SECMARK target

The SECMARK target is used to set a security context mark on a single packet, as defined by SELinux and security systems. This is still somewhat in it's infancy in Linux, but should pick up more and more in the future. Since SELinux is out of the scope of this document, I suggest going to the Security-Enhanced Linux webpage for more information.

In brief, SELinux is a new and improved security system to add Mandatory Access Control (MAC) to Linux, implemented by NSA as a proof of concept. SELinux basically sets security attributes for different objects and then matches them into security contexts. The SECMARK target is used to set a security context on a packet which can then be used within the security subsystems to match on.


The SECMARK target is only valid in the mangle table.

Table 11-16. SECMARK target options

Exampleiptables -t mangle -A PREROUTING -p tcp --dport 80 -j SECMARK --selctx httpcontext
ExplanationThe --selctx option is used to specify which security context to set on a packet. The context can then be used for matching inside the security systems of linux.