I was learning the ping command options. In that I found the -m option to set the mark for a packet.
The below command sends the packet with marking of 10 to 192.168.2.65:
ping -m 10 192.168.2.65
Using the below command I should be able to receive that packet at the destination:
iptables -A INPUT -m mark --mark 0xa -j ACCEPT
But the above command does not receive the marked packet. The above iptables command returns nothing.
Note: We both are having root permission.
- If you want to check that the packet is received, then one way would be to set up a rule to log those packets, then inspect the log file. – JBentley, May 23, 2016 at 10:18
2 Answers
That mark is internal and not included anywhere in the packet or any of its headers.
That means it gets lost when doing the actual outbound connection, and wouldn't be visible in the INPUT table of the target server, but you would see it in the OUTPUT table of the initiating machine.
The point of supporting a mark in ping is to allow outbound routing rules.
- Reread my answer. That mark is internal and not included in the packet. It is not sent to the destination server. – Julie Pelletier, May 23, 2016 at 5:07
- Yes and it works. Your confusion comes from the fact that you refuse to understand that the mark is internal. It can only be used by the machine that placed the mark for outbound rules. – Julie Pelletier, May 23, 2016 at 5:20
- As @JuliePelletier has tried to tell you several times, the mark can only be detected on the originating machine (or, if the packet is marked by iptables on a router that the packet passes through, only by the machine that adds the mark). The mark is internal to the networking stack of that machine, and does not become an attribute of the ping packet itself (so it can not be detected or acted upon on other machines). – cas, May 23, 2016 at 5:26
- The mark does not do what you want. Why did you want to use a mark? Answering this might bring you potential solutions. You're asking the wrong question. – Julie Pelletier, May 23, 2016 at 5:56
- The mark is only visible on the machine it gets set on. It is not possible to see that mark on the other machine. If you wish to address a specific problem, please mention it. Otherwise, find something more useful to do, as the ping's mark option does not do what you want. – Julie Pelletier, May 23, 2016 at 6:55
@Julie Pelletier's answer is 100% correct, but probably not very understandable to you.
First, as mentioned several times in the comments, the mark is not put into the ethernet packet on the wire. So if you ping server B from server A, server B will not ever be able to detect the mark. If you want to do anything, you'll have to use server A alone. So, you'll have to insert/append a rule to the OUTPUT chain of the sender to see anything.
Now, let's see how to use iptables. First, we want to see which rules are active in OUTPUT:
root@roran:~# iptables -L OUTPUT -n -v
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
root@roran:~#
Ok, no rules. Let's define a rule:
root@roran:~# iptables -I OUTPUT -m mark --mark 0xa -j ACCEPT
root@roran:~#
As you see, no output. But the kernel table has an entry now:
root@roran:~# iptables -L OUTPUT -n -v
Chain OUTPUT (policy ACCEPT 177 packets, 120K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0xa
root@roran:~#
The columns "pkts" and "bytes" are both 0, as no packets have gone out yet. Now, ping a different server, without setting a mark:
root@roran:~# ping -c 1 bermuda
PING bermuda (192.168.178.2) 56(84) bytes of data.
64 bytes from bermuda (192.168.178.2): icmp_seq=1 ttl=64 time=0.331 ms
[... some more lines omitted]
After that, the kernel table still hasn't matched anything:
root@roran:~# iptables -L OUTPUT -n -v
Chain OUTPUT (policy ACCEPT 348 packets, 160K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0xa
root@roran:~#
Next, try pinging with a mark set:
root@roran:~# ping -m 10 -c 1 bermuda
PING bermuda (192.168.178.2) 56(84) bytes of data.
64 bytes from bermuda (192.168.178.2): icmp_seq=1 ttl=64 time=0.324 ms
[... some more lines omitted]
and look at the table again:
root@roran:~# iptables -L OUTPUT -n -v
Chain OUTPUT (policy ACCEPT 631 packets, 319K bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    84 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0xa
root@roran:~#
Now, the rule has found one packet, which had 84 bytes.
If you want to experiment, after this, do iptables -F OUTPUT to clear the table; iptables -I OUTPUT -m mark --mark 0x0a -j REJECT to prevent marked packets from going out of your machine, then ping the other machine with and without mark. You'll see the marked packets not getting a reply, now, as the rule drops them.
- Then what is the use of mark in ping packets? – user171609, May 24, 2016 at 3:23
- Marks are used with tc to do QoS / traffic shaping, and when you have multiple routing tables to do load balancing, for example. – setenforce 1, May 24, 2016 at 15:46
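Added example, not part of the question or either answer: the counter check the second answer does by eye, automated in Python. It parses two "iptables -L OUTPUT -n -v" listings (constructed here in the same format as the answer's output) and reports which mark-match rules gained packets between them, which is the only place a local fwmark is ever observable. It also expands the K/M/G counter abbreviations iptables prints unless -x is given.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples: the OUTPUT chain before and after one marked ping,
# laid out like "iptables -L OUTPUT -n -v" (without -x, counters are
# abbreviated in K/M/G, so "120K" means ~120000 bytes).
BEFORE = """\
Chain OUTPUT (policy ACCEPT 348 packets, 160K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0xa
"""
AFTER = """\
Chain OUTPUT (policy ACCEPT 631 packets, 319K bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    84 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0xa
"""

_SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
# pkts, bytes, target, then anything up to the "mark match 0x.." match text.
_RULE_RE = re.compile(r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+.*?mark match (0x[0-9a-fA-F]+)")


def _counter(text: str) -> int:
    """Turn an iptables counter such as '84' or '120K' into an int."""
    m = re.fullmatch(r"(\d+)([KMG]?)", text)
    if not m:
        raise ValueError(f"bad counter: {text!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def mark_rule_counters(listing: str) -> Dict[int, Tuple[str, int, int]]:
    """Map fwmark value -> (target, pkts, bytes) for every 'mark match' rule."""
    rules: Dict[int, Tuple[str, int, int]] = {}
    for line in listing.splitlines():
        m = _RULE_RE.match(line)
        if m:  # header and "Chain ..." lines do not start with a counter
            pkts, byts, target, mark = m.groups()
            rules[int(mark, 16)] = (target, _counter(pkts), _counter(byts))
    return rules


def marks_seen(before: str, after: str) -> List[Tuple[int, int, int]]:
    """(mark, new_pkts, new_bytes) for rules whose counters grew, i.e. marks
    that passed through this host's OUTPUT chain between the two listings."""
    old = mark_rule_counters(before)
    seen = []
    for mark, (target, pkts, byts) in mark_rule_counters(after).items():
        _, p0, b0 = old.get(mark, (target, 0, 0))  # rule may be new
        if pkts > p0:
            seen.append((mark, pkts - p0, byts - b0))
    return seen


if __name__ == "__main__":
    for mark, pkts, byts in marks_seen(BEFORE, AFTER):
        print(f"mark {mark:#x}: {pkts} packet(s), {byts} byte(s) matched locally")
```

Pass the real listings captured with "iptables -L OUTPUT -n -v -x" to get exact counters instead of the rounded ones.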

