1Linux iptables includes that ability to mark individual network packets 2with a "firewall mark". Additionally there is a component called 3"conntrack" which tries to string sequences of related packets together 4into a "connection" (it even relates sequences of UDP and ICMP packets). 5 There is a related mark for a connection called a "connection mark". 6Marks can be copied freely between the firewall and connection marks 7 8Using these two features it become possible to tag all related traffic 9in arbitrary ways, eg authenticated users, traffic from a particular IP, 10port, etc. Unfortunately any kind of "proxy" breaks this relationship 11because network packets go in one side of the proxy and a completely new 12connection comes out of the other side. However, sometimes, we want to 13maintain that relationship through the proxy and continue the connection 14mark on packets upstream of our proxy 15 16DNSMasq includes such a feature enabled by the --conntrack 17option. This allows, for example, using iptables to mark traffic from 18a particular IP, and that mark to be persisted to requests made *by* 19DNSMasq. Such a feature could be useful for bandwidth accounting, 20captive portals and the like. Note a similar feature has been 21implemented in Squid 2.2 22 23 24As an example consider the following iptables rules: 25 26 271) iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark 282) iptables -t mangle -A PREROUTING -m mark --mark 0 -s 192.168.111.137 29-j MARK --set-mark 137 303) iptables -t mangle -A PREROUTING -j CONNMARK --save-mark 31 324) iptables -t mangle -A OUTPUT -m mark ! --mark 0 -j CONNMARK --save-mark 33 341-3) are all applied to the PREROUTING table and affect all packets 35entering the firewall. 36 371) copies any existing connection mark into the firewall mark. 2) Checks 38the packet not already marked and if not applies an arbitrary mark based 39on IP address. 3) Saves the firewall mark back to the connection mark 40(which will persist it across related packets) 41 424) is applied to the OUTPUT table, which is where we first see packets 43generated locally. DNSMasq will have already copied the firewall mark 44from the request, across to the new packet, and so all that remains is 45for iptables to copy it to the connection mark so it's persisted across 46packets. 47 48Note: iptables can be quite confusing to the beginner. The following 49diagram is extremely helpful in understanding the flows 50 http://linux-ip.net/nf/nfk-traversal.png 51Additionally the following URL contains a useful "starting guide" on 52linux connection tracking/marking 53 http://home.regit.org/netfilter-en/netfilter-connmark/ 54 55