Re: Filtering in PREROUTING

George:

I am not an iptables expert but I will try to explain my understanding about filtering packets in the mangle table.

We know that all tables have the chains PREROUTING, INPUT, OUTPUT, POSTROUTING, FORWARD.

We know too that not all packets traverse all chains because that depends on "the path" that packet follows; in other words, we must have in mind whether the packet is a packet locally generated (you surfing the Internet on the device that acts as firewall) or whether the packet has as final destination the firewall (suppose that the firewall ("the gateway") is acting as a www server too and is receiving visits from the Internet). The other thing is that the packet must be forwarded by the device.

Why filter in the mangle table? The Internet is wild land. There are many circumstances: a web browser generating abnormal traffic because some security hole in the web browser has been successfully exploited. A host taken over or contaminated by a virus. In those circumstances, the TCP/IP traffic generated can have "illegal" headers or the traffic can be an attack on some other device in our networks or on a device in a remote network.

Inspecting the packet headers in the mangle table and dropping the abnormal traffic must be another mechanism for the "sanity" of the protected networks.

I hope that my few paragraphs give you some help to understand why filter in the mangle table. Of course, you must decide in which chain inside the mangle table to put your rules to protect your networks.

Best regards,

Jorge Dávila.


On Wed, 17 Jan 2007 21:38:24 +0000
george <gk@xxxxxxxxxxx> wrote:
I've seen a few places telling me that you shouldn't filter in the
mangle table.  However, it seems sensible to me to drop junk packets in
PREROUTING rather than have to duplicate those rules in both INPUT and
FORWARD.

Having done this, I'm seeing packets dropped as invalid when I would
expect them to be OK (but most traffic is behaving as expected).  Before
I start digging into this I want to check if filtering in the mangle
table really is stupid.

Can anyone explain this to me, or point me somewhere that will tell me
please.  I haven't found anything other than a simple statement
anywhere.

Thanks,
George.



Jorge Isaac Davila Lopez
Nicaragua Open Source
davila@xxxxxxxxxxxxxxxxxxxxxxx
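As an added example (not from the thread, and not anyone's production rule set), the script below does what George describes: it puts the header-sanity checks in a single chain hooked into mangle PREROUTING, so they are written once instead of being duplicated in INPUT and FORWARD. Each check logs (rate-limited) before it drops, so the LOG counters show which class of packet is being hit, which is exactly what you want when, like George, you see traffic dropped as INVALID that you expected to pass. The chain name SANITY and the log prefixes are chosen here; the script assumes iptables with the `conntrack` match available. It defaults to a dry run that prints the commands; set `IPT=iptables` and run as root to apply it.

```shell
#!/bin/sh
# Added example: header-sanity checks in a single chain under mangle PREROUTING.
# Dry-run by default (prints the iptables commands); IPT=iptables applies them.
set -e
IPT="${IPT:-echo iptables}"
LIMIT="-m limit --limit 5/min --limit-burst 10"   # keep the log from flooding

# Create the chain (ignore "already exists") and flush it so reruns are idempotent.
create_chain() {
  $IPT -t mangle -N SANITY 2>/dev/null || true
  $IPT -t mangle -F SANITY
}

# One LOG+DROP pair per class of bad packet: the LOG rule's counter tells you
# what is being dropped without having to read packet captures.
# $1 = log prefix, remaining args = the iptables match expression.
drop_with_log() {
  prefix="$1"; shift
  $IPT -t mangle -A SANITY "$@" $LIMIT -j LOG --log-prefix "$prefix: "
  $IPT -t mangle -A SANITY "$@" -j DROP
}

sanity_rules() {
  create_chain
  # Packets conntrack cannot classify (out-of-window sequence numbers, no known
  # connection, truncated headers). conntrack runs before the mangle table in
  # PREROUTING, so the state match is valid here; this is also the rule that
  # bites legitimate traffic when window tracking is strict or routing is
  # asymmetric, so watch its counter first.
  drop_with_log "SANITY invalid"   -m conntrack --ctstate INVALID
  # TCP flag combinations no legitimate stack emits.
  drop_with_log "SANITY null"      -p tcp --tcp-flags ALL NONE
  drop_with_log "SANITY xmas"      -p tcp --tcp-flags ALL FIN,URG,PSH
  drop_with_log "SANITY syn-fin"   -p tcp --tcp-flags SYN,FIN SYN,FIN
  drop_with_log "SANITY syn-rst"   -p tcp --tcp-flags SYN,RST SYN,RST
  # A NEW TCP connection must begin with a bare SYN.
  drop_with_log "SANITY new-nosyn" -p tcp ! --syn -m conntrack --ctstate NEW
  # Hook the chain at the top of mangle PREROUTING: every packet entering the
  # box, whether destined for INPUT or FORWARD, passes through it exactly once.
  $IPT -t mangle -I PREROUTING 1 -j SANITY
}

# Number of distinct checks the chain applies (one DROP rule each), computed
# from a dry run so it never touches the live rule set.
count_checks() {
  ( IPT="echo iptables"; sanity_rules ) | grep -c -- '-j DROP'
}

sanity_rules
```

After applying it for real, `iptables -t mangle -L SANITY -v -n` shows per-rule packet counts; if the "SANITY invalid" counter climbs on connections you know are legitimate, the usual causes are asymmetric routing (conntrack never saw the other half of the flow) or strict TCP window tracking, which the `nf_conntrack_tcp_be_liberal` sysctl relaxes. Note that these rules must sit in mangle, not raw: the raw table's PREROUTING runs before connection tracking, so a `--ctstate` match there never sees a tracked state.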


