The three tables are to be used for different purposes.
The filter table is the ONLY table you should be blocking traffic on. With the standard 3 chains, you should be able to do any type of non-trivial blocking under the sun. If you need different match rules, use ebtables or iptables extensions.
The NAT table is only supposed to manipulate the source and destinations of the traffic coming into and out of the firewall. Blocking input and forward is still 100% coverage of inbound traffic, so blocking in NAT just makes an unnecessary rule that the system was not designed for.
The Mangle table changes everything else not relating to address redirection or filtering traffic. I have about 100 rules defined, and I don’t have 1 mangle. I think it is more of a specialized table better suited for tricky situations.
In conclusion, yes, iptables is good in that you don’t have to hack around with a bunch of different tables/chains to get things to work, but you do need to know which ones to use for what you want to do.
-----Original Message-----
Hi, I hope my English is OK. I have some questions:
Starting situation: I use Red Hat 9 Linux as a gateway firewall to route my private LAN via ADSL to the Internet. The gateway has 2 network interfaces, one for the internal network and one for the connection to the Alcatel modem.
I built my firewall very similar to the firewall in Robert Ziegler's book “Linux Firewalls, 2nd edition”. All policies for the 3 tables are set to DROP; I allow only special protocols and services. I don’t use a rule for the mangle table and just one rule for the NAT table (a masquerade rule for SNAT).
When I start my firewall script I cannot even ping the lo interface, but I actually have rules in the filter table to allow a ping to this interface (these rules stand before the policy rules in my firewall script). When I set only the policies of the NAT and mangle tables to ACCEPT and leave the filter table policies on DROP, then the firewall works very well (I have an Internet connection from all PCs of the private LAN and I can ping everything).
How come? What do the mangle and NAT tables have to do with pinging the local host? I thought the advantage of iptables is the fact that every packet passes just one chain and only local host packets need to go via 2 chains.
And that is the point: when I put the policies of the NAT chains and mangle chains to DROP, nothing is allowed any more. It seems that I lost rules in these chains, but why do packets go to the chains of mangle and NAT (the exception being the POSTROUTING chain of NAT, where masquerading takes place)?
If anyone knows where the problem is, please let me know.
Thank you
Gerald
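As an added check that is not part of either message above: a small Python script that parses an iptables-save style dump (the sample dump is constructed here to mirror the setup Gerald describes, with the outbound interface name ppp0 assumed) and flags every built-in chain outside the filter table whose policy is not ACCEPT, which is exactly the condition the reply says should never occur.

```python
import re

# Constructed iptables-save style dump (not from the original post). It
# reproduces the misconfiguration discussed in the thread: DROP policies
# set not only in filter but also in the nat and mangle tables.
SAMPLE_DUMP = """\
*nat
:PREROUTING DROP [0:0]
:POSTROUTING DROP [0:0]
:OUTPUT DROP [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*mangle
:PREROUTING DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
"""

# ":CHAIN POLICY [packets:bytes]"; user-defined chains carry "-" as policy.
POLICY_RE = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|REJECT|-)\s+\[\d+:\d+\]$")

def parse_policies(dump):
    """Return {table: {chain: policy}} from an iptables-save style dump."""
    tables, current = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):            # "*nat" opens a table section
            current = line[1:]
            tables.setdefault(current, {})
        elif line.startswith(":") and current is not None:
            m = POLICY_RE.match(line)
            if m:
                tables[current][m.group(1)] = m.group(2)
    return tables

def find_misplaced_drop_policies(dump):
    """Built-in chains outside filter whose policy is not ACCEPT: nat and
    mangle hooks sit on the same packet path, so a DROP there discards
    traffic before the filter table ever gets to decide on it."""
    findings = []
    for table, chains in parse_policies(dump).items():
        for chain, policy in sorted(chains.items()):
            if table != "filter" and policy not in ("ACCEPT", "-"):
                findings.append(f"{table}/{chain}: policy {policy}, expected ACCEPT")
    return findings
```

Run it against the output of `iptables-save` on the gateway; an empty result means only the filter table is doing the blocking.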