checkbox modifies generated iptables script by adding a call to CONNMARK iptables target that marks whole connection and also by adding the following rule on top of the script:

# ================ Table 'mangle', automatic rules
$IPTABLES -t mangle -A PREROUTING -j CONNMARK --restore-mark

This rule automatically restores mark on the packets that belong to the marked session.


Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.
 Using free CSS Templates.