RE: Mangling and blocking

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

There is too few details about what you are exactly trying to do ( and what users are allowed to do in the GUI ),
but from my standpoint it seems like you would want to make a logic choice as the where you decide where packets should go .
IF it was me I think I would use the MARK to decide what should happen on basic levels , and most likely it would be something like this :

MARK "1" is traffic for PROXY
MARK "2" is "USER CHOSEN RULES"
MARK "4" is some sort of exceptions , that needs special care ...
All other packets ( MARK 0 ) I would just DROP

Sorry for no specific examples , but that would require some more details ...

As for a general rule , I would most likely redirect the following:
TCP port 21 , 80 and 443 to a squid proxy ( or other WEB/FTP proxy )
TCP and UDP 53 to a DNS server 
UDP 123 to a NTP server

As for the exceptions , that is for instance DHCP packets or ICMP packets required to allow normal flows and setup for the users .
And any destination you would always block , like MGMT systems or your GW/FW interfaces .
may also be you would like to block tunneling protocols - like IKE , TEREDO or SSH and some ICMP types that can redirect or mess with systems .


Best regards
André Paulsberg-Csibi
Senior Network Engineer 
Fault Handling
EVRY Nordic Operations AS
andre.paulsberg-csibi@xxxxxxxx
M +47 9070 5988



-----Original Message-----
From: netfilter-owner@xxxxxxxxxxxxxxx [mailto:netfilter-owner@xxxxxxxxxxxxxxx] On Behalf Of Steve Hill
Sent: 14. juli 2015 16:20
To: netfilter@xxxxxxxxxxxxxxx
Subject: Mangling and blocking


I'm writing some fairly complex firewall rules, which will be 
controllable through a GUI.  The basic requirement is:

1. The user can select whether or not to allow some traffic.
2. Traffic the user has opted to disallow, will be directed at a 
transparent proxy, if there is a suitable proxy, otherwise it will be 
dropped.  This is done by setting a MARK on the traffic and applying 
special routing to it.

I can obviously construct rules to make a decision about 
allowing/blocking traffic and apply them to the FORWARD chain in the 
filter table.  However, the rules to make a decision about what gets 
sent to the transparent proxy are almost identical to the filtering 
rules, but iptables only lets you MARK in the mangle table - this means 
I need to duplicate all the filter rules into the mangle table, which 
seems like a very inefficient way of doing things when there are a large 
number of rules.

Doing any kind of filtering in the mangle table seems to be strongly 
discouraged, so I'm looking for some advice on the best way to approach 
this.  What are the problems associated with either filtering in the 
mangle table's PREROUTING chain, or at least just having mangle rules to 
MARK packets that are to be allowed and then rules in the filter table 
that allow/drop based on that MARK?

 From looking at 
https://upload.wikimedia.org/wikipedia/commons/thumb/3/37/Netfilter-packet-flow.svg/2000px-Netfilter-packet-flow.svg.png 
it looks like:
- mangle:PREROUTING will carry both INPUT and FORWARD traffic, so care 
would need to be taken to ensure the rules are acting on the right traffic.
- mangle:PREROUTING rules won't be able to use -o, whereas 
filter:FORWARD could.
- mangle:PREROUTING will happen before any NAT, so some traffic would 
have the "wrong" addresses on it.


Secondly, am I right in thinking that a MARK that affects routing needs 
to be set in mangle:PREROUTING - i.e. by the time mangle:FORWARD is 
traversed, its too late?


Thanks.

-- 
  - Steve Hill
    Technical Director
    Opendium Limited     http://www.opendium.com

Direct contacts:
    Instant messager: xmpp:steve@xxxxxxxxxxxx
    Email:            steve@xxxxxxxxxxxx
    Phone:            sip:steve@xxxxxxxxxxxx

Sales / enquiries contacts:
    Email:            sales@xxxxxxxxxxxx
    Phone:            +44-1792-824568 / sip:sales@xxxxxxxxxxxx

Support contacts:
    Email:            support@xxxxxxxxxxxx
    Phone:            +44-1792-825748 / sip:support@xxxxxxxxxxxx
��.n��������+%������w��{.n����z��׫�)��jg��������ݢj����G�������j:+v���w�m������w�������h�����٥
[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux