On Tue, 28 Nov 2000, Rusty Russell wrote:

> In message <Pine.OSF.4.10.10011262257160.5186-100000@smaragdi.hut.fi> you write:
> > Anyone know how to properly filter packet floods using iptables w/ nat?
>
> You're doing fine, except the connection tracking code marks the `no
> flags' TCP packets as invalid, and the NAT code drops them.

Hmm... drops them when? And does that mean I'd actually need to use the DROPPED table to -j LOG ... them?

Now as I see it the packets traverse the tables something like this:

    rp_filter      # conflicts w/ fwmark?
    ip_conntrack
    mangle
    routing ?
    nat            # existing connections "skip" the rules here as they've already
    filter         # passed them...

... and any of those steps may drop packets, right? Any steps missed?

> Note that filtering packet floods makes no sense unless your bandwidth
> behind the box is < the bandwidth in front.

Well, packet floods tend to flood the connection tracking tables too.

If I want to avoid "crap" from flooding the connection tracking tables, is there any real difference between using PREROUTING from nat/mangle?

  a) when we wouldn't need the mangle table otherwise,
  b) when mangle table is used to route things like port 80 elsewhere?

-
: send the line "unsubscribe linux-net" in the body of a message to majordomo@vger.kernel.org
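Added example, not from this thread or from the netfilter project: a small Python decoder for the TCP header's flag byte that applies the check Rusty refers to above (a TCP segment with no flags set is marked INVALID by connection tracking, a SYN-only segment is what opens a NEW entry, and anything else can only be accepted against an existing entry). The build_segment() helper and the sample segments are constructed for the example; the conntrack_verdict() classification is a deliberate simplification of the real state machine, covering only the cases named in the mail. Running it over captured segments lets you count how much of a flood is no-flags traffic that conntrack would never have accepted in the first place, which is the traffic worth dropping with a plain `-p tcp --tcp-flags ALL NONE -j DROP` rule before it reaches the tracking table.

```python
import struct
from collections import Counter

# Bit positions of the classic six TCP flags in the low byte of the
# data-offset/flags field (RFC 793); ECN bits are deliberately masked off.
TCP_FLAG_BITS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04,
    "PSH": 0x08, "ACK": 0x10, "URG": 0x20,
}


def build_segment(src_port: int, dst_port: int, flags: int) -> bytes:
    """Construct a minimal 20-byte TCP header (constructed sample data, no options)."""
    data_offset_words = 5                      # 5 x 32-bit words = 20 bytes
    off_flags = (data_offset_words << 12) | (flags & 0x3F)
    # seq=0, ack=0, window=1024, checksum=0, urgent pointer=0
    return struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0, off_flags, 1024, 0, 0)


def parse_tcp_flags(segment: bytes) -> dict:
    """Decode ports and the set of flags that are on in a raw TCP segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header (< 20 bytes)")
    src, dst, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    flag_bits = off_flags & 0x3F
    flags = {name for name, bit in TCP_FLAG_BITS.items() if flag_bits & bit}
    return {"src_port": src, "dst_port": dst, "flags": flags}


def conntrack_verdict(segment: bytes) -> str:
    """Simplified connection-tracking view of one segment (assumption: no prior state).

    INVALID: no flags at all, which no legitimate TCP stack emits and which
             conntrack therefore never accepts as a connection.
    NEW:     SYN without ACK, the only thing that may create a tracking entry.
    EXISTING_ONLY: everything else is acceptable only if a matching entry exists.
    """
    flags = parse_tcp_flags(segment)["flags"]
    if not flags:
        return "INVALID"
    if flags == {"SYN"}:
        return "NEW"
    return "EXISTING_ONLY"


def summarize(segments) -> Counter:
    """Tally verdicts over a batch of captured segments."""
    return Counter(conntrack_verdict(s) for s in segments)


if __name__ == "__main__":
    # Constructed sample batch: a flood of no-flags segments plus a little real traffic.
    sample = [build_segment(40000 + i, 80, 0x00) for i in range(5)]
    sample.append(build_segment(51234, 80, TCP_FLAG_BITS["SYN"]))
    sample.append(build_segment(51234, 80, TCP_FLAG_BITS["ACK"] | TCP_FLAG_BITS["PSH"]))
    for verdict, count in summarize(sample).items():
        print(f"{verdict:14s} {count}")
```

The INVALID count is the part of the flood a defender can refuse early without any per-connection state, which is exactly why dropping no-flags segments in PREROUTING costs nothing in tracking-table capacity.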