Grant Taylor wrote:
On 01/17/07 16:17, Jorge Davila wrote:
Why filter in the mangle table? Internet is wild land. There are many
circunstances: an web browser generating anormal traffic because some
security hole in the web browser has been sucessfully exploited. A
host taken or contamined by a virus. In that circunstances, the
tcp/ip traffice generated can have "illegal" headers or the traffice
can be an attack to some other device in our networks or to a device
in remote network.
You should really do your filtering in the filter table. If you are
worried about a compromised host sending malicious / malformed traffic
out, you should filter in the filter table OUTPUT chain. For
forwarded traffic, use the filter table FORWARD chain.
As we know, not all packets traverse the nat table thus we can not
reliably filter any and all packets there.
Likewise, the mangle table is used for special purposes in the Linux
kernel, namely to mangle or alter a packet in some way, say change the
ToS / DifServ fields.
There is also the fact that a kernel may not even have the mangle
table loaded in to the kernel.
You may know that you have filtered traffic in the mangle table, but
what about the guy / gal that replaces you when you are hit by a
Greyhound Buss? Will they know that you were / are filtering in the
mangle table?
I think that some of the filtering match extensions will only work in
the filter table, thus you could not use them in the mangle table.
Inspecting the packets headers in the mangle table and dropping the
anormal traffic must be another mechanic for the "sanity" of the
protected networks.
What can you do in mangle that you can not do in filter as far as
filtering traffic goes?
I hope that my few paragraphs gives you some help to understand why
filter in the mangle table. Of course, you must decide in what chain
inside the mangle put your rules to protect your networks.
There are ways that work and then there are the proper ways to do
things. I can format an entire raw disk drive. However, if any one
else works on the system and sees that there is not a partition table
they may assume that it is ok to use the disk. Or, I could make a MD
device out of an entire disk, but the Linux kernel would not know that
the disk is a RAID AutoDetect drive b/c there is no partition table
there to tell it such.
Some times there are reasons to do non standard things for very
special reasons, usually very stringent performance reasons. If you
are wanting to filter in the mangle table to prevent the connection
tracking system from seeing traffic (if even that will do so), you
should consider the raw table, which is used specifically to tell the
kernel not to track specific packets. Oh, by the way, the raw table
only has PREROUTING and OUTPUT chains.
Grant. . . .
This works in an ideal world. But we are in internet, linux routers has
to deal with many compromised clients that send all sort of traffic,
including DDOS and so on. Filtering in mangle PREROUTING is the best.
Otherwise, the bulk traffic will traverse several other chains and the
routing table, wich consumes a lot of CPU, and many times your linux
router will just get a bigger load instead of crashing (yea, compromised
hosts behind you can make your machine crash, every time). If you use
conntrack, it is even best to do the filtering in raw table in
PREROUTING, this way your conntrack table is saved from being filled.
