Re: netfilter, nat & packet floods?

In message <Pine.OSF.4.10.10011291413570.17011-100000@safiiri.hut.fi> you write:
> On Tue, 28 Nov 2000, Rusty Russell wrote:
> 
> > In message <Pine.OSF.4.10.10011262257160.5186-100000@smaragdi.hut.fi> you write:
> > > Anyone know how to properly filter packet floods using iptables w/ nat?
> > 
> > You're doing fine, except the connection tracking code marks the `no
> > flags' TCP packets as invalid, and the NAT code drops them.
> 
> Hmm... drops them when? and does that mean I'd actually need to use the
> DROPPED table to -j LOG ... them?

Connection tracking fails to track them, then the NAT code drops them
before traversing the NAT table.

You could drop them in mangle, but there's little point.

> rp_filter # conflicts w/ fwmark?
> ip_conntrack
> mangle
> routing
> ? nat   # existing connections "skip" the rules here as they've already passed them...
> filter
> 
> ... and any of those steps may drop packets, right? any steps missed?

NAT occurs before routing, and rp_filter is part of routing.

> > Note that filtering packet floods makes no sense unless your bandwidth
> > behind the box is < the bandwidth in front.
> 
> Well packet floods tend to flood the connection tracking tables too. 

Sure, it'll start discarding things, but that's OK, as long as it
discards the right ones.  Are you having trouble getting real
connections in/out?

> If I want to avoid "crap" from flooding the connection tracking tables,
> is there any real difference between using PREROUTING from nat/mangle?
> - a) when we wouldn't need the mangle table otherwise,
> - b) when mangle table is used to route things like port 80 elsewhere?

mangle is used to alter TOS and fwmark at the moment.

Rusty.
--
Hacking time.
-
: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.kernel.org
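The logging the thread is asking about, written out as an added example (it is not part of Rusty's reply or of the netfilter project): flag-less TCP packets cannot be tracked, conntrack marks them INVALID, and the NAT code discards them before the nat table is consulted, so the mangle PREROUTING chain, which in a 2.4 kernel is traversed after connection tracking and before nat, is the last point where they can still be matched and logged. The script assumes a 2.4-era iptables with the state and limit matches available; the function name flood_filter_rules and the dry-run convention are this example's own.

```sh
#!/bin/sh
# Added example, not from the thread.  Assumes a 2.4-era iptables with the
# state and limit matches loaded.  Flag-less TCP packets ("null" scans and
# some flood tools) cannot be tracked, so conntrack marks them INVALID and
# the NAT code drops them before the nat table is ever consulted.  mangle
# PREROUTING runs after conntrack and before nat, so it is the last chain
# in which they can still be seen, which is why the LOG rules live there.

# flood_filter_rules CMD: emit the rules through CMD (iptables, or echo for
# a dry run).  Returns non-zero as soon as one rule fails to load.
flood_filter_rules() {
    ipt="$1"

    # Rate-limit the LOG target; otherwise the packet flood just becomes a
    # syslog flood and the logging itself is the denial of service.
    "$ipt" -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE \
        -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "tcp-null: " || return 1
    "$ipt" -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP || return 1

    # Anything else conntrack could not place in a connection, logged here
    # for the same reason: after this chain NAT discards it silently.
    "$ipt" -t mangle -A PREROUTING -m state --state INVALID \
        -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "invalid: " || return 1

    # Paths that never pass through NAT still get the untrackable packets
    # dropped in filter.
    "$ipt" -A INPUT   -m state --state INVALID -j DROP || return 1
    "$ipt" -A FORWARD -m state --state INVALID -j DROP || return 1
}

# Dry run by default; pass "apply" to load the rules for real (needs root).
if [ "${1:-}" = apply ]; then
    flood_filter_rules iptables
else
    flood_filter_rules echo
fi
```

Run it with no argument to print the five rules in order; `sh script.sh apply` loads them. The DROP in mangle is redundant when NAT is in use, exactly as Rusty says, and is there only for the non-NAT case; the LOG rules before it are what answer the original question.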

