Tags: linux, iptables, selinux, linux-security-module

How to get SECMARK to work on Ubuntu 18.04 or CentOS 7.7


I have a question about SECMARK, a packet labeling function in iptables.

I tried to configure it based on Paul Moore's guide (a very old, 14-year-old blog post), but it produces an error on both Ubuntu 18.04 and CentOS 7.7:

command: iptables -t mangle -A INPUT -p tcp --src 192.168.0.16 --dport 22 -j SECMARK --selctx system_u:object_r:foo_ssh_packet_t:s0

Ubuntu: No chain/target/match by that name

CentOS: invalid argument. Run 'dmesg' for more information (P.S. I ran dmesg on CentOS but got nothing worthwhile)

I also tried to configure the "security" table by changing "-t mangle" to "-t security", and I got the same output.

iptables -t security -A INPUT -p tcp --src 192.168.0.16 --dport 22 -j SECMARK --selctx system_u:object_r:foo_ssh_packet_t:s0


Solution

  • As no one knows the answer and I somehow figured out how to do it myself, I think I'd better leave something to help other people.

    The reason for "No chain/target/match by that name"

    SECMARK and SELinux are highly coupled. You must define the SELinux context first; then you can use it in iptables/nftables rules.

    The way to define an SELinux context is to create a user-defined SELinux policy module, aka a .te file, then compile and install it on your machine. After that, your iptables/nftables command above may proceed normally.

    The relationship between OS types and SECMARK

    Ubuntu is one of the most popular Linux distributions nowadays, but note that Ubuntu DOES NOT pre-install SELinux, and AppArmor did not support SECMARK until Jan 2019, so if you want to use SECMARK on Ubuntu, uninstalling AppArmor and installing SELinux is probably worthwhile.

    And if you want to use SECMARK between systems, please be advised that you need to install the policies on both systems.

    Ref

    SECMARK support code (not merged as of today)

    From the mailing list: [apparmor] Apparmor netfilter support?
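As an added example (not code from the question or the answer above), the steps the answer describes as one shell script for CentOS 7 with the targeted policy: a function emits the raw .te source declaring the type named in the question's --selctx, the module is compiled with checkmodule/semodule_package and loaded with semodule, and then the question's iptables rule is added. Assumptions: the module name foo_ssh_packet, that the SSH daemon runs as the refpolicy domain sshd_t, and that the packet_type attribute exists in the loaded policy.

```shell
#!/bin/sh
# Added example: declare the SELinux packet type before using it in a
# SECMARK rule. Module name and the sshd_t/packet_type names are assumptions
# (refpolicy / CentOS 7 targeted policy); the rule itself is from the question.
set -e

MODNAME=foo_ssh_packet          # module name (assumed)
PKT_TYPE=foo_ssh_packet_t       # type used in the question's --selctx

# Emit raw policy source (no refpolicy macros) that "checkmodule -m" accepts.
secmark_te() {
    cat <<EOF
module ${MODNAME} 1.0;

require {
    type sshd_t;
    attribute packet_type;
    class packet { send recv };
}

# The type named in --selctx must exist, or iptables gets EINVAL.
type ${PKT_TYPE};
typeattribute ${PKT_TYPE} packet_type;

# Let the SSH daemon receive packets carrying this label and answer them.
allow sshd_t ${PKT_TYPE}:packet { send recv };
EOF
}

# Compile, package and load the module, then add the SECMARK rule (root only).
install_secmark_policy() {
    secmark_te > "${MODNAME}.te"
    checkmodule -M -m -o "${MODNAME}.mod" "${MODNAME}.te"
    semodule_package -o "${MODNAME}.pp" -m "${MODNAME}.mod"
    semodule -i "${MODNAME}.pp"
    # This is the question's rule; it only succeeds once the type is loaded.
    iptables -t security -A INPUT -p tcp --src 192.168.0.16 --dport 22 \
        -j SECMARK --selctx "system_u:object_r:${PKT_TYPE}:s0"
    # Show that the module is loaded and the rule was accepted.
    semodule -l | grep "^${MODNAME}"
    iptables -t security -L INPUT -n
}

# Run the privileged steps only when explicitly requested.
if [ "${SECMARK_RUN:-0}" = "1" ]; then
    install_secmark_policy
fi
```

Run it as root with `SECMARK_RUN=1 sh secmark.sh`; without the variable it only defines the functions, so you can inspect the generated policy with `secmark_te` first.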