Re: Filtering in PREROUTING --- Some random thoughts / points...

george wrote:
I've seen a few places telling me that you shouldn't filter in the
mangle table.  However, it seems sensible to me to drop junk packets in
PREROUTING rather than have to duplicate those rules in both INPUT and
FORWARD.

(Just some random thoughts / points for this discussion thread.)

- If you put most (all) of your rules (that you can) in the mangle:PREROUTING chain, you will need to optimize the order of the rules to make sure your traffic passes through as few rules as possible.

- In the mangle:PREROUTING chain, you cannot use the -o flag to specify the output interface for forwarded traffic. This means that any traffic that is not forwarded will still have to pass through the rules meant just for forwarded traffic. Sure, you can add other options to the rule that will help decide what traffic needs to be parsed by the rule(s). If you use the other (what I'll call) more appropriate tables / chains to filter in, you will have some inherent separation of which traffic will enter a given table / chain.

- Locally generated packets do not traverse the mangle:PREROUTING chain, thus cannot be filtered there.

- You can generate a sub chain (within a table) that can be called from multiple other chains. I.e. create a small chain that filters for NetBEUI traffic and jump to it from filter:INPUT / filter:FORWARD / filter:OUTPUT. I.e.

iptables -N Drop_NetBEUI
iptables -A Drop_NetBEUI -p tcp --sport 137 -j DROP
iptables -A Drop_NetBEUI -p udp --sport 137 -j DROP
iptables -A Drop_NetBEUI -p tcp --sport 138 -j DROP
iptables -A Drop_NetBEUI -p udp --sport 138 -j DROP
iptables -A Drop_NetBEUI -p tcp --sport 139 -j DROP
iptables -A Drop_NetBEUI -p udp --sport 139 -j DROP
iptables -A Drop_NetBEUI -p tcp --sport 445 -j DROP
iptables -A Drop_NetBEUI -p udp --sport 445 -j DROP
iptables -A Drop_NetBEUI -p tcp --dport 137 -j DROP
iptables -A Drop_NetBEUI -p udp --dport 137 -j DROP
iptables -A Drop_NetBEUI -p tcp --dport 138 -j DROP
iptables -A Drop_NetBEUI -p udp --dport 138 -j DROP
iptables -A Drop_NetBEUI -p tcp --dport 139 -j DROP
iptables -A Drop_NetBEUI -p udp --dport 139 -j DROP
iptables -A Drop_NetBEUI -p tcp --dport 445 -j DROP
iptables -A Drop_NetBEUI -p udp --dport 445 -j DROP
iptables -A Drop_NetBEUI -j RETURN

Then just jump to the chain from anywhere within the filter table that you want to. I.e.

iptables -A INPUT -j Drop_NetBEUI
iptables -A FORWARD -j Drop_NetBEUI
iptables -A OUTPUT -j Drop_NetBEUI

Grant. . . .
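As an added example (not Grant's commands above, and not part of the original thread), the same Drop_NetBEUI helper chain built with the multiport match so that one rule per protocol and direction covers all four ports, plus the jumps that hook it into INPUT, FORWARD and OUTPUT. It assumes iptables with the xt_multiport extension; IPT defaults to "echo iptables" so the script only prints the rules unless you set IPT=iptables and run it as root.

```shell
#!/bin/sh
# Added example: build the Drop_NetBEUI helper chain compactly with
# -m multiport (assumption: iptables with xt_multiport available).
# IPT defaults to "echo iptables" so the script is a dry run; set
# IPT=iptables to actually load the rules.
IPT="${IPT:-echo iptables}"
PORTS="137,138,139,445"

# Create the user-defined chain and drop NetBIOS/SMB ports in both
# directions for TCP and UDP, then RETURN to the calling chain.
build_drop_netbeui() {
    $IPT -N Drop_NetBEUI
    for proto in tcp udp; do
        $IPT -A Drop_NetBEUI -p "$proto" -m multiport --sports "$PORTS" -j DROP
        $IPT -A Drop_NetBEUI -p "$proto" -m multiport --dports "$PORTS" -j DROP
    done
    $IPT -A Drop_NetBEUI -j RETURN
}

# Jump to the helper from all three filter chains; OUTPUT is the one
# mangle:PREROUTING could never cover, since local packets skip it.
hook_drop_netbeui() {
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -A "$chain" -j Drop_NetBEUI
    done
}

# Helpers for checking the dry run: count emitted -A rules.
count_chain_rules() {
    build_drop_netbeui | grep -c -- '-A Drop_NetBEUI'
}

count_hooks() {
    hook_drop_netbeui | grep -c -- '-j Drop_NetBEUI'
}

build_drop_netbeui
hook_drop_netbeui
```

With the default dry run the script prints five rules for the helper chain (four DROP rules and the RETURN) and three jump rules, which is what the sixteen single-port rules above collapse to.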