Книга: Iptables Tutorial 1.2.2
SECMARK target
SECMARK target
The SECMARK target is used to set a security context mark on a single packet, as defined by SELinux and security systems. This is still somewhat in it's infancy in Linux, but should pick up more and more in the future. Since SELinux is out of the scope of this document, I suggest going to the Security-Enhanced Linux webpage for more information.
In brief, SELinux is a new and improved security system to add Mandatory Access Control (MAC) to Linux, implemented by NSA as a proof of concept. SELinux basically sets security attributes for different objects and then matches them into security contexts. The SECMARK target is used to set a security context on a packet which can then be used within the security subsystems to match on.
|
The SECMARK target is only valid in the mangle table. |
Table 11-16. SECMARK target options
| Option | --selctx |
| Example | iptables -t mangle -A PREROUTING -p tcp --dport 80 -j SECMARK --selctx httpcontext |
| Explanation | The --selctx option is used to specify which security context to set on a packet. The context can then be used for matching inside the security systems of linux. |
Оглавление книги
- ACCEPT target
- CLASSIFY target
- CLUSTERIP target
- CONNMARK target
- CONNSECMARK target
- DNAT target
- DROP target
- DSCP target
- ECN target
- LOG target options
- MARK target
- MASQUERADE target
- MIRROR target
- NETMAP target
- NFQUEUE target
- NOTRACK target
- QUEUE target
- REDIRECT target
- REJECT target
- RETURN target
- SAME target
- SECMARK target
- SNAT target
- TCPMSS target
- TOS target
- TTL target
- ULOG target
- What's next?