Connection mark in custom chain
Posted: Wed Nov 28, 2007 1:09 pm
by cpresto
Hi all,
as described in previous post
http://forum.mikrotik.com/viewtopic.php?f=2&t=20107,
it seems that connection-mark doesn't work properly in chains different from MT defined ones.
E.g., using a custom chain, called "known", to identify traffic with dest-port<1024, ftp connections in passive mode are not matched when the ftp server changes its listening port. Instead, using the prerouting chain, everything works fine. Any idea?
Re: Connection mark in custom chain
Posted: Wed Nov 28, 2007 5:23 pm
by galaxynet
cpresto -
First - double post - folks probably didn't answer the first time because what you have doesn't make sense, and it doesn't make sense the second time either....
Second, don't send us the 'add' command, show us what the router has by using terminal mode and 'dumping' them to a screen that you can copy and paste here. Showing us the add portion only lets us know that you 'added' it; there is no sense as to where this has been added in the chain(s) (order). Rule order is what this is all about.
Third - what is your goal here? Are you using multiple gateways and are trying to force traffic out a particular gateway, or maybe queuing traffic to establish some sort of QoS, or limit certain types of traffic, etc.... What?
What are you using? ROS on a PC? ROS on an RB? What version of ROS are you using? 2.9.48, 3.10rc - what?
Go to the service ports in /ip firewall service-ports and make sure the helpers there that you want to use are enabled (ftp, h323, gre, etc).
Mangle -
The best way to mark traffic is to first mark the connection, then mark the packets. Then you can filter based on your needs (queues like packet marks - other portions favor connection marks... In the end doing it this way is also an efficient use of router resources).
What it looks like you are trying to do is mark everything that has a destination port of <1024, both TCP and UDP. Here is a sample set for tcp....
0 chain=prerouting protocol=tcp dst-port=0-1024 connection-state=established action=mark-connection new-connection-mark=test passthrough=yes
1 chain=prerouting protocol=tcp dst-port=0-1024 connection-state=new action=mark-connection new-connection-mark=test passthrough=yes
2 chain=prerouting protocol=tcp dst-port=0-1024 connection-state=related action=mark-connection new-connection-mark=test passthrough=yes
3 chain=prerouting connection-mark=test action=mark-packet new-packet-mark=test_packet_mark passthrough=yes
4 chain=prerouting packet-mark=test_packet_mark action=jump jump-target=known (you could also use connection mark here instead of packet mark....)
5 chain=known packet-mark=test_packet_mark action=mark-routing new-routing-mark=test_routing_mark passthrough=no (you could also use connection mark here instead of packet mark....)
In the above rule set there is no interface 'selected' as you didn't indicate one. I use the 'in-interface' portion in my rule sets. Typically you would mark your outgoing traffic to keep it going out the same gateway. Sometimes however (and this is what it looks like you are trying to achieve) it is marking traffic coming 'in' to the router being forwarded (like ftp) to a server, and then 'marking' the server's reply so that the connections enter/leave a particular gateway.
Thom
Re: Connection mark in custom chain
Posted: Wed Nov 28, 2007 6:01 pm
by cpresto
Thank you galaxynet for reply.
First - double post - I've double posted because I thought the first was not clear enough... also this seems to have the same problem
Second - I've done a cut/paste operation because I thought that this compact form might be easier to read.
I've several ADSL ethernet routers connected to several MT interfaces, and what I currently do is let customers do traffic on different lines, based on their IP address and type of traffic: known traffic (tcp, udp < 1024, VNC, Remote Desktop, MSN, etc...) and unknown traffic (Rapidshare, P2P).
Known traffic does not go inside a queue, so mark-packet should not be needed. Unknown traffic goes through a queue.
Please find here below all mangles applied:
/ ip firewall mangle
add chain=forward action=log connection-state=new out-interface=!Auth \
dst-address=!172.21.0.0/16 dst-port=!4662 protocol=tcp \
src-address-list=PPPoE_Clienti log-prefix="p2k" comment="" disabled=no
add chain=input action=accept dst-port=8291 protocol=tcp comment="WinBox" \
disabled=no
add chain=prerouting action=accept dst-port=8291 protocol=tcp comment="" \
disabled=no
add chain=forward action=accept dst-port=8291 protocol=tcp comment="" \
disabled=no
add chain=prerouting action=accept src-address=81.174.63.xx comment="traffico \
varapodio" disabled=no
add chain=prerouting action=accept dst-address=81.174.63.xx comment="" \
disabled=no
add chain=prerouting action=accept dst-port=8000 protocol=tcp comment="CPE web \
management" disabled=no
add chain=prerouting action=accept src-port=8000 protocol=tcp comment="" \
disabled=no
add chain=prerouting action=accept src-address=192.168.5.98 \
dst-address=172.21.254.6 comment="" disabled=no
add chain=prerouting action=accept protocol=icmp dst-address-list=management \
comment="ICMP" disabled=no
add chain=prerouting action=jump jump-target=known protocol=icmp comment="" \
disabled=no
add chain=prerouting action=jump jump-target=unknown protocol=tcp \
dst-address-list=rapidshare comment="###### RAPIDSHARE" disabled=no
add chain=prerouting action=jump jump-target=unknown protocol=tcp \
src-address-list=rapidshare comment="" disabled=no
add chain=prerouting action=jump jump-target=unknown protocol=tcp \
src-address-list=megaupload comment="###### Megaupload " disabled=no
add chain=prerouting action=jump jump-target=unknown protocol=tcp \
dst-address-list=megaupload comment="" disabled=no
add chain=prerouting action=mark-connection new-connection-mark=knowntest \
passthrough=yes src-address=172.21.254.222 comment="" disabled=yes
add chain=prerouting action=mark-routing new-routing-mark=vs-Telecom \
passthrough=no src-address=172.21.254.222 protocol=tcp \
connection-mark=knowntest comment="" disabled=yes
add chain=prerouting action=jump jump-target=known dst-port=110 protocol=tcp \
comment="" disabled=no
add chain=prerouting action=jump jump-target=known dst-port=0-1024 \
protocol=tcp comment="###### TCP < 1024" disabled=no
add chain=prerouting action=jump jump-target=known dst-port=0-1024 \
protocol=udp comment="###### UDP < 1024" disabled=no
add chain=prerouting action=jump jump-target=known dst-port=8899 protocol=tcp \
comment="###### DUDE" disabled=no
add chain=prerouting action=jump jump-target=known dst-port=1200-1281 \
protocol=tcp comment="###### Porte MSN" disabled=no
add chain=prerouting action=jump jump-target=known dst-port=1862 protocol=tcp \
comment="" disabled=no
add chain=prerouting action=jump jump-target=known dst-port=1863 protocol=tcp \
comment="" disabled=no
add chain=prerouting action=jump jump-target=known dst-port=2210 protocol=tcp \
comment="" disabled=no
add chain=prerouting action=jump jump-target=known dst-port=6821-6900 \
protocol=tcp comment="" disabled=no
add chain=prerouting action=jump jump-target=known dst-port=9000-9010 \
protocol=tcp comment="" disabled=no
add chain=prerouting action=jump jump-target=known src-address=192.168.3.12 \
comment="## Rocco Lombardo tutto KNOWN !!!!!!!" disabled=no
add chain=prerouting action=jump jump-target=known src-address=192.168.3.11 \
comment="## fabio tutto KNOWN !!!!!!!" disabled=no
add chain=prerouting action=jump jump-target=known dst-port=110 protocol=tcp \
comment="###### Traffico POP3" disabled=no
add chain=prerouting action=jump jump-target=known dst-port=8050 protocol=tcp \
comment="###### Videocamera Comune Saponara" disabled=no
add chain=prerouting action=jump jump-target=known src-port=8050 protocol=tcp \
dst-address-list=!management comment="" disabled=no
add chain=prerouting action=jump jump-target=known src-address=192.168.9.17 \
comment="###### Carroccio quando cassisi down" disabled=no
add chain=prerouting action=jump jump-target=known dst-address=65.54.239.20 \
comment="###### Server Login MSN" disabled=no
add chain=prerouting action=jump jump-target=known dst-address=65.54.183.202 \
comment="" disabled=no
add chain=prerouting action=jump jump-target=known dst-port=5060-5061 \
protocol=udp comment="###### VOIP" disabled=no
add chain=prerouting action=jump jump-target=known src-port=5060-5061 \
protocol=udp comment="" disabled=no
add chain=prerouting action=jump jump-target=known src-address=172.21.254.250 \
comment="" disabled=no
add chain=prerouting action=jump jump-target=known dst-address=172.21.254.250 \
comment="" disabled=no
add chain=prerouting action=jump jump-target=known dst-port=5900-5901 \
protocol=tcp dst-address-list=!management comment="###### VNC" \
disabled=no
add chain=prerouting action=jump jump-target=known src-port=5900-5901 \
protocol=tcp dst-address-list=!management comment="" disabled=no
add chain=prerouting action=jump jump-target=known dst-port=3389 protocol=tcp \
comment="###### Desktop Remoto" disabled=no
add chain=prerouting action=jump jump-target=known src-port=3389 protocol=tcp \
comment="" disabled=no
add chain=prerouting action=jump jump-target=known dst-address=89.119.211.62 \
comment="###### PPTP Bandiera" disabled=no
add chain=prerouting action=jump jump-target=known dst-port=11999 protocol=tcp \
comment="###### Yahoo Giochi" disabled=no
add chain=prerouting action=jump jump-target=known dst-port=8999 protocol=tcp \
comment="###### Scuola Saponara" disabled=no
add chain=prerouting action=jump jump-target=known dst-port=14601-14603 \
protocol=tcp comment="###### Porte sito Photocity" disabled=no
add chain=prerouting action=jump jump-target=known src-port=9443 protocol=tcp \
comment="###### G.Pino Porte X Sito SKY" disabled=no
add chain=prerouting action=jump jump-target=known dst-port=6100 protocol=tcp \
comment="###### Trischitta Videosorveglianza" disabled=no
add chain=prerouting action=jump jump-target=known dst-port=6550 protocol=tcp \
comment="###### Supermercato GM" disabled=no
add chain=prerouting action=jump jump-target=known dst-port=6551 protocol=tcp \
comment="" disabled=no
add chain=prerouting action=jump jump-target=known dst-port=6996 protocol=tcp \
comment="" disabled=no
add chain=prerouting action=jump jump-target=known dst-address=213.61.92.197 \
protocol=tcp comment="ftp AsRock" disabled=no
add chain=prerouting action=jump jump-target=known dst-port=9443 protocol=tcp \
comment="" disabled=no
add chain=prerouting action=jump jump-target=known dst-port=12975 protocol=tcp \
comment="hamachi" disabled=no
add chain=prerouting action=jump jump-target=known dst-port=32976 protocol=tcp \
comment="" disabled=no
add chain=prerouting action=jump jump-target=known connection-type=ftp \
comment="Mark FTP come know" disabled=no
add chain=prerouting action=mark-connection new-connection-mark=knowntest \
passthrough=yes src-address=192.168.5.99 comment="Test" disabled=yes
add chain=prerouting action=mark-connection new-connection-mark=knowntest \
passthrough=yes src-address=172.21.254.149 comment="" disabled=yes
add chain=prerouting action=mark-routing new-routing-mark=vs-Telecom \
passthrough=no src-address=172.21.254.149 connection-mark=knowntest \
comment="" disabled=yes
add chain=prerouting action=jump jump-target=unknown connection-mark=!known \
comment="########### Jump alla chain UNKNOWN \
###############" disabled=no
add chain=known action=passthrough \
comment="######################################## \
CHAIN KNOWN \
###########################################" disabled=no
add chain=known action=mark-connection new-connection-mark=known \
passthrough=yes comment="Mark Connection" disabled=no
add chain=known action=mark-packet new-packet-mark=known passthrough=yes \
comment="" disabled=no
add chain=known action=mark-routing new-routing-mark=vs-Telecom passthrough=no \
dst-address=85.33.2.56 dst-port=110 protocol=tcp comment="Mark POP3 \
telecom " disabled=no
add chain=known action=mark-routing new-routing-mark=posta-su-NGI \
passthrough=no dst-address=88.149.128.13 dst-port=25 protocol=tcp \
comment="Mark servers SMTP: smtp.ngi.it, out.alice.it, smtp.fastweb.it, \
out.virgilio.it, box.tin.it" disabled=no
add chain=known action=mark-routing new-routing-mark=vs-Telecom passthrough=no \
dst-address=85.33.2.55 dst-port=25 protocol=tcp comment="" disabled=no
add chain=known action=mark-routing new-routing-mark=posta-su-FW \
passthrough=no dst-address=85.18.95.140 dst-port=25 protocol=tcp \
comment="" disabled=no
add chain=known action=mark-routing new-routing-mark=vs-Telecom passthrough=no \
dst-address=62.211.72.20 dst-port=25 protocol=tcp comment="" disabled=no
add chain=known action=mark-routing new-routing-mark=vs-Telecom passthrough=no \
dst-address=85.33.2.55 dst-port=25 protocol=tcp comment="" disabled=no
add chain=known action=mark-routing new-routing-mark=vs-Telecom passthrough=no \
dst-address=62.211.72.30 dst-port=25 protocol=tcp comment="" disabled=no
add chain=known action=passthrough comment="####### NGI ########" \
disabled=no
add chain=known action=mark-routing new-routing-mark=vs-Telecom passthrough=no \
src-address=192.168.5.33 connection-mark=known comment=" ### Arte in \
ferro \( Mail Virgilio In \) #############*************** problema posta" \
disabled=yes
add chain=known action=mark-routing new-routing-mark=vs-Telecom passthrough=no \
src-address=172.21.254.250 connection-mark=known comment=" ### VOIP \
ufficio " disabled=no
add chain=known action=mark-routing new-routing-mark=vs-NGI passthrough=no \
src-address=192.168.3.0/24 connection-mark=known comment=" ### \
Classe 3.0, da Nicola" disabled=no
add chain=known action=mark-routing new-routing-mark=vs-NGI passthrough=no \
src-address=192.168.4.0/24 connection-mark=known comment=" ### \
Classe 4.0, da Nicola" disabled=no
add chain=known action=mark-routing new-routing-mark=vs-NGI passthrough=no \
src-address=192.168.5.0/24 connection-mark=known \
dst-address-list=!management comment=" ### Classe 5.0, auth su P2K" \
disabled=no
add chain=known action=mark-routing new-routing-mark=vs-NGI passthrough=no \
src-address=192.168.6.0/24 connection-mark=known comment=" ### \
Classe 6.0, da Nicola" disabled=no
add chain=known action=mark-routing new-routing-mark=vs-NGI passthrough=no \
src-address=192.168.7.0/24 connection-mark=known comment=" ### \
Classe 7.0, da Pace del Mela" disabled=no
add chain=known action=mark-routing new-routing-mark=vs-NGI passthrough=no \
src-address=88.149.204.xxx-88.149.204.xxx dst-address-list=!management \
comment=" ### mark vs NGI pubblici clienti \(Tecnospace, H.Terme, \
Server posta\)" disabled=no
add chain=known action=mark-routing new-routing-mark=vs-NGI passthrough=no \
src-address=172.21.254.0/24 connection-mark=known \
dst-address-list=!management comment=" ### Ufficio" disabled=no
add chain=known action=passthrough comment="####### TELECOM \
########" disabled=no
add chain=known action=mark-routing new-routing-mark=vs-Telecom passthrough=no \
connection-mark=knownTI comment=" ### TEST Fabio" disabled=no
add chain=known action=mark-routing new-routing-mark=vs-Telecom passthrough=no \
src-address=192.168.9.0/24 connection-mark=known comment=" ### \
Classe 9.0, da Serro, quando Cassisi is Down" disabled=no
add chain=prerouting action=jump jump-target=known dst-address=87.248.217.214 \
protocol=tcp comment="Shan Lifu" disabled=no
add chain=prerouting action=jump jump-target=known src-address=87.248.217.214 \
protocol=tcp comment="" disabled=no
add chain=prerouting action=jump jump-target=unknown connection-mark=!known \
comment="" disabled=no
add chain=unknown action=passthrough \
comment="######################################## \
CHAIN UNKNOWN \
###########################################" disabled=no
add chain=unknown action=mark-connection new-connection-mark=unknown \
passthrough=yes comment="Mark Connection" disabled=no
add chain=unknown action=mark-packet new-packet-mark=unknown passthrough=yes \
comment="" disabled=no
add chain=unknown action=mark-routing new-routing-mark=vs-Telecom \
passthrough=no src-address=172.21.254.99 connection-mark=unknown \
comment="Verso Telecom host VPN Tonino" disabled=no
add chain=unknown action=mark-routing new-routing-mark=posta-su-FW \
passthrough=no src-address=172.21.254.222 connection-mark=unknown \
comment="Verso Fastweb P2P Ufficio" disabled=yes
add chain=unknown action=mark-routing new-routing-mark=unknown passthrough=no \
packet-mark=unknown src-address-list=PPPoE_Clienti comment="vs FW" \
disabled=no
add chain=postrouting action=change-mss new-mss=1380 tcp-flags=syn \
src-address=192.168.6.7 protocol=tcp comment="Cosimo Mavilia" disabled=no
add chain=postrouting action=change-mss new-mss=1360 tcp-flags=syn \
src-address=213.156.51.2 protocol=tcp comment="Sito Santander" disabled=no
add chain=postrouting action=change-mss new-mss=1360 tcp-flags=syn \
dst-address=213.156.51.2 protocol=tcp comment="" disabled=no
add chain=postrouting action=change-mss new-mss=1380 tcp-flags=syn \
dst-address=192.168.6.7 protocol=tcp comment="" disabled=no
add chain=postrouting action=change-mss new-mss=1360 tcp-flags=syn \
src-address=192.168.6.4 protocol=tcp comment="Cipriano" disabled=no
add chain=postrouting action=change-mss new-mss=1360 tcp-flags=syn \
dst-address=192.168.6.4 protocol=tcp comment="" disabled=no
add chain=postrouting action=change-mss new-mss=1360 tcp-flags=syn \
protocol=tcp src-address-list="change MSS" comment="Prova per \
sito############" disabled=no
Re: Connection mark in custom chain
Posted: Wed Nov 28, 2007 8:14 pm
by galaxynet
cpresto -
The above is an 'export' of your config, that's why the 'add' is in there. These do not necessarily indicate the 'order' in which the rules are applied.... Instead do a:
/ip firewall mangle [chain] print e.g. /ip firewall mangle prerouting print
Do the same for your remaining tables. This will print the rules, in order, in each table.
Right now it looks like the order is the issue but I can't be sure until I see how your router sees the rules....
Thom
Re: Connection mark in custom chain
Posted: Thu Nov 29, 2007 3:27 am
by Chupaka
cpresto, sorry, I did not read your whole posts - there are too many letters =)
as for FTP: this protocol does not change ports, it establishes a _new_ connection for data transfer, with ports > 1024. You may identify these connections with Connection State = related, if the ftp helper is enabled in Firewall - Services. So, jump to "known" on port < 1024 _or_ conn-state=related =)
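Putting galaxynet's "mark the connection first, then the packets, then the route" ordering together with Chupaka's connection-state=related point, here is an added example rule set. It is written for this thread and is not taken from any post above or from MikroTik documentation. It assumes the custom chain "known", the connection mark "known" and the routing mark "vs-NGI" from cpresto's export; the interface name LAN and the client subnet 192.168.5.0/24 are placeholders; and it assumes the ftp helper in /ip firewall service-port is enabled, since without it the data connection is never tracked as related to the control connection.

```routeros
# Added example, not from the thread. Placeholders: in-interface=LAN,
# client subnet 192.168.5.0/24, routing mark vs-NGI, chain/mark name "known".

# The ftp helper must be enabled, otherwise the data connection is never
# linked ("related") to the control connection on port 21.
/ip firewall service-port
set ftp disabled=no

/ip firewall mangle
# Control channel (port 21) is < 1024 and is caught by the existing port rule.
add chain=prerouting in-interface=LAN protocol=tcp dst-port=0-1024 \
    action=jump jump-target=known comment="TCP < 1024"

# Passive-mode data channel: the server announces a port > 1024 that no static
# dst-port rule can predict, and the client opens it, so it enters on LAN.
# The helper links it to the control connection; match the state, not a port.
# Keep this rule ABOVE any catch-all jump to the "unknown" chain.
add chain=prerouting in-interface=LAN connection-state=related \
    action=jump jump-target=known comment="helper-related data connections"

# Later packets of an already classified connection carry the connection mark,
# so send them straight to "known" instead of re-evaluating every port rule.
add chain=prerouting in-interface=LAN connection-mark=known \
    action=jump jump-target=known comment="already known"

# Custom chain: mark the connection first, then the packets, then the route.
add chain=known action=mark-connection new-connection-mark=known passthrough=yes
add chain=known connection-mark=known \
    action=mark-packet new-packet-mark=known passthrough=yes
add chain=known connection-mark=known src-address=192.168.5.0/24 \
    action=mark-routing new-routing-mark=vs-NGI passthrough=no
```

Because rule order decides the outcome, check the resulting order with `/ip firewall mangle print where chain=prerouting` rather than with an export, and use `/ip firewall connection print detail` while an FTP transfer is running to confirm that the data connection appears with the "known" connection mark; if it shows no mark, the related-state jump is either below a catch-all rule or the helper is disabled.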
Re: Connection mark in custom chain
Posted: Fri Nov 30, 2007 10:26 am
by cpresto
Thank you Chupaka,
Ip/Firewall/service-ports seems to be ok:
[admin@AdiesselleP2K] ip firewall service-port> print
Flags: X - disabled, I - invalid
# NAME PORTS
0 ftp 21
1 tftp 69
2 irc 6667
3 X h323
4 quake3
5 X gre
6 X pptp
Thank you galaxynet,
please find here below all involved chains.
[admin@AdiesselleP2K] ip firewall mangle> print prerouting
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting action=accept dst-port=8291 protocol=tcp
1 ;;; traffico varapodio
chain=prerouting action=accept src-address=81.174.63.xx
2 chain=prerouting action=accept dst-address=81.174.63.xx
3 ;;; CPE web management
chain=prerouting action=accept dst-port=8000 protocol=tcp
4 chain=prerouting action=accept src-port=8000 protocol=tcp
5 ;;; ICMP
chain=prerouting action=accept protocol=icmp dst-address-list=management
6 chain=prerouting action=jump jump-target=known protocol=icmp
7 ;;; ###### RAPIDSHARE
chain=prerouting action=jump jump-target=unknown protocol=tcp
dst-address-list=rapidshare
8 chain=prerouting action=jump jump-target=unknown protocol=tcp
src-address-list=rapidshare
9 X ;;; ####### AKAMAI
chain=prerouting action=jump jump-target=unknown dst-address-list=akamai
10 X chain=prerouting action=jump jump-target=unknown src-address-list=akamai
11 ;;; ###### MEGAUPLOAD
chain=prerouting action=jump jump-target=unknown protocol=tcp
src-address-list=megaupload
12 chain=prerouting action=jump jump-target=unknown protocol=tcp
dst-address-list=megaupload
13 chain=prerouting action=jump jump-target=known dst-port=110 protocol=tcp
14 ;;; ###### TCP < 1024
chain=prerouting action=jump jump-target=known dst-port=0-1024
protocol=tcp
15 ;;; ###### UDP < 1024
chain=prerouting action=jump jump-target=known dst-port=0-1024
protocol=udp
16 ;;; ###### VOIP
chain=prerouting action=jump jump-target=known src-port=5060
dst-port=5061 protocol=udp
17 chain=prerouting action=jump jump-target=known dst-address=212.97.59.91
src-port=5004-5007 protocol=udp
18 ;;; ###### DUDE
chain=prerouting action=jump jump-target=known dst-port=8899
protocol=tcp
19 ;;; ###### Ghizzoni Videocamere
chain=prerouting action=jump jump-target=known
src-address=88.149.204.xxx src-port=80 protocol=tcp
dst-address-list=!management
20 chain=prerouting action=jump jump-target=known src-address=88.149.204.xxx
src-port=8085 protocol=tcp dst-address-list=!management
21 ;;; ###### Porte MSN
chain=prerouting action=jump jump-target=known dst-port=1200-1281
protocol=tcp
22 chain=prerouting action=jump jump-target=known dst-port=1862 protocol=tcp
23 chain=prerouting action=jump jump-target=known dst-port=1863 protocol=tcp
24 chain=prerouting action=jump jump-target=known dst-port=2210 protocol=tcp
25 chain=prerouting action=jump jump-target=known dst-port=6821-6900
protocol=tcp
26 chain=prerouting action=jump jump-target=known dst-port=9000-9010
protocol=tcp
27 ;;; VOIP Ufficio
chain=prerouting action=jump jump-target=known
src-address=172.21.254.250
28 ;;; ## Rocco Lombardo tutto KNOWN !!!!!!!
chain=prerouting action=jump jump-target=known src-address=192.168.3.12
29 ;;; ## fabio tutto KNOWN !!!!!!!
chain=prerouting action=jump jump-target=known src-address=192.168.3.11
30 ;;; ###### Traffico POP3
chain=prerouting action=jump jump-target=known dst-port=110 protocol=tcp
31 ;;; ###### Videocamera Comune Saponara
chain=prerouting action=jump jump-target=known dst-port=8050
protocol=tcp
32 chain=prerouting action=jump jump-target=known src-port=8050 protocol=tcp
dst-address-list=!management
33 ;;; ###### Carroccio quando cassisi down
chain=prerouting action=jump jump-target=known src-address=192.168.9.17
34 ;;; ###### Server Login MSN
chain=prerouting action=jump jump-target=known dst-address=65.54.239.20
35 chain=prerouting action=jump jump-target=known dst-address=65.54.183.202
36 X ;;; ###### VOIP
chain=prerouting action=jump jump-target=known dst-port=5060-5061
protocol=udp
37 X chain=prerouting action=jump jump-target=known src-port=5060-5061
protocol=udp
38 ;;; ###### VNC
chain=prerouting action=jump jump-target=known dst-port=5900-5901
protocol=tcp dst-address-list=!management
39 chain=prerouting action=jump jump-target=known src-port=5900-5901
protocol=tcp dst-address-list=!management
40 ;;; ###### Desktop Remoto
chain=prerouting action=jump jump-target=known dst-port=3389
protocol=tcp
41 chain=prerouting action=jump jump-target=known src-port=3389 protocol=tcp
42 ;;; ###### PPTP Bandiera
chain=prerouting action=jump jump-target=known dst-address=89.119.211.62
43 ;;; ###### Yahoo Giochi
chain=prerouting action=jump jump-target=known dst-port=11999
protocol=tcp
44 ;;; ###### Scuola Saponara
chain=prerouting action=jump jump-target=known dst-port=8999
protocol=tcp
45 ;;; ###### Porte sito Photocity
chain=prerouting action=jump jump-target=known dst-port=14601-14603
protocol=tcp
46 ;;; ###### G.Pino Porte X Sito SKY
chain=prerouting action=jump jump-target=known src-port=9443
protocol=tcp
47 ;;; ###### Trischitta Videosorveglianza
chain=prerouting action=jump jump-target=known dst-port=6100
protocol=tcp
48 ;;; ###### Supermercato GM
chain=prerouting action=jump jump-target=known dst-port=6550
protocol=tcp
49 chain=prerouting action=jump jump-target=known dst-port=6551 protocol=tcp
50 chain=prerouting action=jump jump-target=known dst-port=6996 protocol=tcp
51 ;;; ftp AsRock
chain=prerouting action=jump jump-target=known dst-address=213.61.92.197
protocol=tcp
52 chain=prerouting action=jump jump-target=known dst-port=9443 protocol=tcp
53 ;;; hamachi
chain=prerouting action=jump jump-target=known dst-port=12975
protocol=tcp
54 chain=prerouting action=jump jump-target=known dst-port=32976 protocol=tc>
55 ;;; Mark FTP come know
chain=prerouting action=jump jump-target=known connection-type=ftp
56 X ;;; Test
chain=prerouting action=mark-connection new-connection-mark=knowntest
passthrough=yes src-address=192.168.5.99
57 X chain=prerouting action=mark-connection new-connection-mark=knowntest
passthrough=yes src-address=172.21.254.149
58 X chain=prerouting action=mark-routing new-routing-mark=vs-Telecom
passthrough=no src-address=172.21.254.149 connection-mark=knowntest
59 ;;; ########### Jump alla chain UNKNOWN ###############
chain=prerouting action=jump jump-target=unknown connection-mark=!known
60 ;;; Shan Lifu
chain=prerouting action=jump jump-target=known
dst-address=87.248.217.214 protocol=tcp
61 chain=prerouting action=jump jump-target=known src-address=87.248.217.214
protocol=tcp
62 chain=prerouting action=jump jump-target=unknown connection-mark=!known
[admin@AdiesselleP2K] ip firewall mangle> print known
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; ######################################## CHAI>
NOWN ###########################################
chain=known action=passthrough
1 ;;; Mark Connection
chain=known action=mark-connection new-connection-mark=known
passthrough=yes
2 chain=known action=mark-packet new-packet-mark=known passthrough=yes
3 ;;; Mark POP3 telecom. in.aliceposta.it, box.tin.it, in.virgilio.it
chain=known action=mark-routing new-routing-mark=vs-Telecom
passthrough=no dst-address=85.33.2.56 dst-port=110 protocol=tcp
4 chain=known action=mark-routing new-routing-mark=vs-Telecom passthrough=n>
dst-address=62.211.72.30 dst-port=110 protocol=tcp
5 ;;; Mark servers SMTP: smtp.ngi.it, out.alice.it, smtp.fastweb.it, out.v>
ilio.it, box.tin.it
chain=known action=mark-routing new-routing-mark=posta-su-NGI
passthrough=no dst-address=88.149.128.13 dst-port=25 protocol=tcp
6 chain=known action=mark-routing new-routing-mark=vs-Telecom passthrough=n>
dst-address=85.33.2.55 dst-port=25 protocol=tcp
7 chain=known action=mark-routing new-routing-mark=posta-su-FW
passthrough=no dst-address=85.18.95.140 dst-port=25 protocol=tcp
8 chain=known action=mark-routing new-routing-mark=vs-Telecom passthrough=n>
dst-address=62.211.72.20 dst-port=25 protocol=tcp
9 chain=known action=mark-routing new-routing-mark=vs-Telecom passthrough=n>
dst-address=85.33.2.55 dst-port=25 protocol=tcp
10 chain=known action=mark-routing new-routing-mark=vs-Telecom passthrough=n>
dst-address=62.211.72.30 dst-port=25 protocol=tcp
11 ;;; ####### NGI ########
chain=known action=passthrough
12 X ;;; ### Arte in ferro ( Mail Virgilio In ) #############************>
problema posta
chain=known action=mark-routing new-routing-mark=vs-Telecom
passthrough=no src-address=192.168.5.33 connection-mark=known
13 ;;; ### VOIP ufficio
chain=known action=mark-routing new-routing-mark=vs-Telecom
passthrough=no src-address=172.21.254.250 connection-mark=known
14 ;;; ### Classe 4.0, da Nicola
chain=known action=mark-routing new-routing-mark=vs-NGI passthrough=no
src-address=192.168.4.0/24 connection-mark=known
15 ;;; ### Classe 5.0, auth su P2K
chain=known action=mark-routing new-routing-mark=vs-NGI passthrough=no
src-address=192.168.5.0/24 connection-mark=known
dst-address-list=!management
16 ;;; ### Classe 6.0, da Nicola
chain=known action=mark-routing new-routing-mark=vs-NGI passthrough=no
src-address=192.168.6.0/24 connection-mark=known
17 ;;; ### mark vs NGI pubblici clienti (Tecnospace, H.Terme, Server >
ta)
chain=known action=mark-routing new-routing-mark=vs-NGI passthrough=no
src-address=88.149.204.xxx-88.149.204.xxx dst-address-list=!management
18 ;;; ### Ufficio
chain=known action=mark-routing new-routing-mark=vs-NGI passthrough=no
src-address=172.21.254.0/24 connection-mark=known
dst-address-list=!management
19 ;;; ####### TELECOM ########
chain=known action=passthrough
20 ;;; ### TEST Fabio
chain=known action=mark-routing new-routing-mark=vs-Telecom
passthrough=no connection-mark=knownTI
21 ;;; ### Classe 7.0, da Pace del Mela
chain=known action=mark-routing new-routing-mark=vs-Telecom
passthrough=no src-address=192.168.7.0/24 connection-mark=known
22 ;;; ### Classe 3.0, da Nicola
chain=known action=mark-routing new-routing-mark=vs-Telecom
passthrough=no src-address=192.168.3.0/24 connection-mark=known
23 ;;; ### Classe 9.0, da Serro, quando Cassisi is Down
chain=known action=mark-routing new-routing-mark=vs-Telecom
passthrough=no src-address=192.168.9.0/24 connection-mark=known
51 ;;; ftp AsRock
chain=prerouting action=jump jump-target=known dst-address=213.61.92.197
protocol=tcp
52 chain=prerouting action=jump jump-target=known dst-port=9443 protocol=tcp
53 ;;; hamachi
chain=prerouting action=jump jump-target=known dst-port=12975
protocol=tcp
54 chain=prerouting action=jump jump-target=known dst-port=32976 protocol=tc>
55 ;;; Mark FTP come know
chain=prerouting action=jump jump-target=known connection-type=ftp
56 X ;;; Test
chain=prerouting action=mark-connection new-connection-mark=knowntest
passthrough=yes src-address=192.168.5.99
57 X chain=prerouting action=mark-connection new-connection-mark=knowntest
passthrough=yes src-address=172.21.254.149
58 X chain=prerouting action=mark-routing new-routing-mark=vs-Telecom
passthrough=no src-address=172.21.254.149 connection-mark=knowntest
59 ;;; ########### Jump alla chain UNKNOWN ###############
chain=prerouting action=jump jump-target=unknown connection-mark=!known
60 ;;; Shan Lifu
chain=prerouting action=jump jump-target=known
dst-address=87.248.217.214 protocol=tcp
61 chain=prerouting action=jump jump-target=known src-address=87.248.217.214
protocol=tcp
62 chain=prerouting action=jump jump-target=unknown connection-mark=!known
[admin@AdiesselleP2K] ip firewall mangle> print known
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; ######################################## CHAI>
NOWN ###########################################
chain=known action=passthrough
1 ;;; Mark Connection
chain=known action=mark-connection new-connection-mark=known
passthrough=yes
2 chain=known action=mark-packet new-packet-mark=known passthrough=yes
3 ;;; Mark POP3 telecom. in.aliceposta.it, box.tin.it, in.virgilio.it
chain=known action=mark-routing new-routing-mark=vs-Telecom
passthrough=no dst-address=85.33.2.56 dst-port=110 protocol=tcp
4 chain=known action=mark-routing new-routing-mark=vs-Telecom passthrough=n>
dst-address=62.211.72.30 dst-port=110 protocol=tcp
5 ;;; Mark servers SMTP: smtp.ngi.it, out.alice.it, smtp.fastweb.it, out.v>
ilio.it, box.tin.it
chain=known action=mark-routing new-routing-mark=posta-su-NGI
passthrough=no dst-address=88.149.128.13 dst-port=25 protocol=tcp
6 chain=known action=mark-routing new-routing-mark=vs-Telecom passthrough=n>
dst-address=85.33.2.55 dst-port=25 protocol=tcp
7 chain=known action=mark-routing new-routing-mark=posta-su-FW
passthrough=no dst-address=85.18.95.140 dst-port=25 protocol=tcp
8 chain=known action=mark-routing new-routing-mark=vs-Telecom passthrough=n>
dst-address=62.211.72.20 dst-port=25 protocol=tcp
9 chain=known action=mark-routing new-routing-mark=vs-Telecom passthrough=n>
dst-address=85.33.2.55 dst-port=25 protocol=tcp
10 chain=known action=mark-routing new-routing-mark=vs-Telecom passthrough=n>
dst-address=62.211.72.30 dst-port=25 protocol=tcp
11 ;;; ####### NGI ########
chain=known action=passthrough
12 X ;;; ### Arte in ferro ( Mail Virgilio In ) #############************>
problema posta
chain=known action=mark-routing new-routing-mark=vs-Telecom
passthrough=no src-address=192.168.5.33 connection-mark=known
13 ;;; ### VOIP ufficio
chain=known action=mark-routing new-routing-mark=vs-Telecom
passthrough=no src-address=172.21.254.250 connection-mark=known
14 ;;; ### Classe 4.0, da Nicola
chain=known action=mark-routing new-routing-mark=vs-NGI passthrough=no
src-address=192.168.4.0/24 connection-mark=known
15 ;;; ### Classe 5.0, auth su P2K
chain=known action=mark-routing new-routing-mark=vs-NGI passthrough=no
src-address=192.168.5.0/24 connection-mark=known
dst-address-list=!management
16 ;;; ### Classe 6.0, da Nicola
chain=known action=mark-routing new-routing-mark=vs-NGI passthrough=no
src-address=192.168.6.0/24 connection-mark=known
17 ;;; ### mark vs NGI pubblici clienti (Tecnospace, H.Terme, Server >
ta)
chain=known action=mark-routing new-routing-mark=vs-NGI passthrough=no
src-address=88.149.204.xxx-88.149.204.xxx dst-address-list=!management
18 ;;; ### Ufficio
chain=known action=mark-routing new-routing-mark=vs-NGI passthrough=no
src-address=172.21.254.0/24 connection-mark=known
dst-address-list=!management
19 ;;; ####### TELECOM ########
chain=known action=passthrough
20 ;;; ### TEST Fabio
chain=known action=mark-routing new-routing-mark=vs-Telecom
passthrough=no connection-mark=knownTI
21 ;;; ### Classe 7.0, da Pace del Mela
chain=known action=mark-routing new-routing-mark=vs-Telecom
passthrough=no src-address=192.168.7.0/24 connection-mark=known
22 ;;; ### Classe 3.0, da Nicola
chain=known action=mark-routing new-routing-mark=vs-Telecom
passthrough=no src-address=192.168.3.0/24 connection-mark=known
23 ;;; ### Classe 9.0, da Serro, quando Cassisi is Down
chain=known action=mark-routing new-routing-mark=vs-Telecom
passthrough=no src-address=192.168.9.0/24 connection-mark=known
Re: Connection mark in custom chain
Posted: Fri Nov 30, 2007 6:36 pm
by galaxynet
cpresto -
Ok - I see now what you are trying to accomplish.... Some of your rules are 'out of order', and I do not see your policy routing rules ( /ip route print and /ip route rule print ).
I can offer some advice that may help you 'slim' this down a little as well as help you to filter that which you don't want.
One thing I did notice - you said that ftp is listening on a port other than 21 - you'll need to update your ip firewall service-port for ftp to reflect the current port(s)
I generally break down what I want to do into simple blocks. You have a couple of things you want to do, so let's see if we can break this down into manageable pieces....
Make sure connection tracking is ON in your MT - you'll need that.
Generally there are three 'service' categories; 1) TCP 2) UDP 3) Other
I normally mark all traffic like this;
chain=prerouting protocol=tcp connection-state=new action=jump jump-target=tcp-service
chain=prerouting protocol=udp connection-state=new action=jump jump-target=udp-service
chain=prerouting connection-state=new action=jump jump-target=other
This sends all new connections to the above tables for 'sorting' and marking. In those tables you can mark the different types of traffic, http, SMTP, etc. Once you have those marked then you can apply your routing marks. And as a bonus, you can mark everything not wanted with a 'special' mark and use the Firewall filter to drop those connections.
After the above rules you can also add connection-state=established and connection-state=related rules just like the ones above and use the same tcp-service and udp-service tables below.
In your case it looks like you are most interested in 'guiding' new connections from your clients out particular gateways depending on what service they are trying to use - mail, http, ftp, 'rapidshare', etc... So - what you'll most likely need to do is add the 'in-interface' to the above rule set so you are ONLY marking / sorting client side requests.
Here are a couple of my tcp-service rules;
chain=tcp-service protocol=tcp src-port=1024-65535 dst-port=25 action=mark-connection new-connection-mark=smtp passthrough=no
chain=tcp-service protocol=tcp src-port=1024-65535 dst-port=110 action=mark-connection new-connection-mark=pop3 passthrough=no
So now we have a couple of connections marked with specific connection marks. In the above rules you can also add the dst-addr-list or src-addr-list parameter or the dst-addr parameter, as I noticed you had some specific mail servers in mind above in your post, and 'adjust' your packet mark accordingly.
Now with the connections marked, and 'bad' connections dropped (that's what I use the 'other' table for.... in 'other', I mark all the misc services I want to allow, then give everything else a 'special' mark that I use in the filter chain to drop those with the 'special' connection mark).
My connections, new, established and related, all have the connection marks I want, so we use those connection marks and now mark the connections with a specific routing mark. A new table is required - I just call mine 'routing'. In there I use the connection marks to set the routing mark for the connection.
Speaking of routing, you'll have to add rules to your routing table - in Winbox it's IP / route, once there go to the rules tab. Here you can use src and/or dst addresses and/or routing marks to tell the router to 'lookup' a particular routing table. Since in my example we did all the marking, it is a simple matter of using the routing mark to force the router to look up a particular routing table and route the connection out that 'port'.
Now you also realize that you can't control what comes from the Internet to your router, insofar as if there is an FTP request on etherX to IP address xx.xx.xx.xx you can stop that from going anywhere, but it will still come to the router. What you can control is what your users (coming in through your 'local' interface) can do and how to route their requests to the Internet. Which is what it looks like you are doing....
I did not re-write your rules above, but I hope the advice I have given you allows you to assemble a set of rules that does what you are trying to accomplish. If you can get started in that direction I would be more than happy to help you 'flesh' out your rule set.
Thom
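galaxynet's three-block layout (sort new connections into per-protocol service chains, mark the connection, set the routing mark from the connection mark, then add route rules), written out as a complete RouterOS rule set. This is an added example, not code from the thread or from galaxynet; the interface names (ether2-lan, ether1-isp-a, ether3-isp-b), the gateway addresses (RFC 5737 documentation ranges), the routing-mark names and the "local" address list are assumptions to replace with your own, and the syntax is the v3-era one (port lists such as dst-port=80,443 and connection-mark=no-mark are not available in 2.9). It also shows where passive FTP fits: the data connection opened by the FTP helper arrives as connection-state=related, so it is sent through the same service chain and matched with connection-type=ftp, which is the behaviour cpresto describes later in the thread.

```routeros
# Added example, not part of the original thread. Names, interfaces,
# addresses and routing marks below are assumptions.

# 0. Connection tracking and the FTP helper must be on, otherwise
#    passive-mode data connections are never seen as "related".
/ip firewall connection tracking set enabled=yes
/ip firewall service-port set ftp ports=21 disabled=no

/ip firewall address-list
add list=local address=192.168.0.0/16 comment="LAN ranges that must stay on the main table (assumed)"

/ip firewall mangle
# 1. Sort connections coming from the LAN side only. "new" is the first
#    packet of a connection; "related" is the first packet of a connection a
#    helper opened for us, i.e. the passive FTP data channel.
add chain=prerouting in-interface=ether2-lan connection-state=new protocol=tcp action=jump jump-target=tcp-service
add chain=prerouting in-interface=ether2-lan connection-state=new protocol=udp action=jump jump-target=udp-service
add chain=prerouting in-interface=ether2-lan connection-state=related protocol=tcp action=jump jump-target=tcp-service
add chain=prerouting in-interface=ether2-lan connection-state=new action=jump jump-target=other
# 2. Every packet, not only the first one, visits the routing chain, because
#    mark-routing is a per-packet decision.
add chain=prerouting in-interface=ether2-lan action=jump jump-target=routing

# tcp-service: one connection mark per service. passthrough=yes so the packet
# goes on to the routing chain; passthrough=no would end mangle processing
# here and the connection's first packet would leave via the main table.
add chain=tcp-service connection-type=ftp action=mark-connection new-connection-mark=ftp passthrough=yes comment="helper-tracked FTP control and data connections"
add chain=tcp-service src-port=1024-65535 dst-port=21 action=mark-connection new-connection-mark=ftp passthrough=yes
add chain=tcp-service src-port=1024-65535 dst-port=25 action=mark-connection new-connection-mark=smtp passthrough=yes
add chain=tcp-service src-port=1024-65535 dst-port=110 action=mark-connection new-connection-mark=pop3 passthrough=yes
add chain=tcp-service dst-port=80,443 action=mark-connection new-connection-mark=http passthrough=yes

# udp-service: same idea for UDP.
add chain=udp-service dst-port=53 action=mark-connection new-connection-mark=dns passthrough=yes
add chain=udp-service dst-port=5060-5061 action=mark-connection new-connection-mark=voip passthrough=yes

# other: non-TCP/UDP services we allow, then a catch-all. Because every new
# connection also passes through here after returning from its service chain,
# the catch-all also tags TCP/UDP ports listed nowhere above.
add chain=other protocol=icmp action=mark-connection new-connection-mark=icmp passthrough=yes
add chain=other protocol=gre action=mark-connection new-connection-mark=pptp-gre passthrough=yes
add chain=other connection-mark=no-mark action=mark-connection new-connection-mark=unwanted passthrough=yes comment="nothing recognised this connection"

# routing: connection mark -> routing mark. Local destinations return first
# so LAN-to-LAN traffic is never pushed out an ISP gateway.
add chain=routing dst-address-list=local action=return
add chain=routing connection-mark=smtp action=mark-routing new-routing-mark=via-isp-a passthrough=no
add chain=routing connection-mark=pop3 action=mark-routing new-routing-mark=via-isp-a passthrough=no
add chain=routing connection-mark=ftp action=mark-routing new-routing-mark=via-isp-b passthrough=no
add chain=routing connection-mark=http action=mark-routing new-routing-mark=via-isp-b passthrough=no

# 3. Drop what the "other" chain could not classify.
/ip firewall filter
add chain=forward connection-mark=unwanted action=drop comment="unclassified connections from the LAN"

# 4. One masquerade per uplink, otherwise marked traffic leaves ISP B with
#    ISP A's source address.
/ip firewall nat
add chain=srcnat out-interface=ether1-isp-a action=masquerade
add chain=srcnat out-interface=ether3-isp-b action=masquerade

# 5. Per-mark default routes and the lookup rules that select them.
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=via-isp-a comment="ISP A (assumed gateway)"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=via-isp-b comment="ISP B (assumed gateway)"
add dst-address=0.0.0.0/0 gateway=203.0.113.1 comment="main table default for unmarked traffic"
/ip route rule
add routing-mark=via-isp-a action=lookup table=via-isp-a
add routing-mark=via-isp-b action=lookup table=via-isp-b
```

Two things to check after loading this. First, `/ip firewall mangle print stats` shows the per-rule counters; open one test connection per service and confirm exactly one mark-connection rule in the service chain counts it, and that the routing-chain rule for that mark counts every packet of it, not just the first. Second, passive FTP only works if the control connection and the helper-opened data connection carry the same routing mark and therefore leave by the same uplink; the `connection-type=ftp` rule plus the `connection-state=related` jump is what achieves that. If the data connection were routed out a different ISP, the server would see a second source address and refuse the transfer.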
Re: Connection mark in custom chain
Posted: Fri Nov 30, 2007 9:14 pm
by cpresto
Thank you galaxynet (Thom),
regarding ftp, I'm using it as an "instrument" and I'm not referring to my ftp but to others (e.g. ftp.microsoft.com). When the ftp client is configured in passive mode, the ftp server listens on the default port (21), establishes a random port (> 1024) to exchange data and communicates this to the client.
In my current configuration ftp clients don't work in passive mode unless I insert the mangle rule
;;; ##### Mark FTP as known
chain=prerouting action=jump jump-target=known connection-type=ftp
This tells me that new connections in "known" chain are not correctly mangled.
Regarding your method (mangle TCP, UDP and Other), I'll try it in the next days and compare it with my current "philosophy". Probably this will let me understand my current errors, so I can decide to correct them or simply follow your way of working.
MT ROS is a great OS but, in my opinion, the user manual is not detailed enough.
Thank you for support,
Rgds
Re: Connection mark in custom chain
Posted: Sat Dec 01, 2007 12:36 am
by galaxynet
cpresto -
Well, I am glad that you found some use in my reply. As I stated, it is clearly up to you how you want to apply the rules to get the desired results (philosophy). There are a number of ways to do it. I picked the one I like the most; I have done some things similar to what you are trying to do with a couple of different methods. In the end I settled on the method I showed you. It seemed to be the simplest way to 'walk' a connection from start to finish - made it easy to troubleshoot and modify if/when necessary.
Take your time and think about what your goal is with each 'rule' you want to use. Such as routing a particular mail server request (smtp or pop) out a particular ethernet port - that is a goal. Get your goals all together. Then start writing your rules. Try to break them down into manageable chunks. This will make it much easier to implement / troubleshoot / modify at a later date - use the comment field (a lot) to document what you did (and why).
With MT ROS related and established connections are tracked if you care to use that to help you write your rules.
Lastly - you hit it right on the mark about the documentation - it documents every feature MT ROS has - it does not, however, do much as a 'teaching' aid.... :)
Thom
Re: Connection mark in custom chain
Posted: Sun Dec 02, 2007 10:30 pm
by cpresto
Thank you Thom,
your method is very similar to what is described on the Wiki,
http://wiki.mikrotik.com/wiki/Dmitry_on_firewalling, so I suppose that it is widely used (and tested). I'll try to apply it on the same router that is using my "known/unknown" method in order to fully compare them.
Rgds,
Carlo
http://www.adiesselle.it