rubelahammad
just joined
Topic Author
Posts: 7
Joined: Thu Mar 14, 2019 11:28 am

Mark packet of certain website

Thu Mar 14, 2019 1:22 pm

Hi,

I am trying to mark packets of upload and download from/to a particular site using the following script.
> /ip firewall mangle print 
Flags: X - disabled, I - invalid, D - dynamic 
0     ;;; SERVER.COM
      chain=prerouting action=add-dst-to-address-list address-list=server address-list-timeout=none-dynamic in-interface=LAN content=server.com

1     ;;; no-mark
      chain=forward action=mark-connection new-connection-mark=no-mark passthrough=yes 

2     ;;; UPLOAD
      chain=forward action=mark-connection new-connection-mark=UPLOAD passthrough=yes dst-address-list=server out-interface=WAN

3     ;;; UPLOAD
      chain=forward action=mark-packet new-packet-mark=UPLOAD passthrough=no connection-mark=UPLOAD

4     ;;; DOWNLOAD
      chain=forward action=mark-connection new-connection-mark=DOWNLOAD passthrough=yes src-address-list=server in-interface=WAN

5     ;;; DOWNLOAD
      chain=forward action=mark-packet new-packet-mark=DOWNLOAD passthrough=no connection-mark=DOWNLOAD
    

My questions:
1. Could anyone please confirm if the following script should work?
2. If I disable the second (#2) connection marking in the script above, I think the script is not marking packets correctly. I am thinking like this because I assume a single connection is used for transmitting both upload and download packets, and thus, for subsequent upload/download packets, the connection marking remains unchanged.
3. If I use 'connection-state=new' while marking connections in the above script, should the behaviour remain the same?

Thanks in advance.
 
Sob
Forum Guru
Posts: 4780
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mark packet of certain website

Thu Mar 14, 2019 4:36 pm

It looks like it should work. But it's not nice at all: you're changing the connection mark twice for every single packet. First you remove the connection mark (#1), then every outgoing packet changes the connection mark to UPLOAD (#2) and every incoming packet changes it again to DOWNLOAD (#4), of course only after it's removed (#1). It doesn't make sense; you need only one connection mark, it's enough to set it once and it will stick.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
rubelahammad
just joined
Topic Author
Posts: 7
Joined: Thu Mar 14, 2019 11:28 am

Re: Mark packet of certain website

Tue Mar 19, 2019 10:56 am

> It looks like it should work. But it's not nice at all: you're changing the connection mark twice for every single packet. First you remove the connection mark (#1), then every outgoing packet changes the connection mark to UPLOAD (#2) and every incoming packet changes it again to DOWNLOAD (#4), of course only after it's removed (#1). It doesn't make sense; you need only one connection mark, it's enough to set it once and it will stick.
Thanks for your response. I tried to improve the rules. Could you please check the following rules?
 1    ;;; server.com
      chain=prerouting action=add-dst-to-address-list address-list=Server address-list-timeout=none-dynamic in-interface=LAN content=server.com

 2    ;;; SERVER_CONN
      chain=forward action=mark-connection new-connection-mark=SERVER_CONN passthrough=yes connection-state=new dst-address-list=Server

 3    ;;; UPLOAD
      chain=forward action=mark-packet new-packet-mark=UPLOAD passthrough=no connection-mark=SERVER_CONN out-interface=WAN

 4    ;;; SERVER_CONN
      chain=forward action=mark-connection new-connection-mark=SERVER_CONN passthrough=yes connection-state=new src-address-list=Server

 5    ;;; DOWNLOAD
      chain=forward action=mark-packet new-packet-mark=DOWNLOAD passthrough=no connection-mark=SERVER_CONN in-interface=WAN
Question:
Do I need rule #4 in the above script? I am asking this because I assume there is no possibility that a new connection was ever created from server.com. Am I right?

Thanks again.
 
pateutz
Frequent Visitor
Posts: 52
Joined: Wed Jan 11, 2012 5:55 pm

Re: Mark packet of certain website

Tue Mar 19, 2019 11:07 am

Hi

Do not forget to disable fast path if you want that marking packet to work.

All the best

Daniel
 
Sob
Forum Guru
Posts: 4780
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mark packet of certain website

Tue Mar 19, 2019 3:10 pm

You don't need #4, because it's exactly the same as #2, one is enough.

One small problem with connection-state=new in #2 is that it will miss the very first connection that added the address to the list (unless it was something non-tcp with "server.com" in the first packet). You could change it to connection-mark=no-mark, but it would be checking the address list for too many packets, so it's not perfect either.

You can also rethink if you really want to look for "server.com" in all outgoing packets, regardless of protocol and port.
 
rubelahammad
just joined
Topic Author
Posts: 7
Joined: Thu Mar 14, 2019 11:28 am

Re: Mark packet of certain website

Mon Apr 01, 2019 2:03 pm

> You don't need #4, because it's exactly the same as #2, one is enough.
>
> One small problem with connection-state=new in #2 is that it will miss the very first connection that added the address to the list (unless it was something non-tcp with "server.com" in the first packet). You could change it to connection-mark=no-mark, but it would be checking the address list for too many packets, so it's not perfect either.
>
> You can also rethink if you really want to look for "server.com" in all outgoing packets, regardless of protocol and port.
1.
#2 has dst-address-list=Server but #4 has src-address-list=Server, so I think they are not the same. Please correct me if I am wrong.

2.
#1 is adding the address in the 'prerouting' chain, #2 is checking the list in the 'forward' chain. I was under the impression that if I add the address in the prerouting chain, the new address would be visible in the 'forward' chain. That is why I did it this way. Please suggest if my assumption was wrong.

3. Yes, I agree, I should add protocol and/or port to improve it.

Thanks.
 
Sob
Forum Guru
Posts: 4780
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mark packet of certain website

Thu Apr 04, 2019 4:24 am

1) Sorry, I missed that. You'd only need #4 if you expect server to open new connections back to you.

2) Your assumption is partially correct. If #1 adds the address to the list, #2 will immediately see it, but only if #1 matched the very first packet of the connection, which would be true e.g. for DNS queries, but not for TCP connections.
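An added example, not from the thread or from RouterOS itself: a small model of the second ruleset (#1 content match in prerouting, #2 connection mark, #3 packet mark) run over constructed outgoing traffic, showing why connection-state=new in #2 skips the TCP connection that first adds the address while a non-TCP flow whose first packet carries the string is caught, and what the connection-mark=no-mark alternative changes. The addresses, payloads and the simplified connection-tracking model are assumptions of the example.

```python
# Toy model of the mangle chain from the thread; nothing here is RouterOS code.
from dataclasses import dataclass, field


@dataclass
class Packet:
    conn: str          # constructed connection id (stands in for a conntrack entry)
    proto: str         # "tcp" or "udp"
    dst: str           # destination address
    payload: str = ""  # constructed payload; "server.com" stands for the content match


@dataclass
class Router:
    use_new_state: bool = True   # True: rule #2 uses connection-state=new
    address_list: set = field(default_factory=set)   # the "Server" address list
    conn_marks: dict = field(default_factory=dict)   # connection id -> connection mark
    seen_conns: set = field(default_factory=set)     # connections conntrack has seen

    def mangle(self, pkt):
        """Return the packet mark ("UPLOAD" or None) assigned to one outgoing packet."""
        is_new = pkt.conn not in self.seen_conns   # connection-state=new: first packet only
        self.seen_conns.add(pkt.conn)
        # #1 prerouting: a content match adds the destination to the list before forward runs
        if "server.com" in pkt.payload:
            self.address_list.add(pkt.dst)
        # #2 forward: mark the connection once, gated either on "new" or on "still unmarked"
        gate = is_new if self.use_new_state else pkt.conn not in self.conn_marks
        if gate and pkt.dst in self.address_list:
            self.conn_marks[pkt.conn] = "SERVER_CONN"
        # #3 forward: the packet mark simply follows the connection mark
        return "UPLOAD" if self.conn_marks.get(pkt.conn) == "SERVER_CONN" else None


def simulate(use_new_state):
    """Run constructed traffic through the model and return the per-packet marks."""
    r = Router(use_new_state=use_new_state)
    flow = [
        Packet("udp1", "udp", "198.51.100.7", "query server.com"),   # string in first packet
        Packet("tcp1", "tcp", "203.0.113.10"),                       # SYN: no content yet
        Packet("tcp1", "tcp", "203.0.113.10"),                       # handshake ACK
        Packet("tcp1", "tcp", "203.0.113.10", "GET / Host: server.com"),
        Packet("tcp2", "tcp", "203.0.113.10"),                       # later connection, SYN
        Packet("tcp2", "tcp", "203.0.113.10", "GET / Host: server.com"),
    ]
    return [r.mangle(p) for p in flow]


if __name__ == "__main__":
    print("connection-state=new    :", simulate(True))
    print("connection-mark=no-mark :", simulate(False))
```

With connection-state=new the whole of tcp1 stays unmarked and only tcp2 is caught, while the no-mark variant marks tcp1 from the packet that carried the string onward; the udp flow is marked either way because its first packet already matched #1.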
