
A server with DHCP (iface eth0, 172.5.1.1/24) gives internet access to LAN clients via an OpenVPN tunnel (iface tun0, 10.8.1.6). I need to mark TCP connections from one specific LAN client, for example 172.5.1.123:

iptables -I FORWARD -m conntrack --ctorigsrc 172.5.1.123 --ctproto tcp -j CONNMARK --set-mark 123

When I run conntrack -L --mark 123 on the server 172.5.1.1, I can see all TCP connections from source 172.5.1.123.

The question is: how do I catch the connection marks from source IP 172.5.1.123 on the VPN server's tunnel interface 10.8.1.1?

h3llflee7

1 Answer


Use an iptables mark to match it.

iptables -I FORWARD -m conntrack --ctorigsrc 172.5.1.123 --ctproto tcp -j MARK --set-mark 123

iptables -A PREROUTING -t mangle -m mark --mark 123 -j LOG
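Added example (not part of the question or the answer): a small Python parser for conntrack -L output that lets you verify, on the gateway 172.5.1.1, that the CONNMARK rule marks exactly the flows you intended, and no others. The sample entries are constructed to match the question's addresses (LAN client 172.5.1.123, tunnel address 10.8.1.6), not captured output. Both MARK and CONNMARK live only inside the kernel that set them; no packet header carries the mark across the tunnel, so an audit like this has to run on the host that applied the rule.

```python
import re

# Constructed sample of `conntrack -L` output as seen on the gateway 172.5.1.1
# (not captured data). Each entry lists the original tuple, then the reply tuple,
# then flags and the connection mark set by CONNMARK. The reply-tuple dst
# 10.8.1.6 is the tunnel address the gateway SNATs client traffic to.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=172.5.1.123 dst=203.0.113.10 sport=51234 dport=443 src=203.0.113.10 dst=10.8.1.6 sport=443 dport=51234 [ASSURED] mark=123 use=1
tcp      6 117 TIME_WAIT src=172.5.1.50 dst=203.0.113.10 sport=40000 dport=80 src=203.0.113.10 dst=10.8.1.6 sport=80 dport=40000 [ASSURED] mark=0 use=1
udp      17 29 src=172.5.1.123 dst=192.0.2.53 sport=5353 dport=53 src=192.0.2.53 dst=10.8.1.6 sport=53 dport=5353 mark=0 use=1
tcp      6 299 ESTABLISHED src=172.5.1.123 dst=198.51.100.7 sport=51300 dport=22 src=198.51.100.7 dst=10.8.1.6 sport=22 dport=51300 [ASSURED] mark=123 use=1
"""

# Field layout of a conntrack-tools entry for TCP/UDP. ICMP entries carry
# type/code instead of ports and are simply skipped by this parser.
ENTRY_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+(?P<timeout>\d+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<osrc>\S+)\s+dst=(?P<odst>\S+)\s+sport=(?P<osport>\d+)\s+dport=(?P<odport>\d+)\s+"
    r"(?:\[UNREPLIED\]\s+)?"
    r"src=(?P<rsrc>\S+)\s+dst=(?P<rdst>\S+)\s+sport=(?P<rsport>\d+)\s+dport=(?P<rdport>\d+)"
    r"(?P<rest>.*)$"
)


def parse_conntrack(text):
    """Parse conntrack -L output into a list of dicts; unparsable lines are dropped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        mark = re.search(r"\bmark=(\d+)", e["rest"])
        e["mark"] = int(mark.group(1)) if mark else 0
        e["assured"] = "[ASSURED]" in e["rest"]
        del e["rest"]
        entries.append(e)
    return entries


def connections_with_mark(entries, mark):
    """Equivalent of `conntrack -L --mark <mark>` over already-parsed entries."""
    return [e for e in entries if e["mark"] == mark]


def audit_marks(entries, client_ip, mark, proto="tcp"):
    """Check that the CONNMARK rule marks exactly the intended flows.

    Findings:
      unmarked    - flows from the client with the right protocol but no mark
      wrong_proto - marked flows whose protocol the rule should not match
      foreign_src - marked flows that did not originate from the client
    All three lists empty means the rule behaves as intended."""
    findings = {"unmarked": [], "wrong_proto": [], "foreign_src": []}
    for e in entries:
        from_client = e["osrc"] == client_ip
        if from_client and e["proto"] == proto and e["mark"] != mark:
            findings["unmarked"].append(e)
        elif e["mark"] == mark and e["proto"] != proto:
            findings["wrong_proto"].append(e)
        elif e["mark"] == mark and not from_client:
            findings["foreign_src"].append(e)
    return findings


def nat_addresses(entries):
    """Reply-tuple destinations, i.e. the addresses the gateway sources traffic from."""
    return sorted({e["rdst"] for e in entries})


if __name__ == "__main__":
    entries = parse_conntrack(SAMPLE_CONNTRACK)
    for e in connections_with_mark(entries, 123):
        print(f"{e['proto']} {e['osrc']}:{e['osport']} -> {e['odst']}:{e['odport']} "
              f"(egress as {e['rdst']}) mark={e['mark']}")
    print("NAT addresses:", nat_addresses(entries))
    print("audit:", {k: len(v) for k, v in audit_marks(entries, "172.5.1.123", 123).items()})
```

On a live gateway, feed it the real output with `parse_conntrack(subprocess.check_output(["conntrack", "-L"], text=True))`; `audit_marks` then gives you a quick regression check after any change to the FORWARD rule, such as a `--ctproto` that was left off and is now marking UDP as well.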