Differentiating port-forwarding in iptables rules
Paul D
newtwen at gmail.com
Tue Nov 19 08:29:19 PST 2024
On 2024-11-19 16:47, Philip Prindeville wrote:
> Would it make sense to turn on a mark as the 2nd line of zone_wan_prerouting and then clear it just before we fall out the bottom?
>
>
context?
I run nftables anyway, but if what you say makes sense and fixes some edge cases, I don't see why not.
>
>> On Nov 10, 2024, at 2:53 PM, Paul D <newtwen at gmail.com> wrote:
>>
>> Shooting from the hip a bit here, but how about a fwmark?
>>
>>
>> # set mark for remapped traffic
>> iptables -t mangle -A PREROUTING -p tcp --dport 23 -m conntrack --ctstate DNAT -j MARK --set-mark <mark>
>>
>> # apply tarpit if not remapped
>> iptables -A INPUT -p tcp --dport 23 -m mark ! --mark <mark> -j TARPIT
>>
>>
>>
>> On 2024-11-10 21:49, Philip Prindeville wrote:
>>> Hi,
>>>
>>> I’m still using firewall3 (yeah, yeah, I know).
>>>
>>> I remap certain ports, and I TARPIT them on the well-known service port, but that’s also catching the remapped destination port.
>>>
>>> For instance, let’s say I run Telnet (I don’t, but we’ll use it as an example) from 2300 to 23. I want to TARPIT traffic arriving (unmapped) on 23, but traffic remapped from 2300 to 23 I don’t want to TARPIT.
>>>
>>> How do I differentiate these in the rules? I thought the MARK might give a hint but it doesn’t.
>>>
>>> Is there another attribute I can use?
>>>
>>> Thanks,
>>>
>>> -Philip
>>>
>>>
>
>
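The rule set below is an added example, not code from either poster: it writes out the whole sequence the thread sketches (redirect 2300 to 23, tag the remapped flow, TARPIT only what arrived on 23 directly) as iptables commands. The mark value 0x2300 and the port numbers are constructed for illustration. The mark is set on the still-untranslated destination port 2300, because the mangle PREROUTING hook runs before the nat hook rewrites the port, and the mark then travels with the packet into INPUT, where the port already reads 23. The second function shows the same split using `-m conntrack --ctstate DNAT` alone in INPUT, where the conntrack entry already carries the DNAT status; that is the form with a direct nftables counterpart (`ct status dnat`). By default the script only prints the rules; set IPT=iptables to apply them.

```shell
#!/bin/sh
# Dry-run by default: the rules are echoed. Run with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
SVC_PORT=23      # well-known service port (example from the thread)
ALT_PORT=2300    # external port that is remapped onto SVC_PORT
MARK=0x2300      # constructed fwmark value; any otherwise unused value works

# Variant A: fwmark set in mangle PREROUTING, consumed in filter INPUT.
iptables_rules() {
    # mangle PREROUTING sees the original port, so tag on ALT_PORT here.
    $IPT -t mangle -A PREROUTING -p tcp --dport "$ALT_PORT" -j MARK --set-mark "$MARK"
    # nat PREROUTING then rewrites 2300 -> 23 (and records DNAT in conntrack).
    $IPT -t nat -A PREROUTING -p tcp --dport "$ALT_PORT" -j REDIRECT --to-ports "$SVC_PORT"
    # filter INPUT: the remapped flow carries the mark, so accept it first ...
    $IPT -A INPUT -p tcp --dport "$SVC_PORT" -m mark --mark "$MARK" -j ACCEPT
    # ... and only then tarpit whatever hit the well-known port directly.
    $IPT -A INPUT -p tcp --dport "$SVC_PORT" -m mark ! --mark "$MARK" -j TARPIT
}

# Variant B: no mark at all; by the time INPUT runs, conntrack already
# flags the connection as DNAT, so that state alone separates the two cases.
conntrack_only_rules() {
    $IPT -t nat -A PREROUTING -p tcp --dport "$ALT_PORT" -j REDIRECT --to-ports "$SVC_PORT"
    $IPT -A INPUT -p tcp --dport "$SVC_PORT" -m conntrack --ctstate DNAT -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$SVC_PORT" -m conntrack ! --ctstate DNAT -j TARPIT
}

echo "# variant A (fwmark)"
iptables_rules
echo "# variant B (conntrack state only)"
conntrack_only_rules
```

In both variants the ACCEPT line must precede the TARPIT line in INPUT; TARPIT (from xtables-addons) is terminating, so reversing the order would swallow the remapped connections as well. Variant A needs the mark check to sit in INPUT rather than in mangle PREROUTING, where the remapped packet would still show port 2300.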