There is too few details about what you are exactly trying to do ( and what users are allowed to do in the GUI ), but from my standpoint it seems like you would want to make a logic choice as the where you decide where packets should go . IF it was me I think I would use the MARK to decide what should happen on basic levels , and most likely it would be something like this : MARK "1" is traffic for PROXY MARK "2" is "USER CHOSEN RULES" MARK "4" is some sort of exceptions , that needs special care ... All other packets ( MARK 0 ) I would just DROP Sorry for no specific examples , but that would require some more details ... As for a general rule , I would most likely redirect the following: TCP port 21 , 80 and 443 to a squid proxy ( or other WEB/FTP proxy ) TCP and UDP 53 to a DNS server UDP 123 to a NTP server As for the exceptions , that is for instance DHCP packets or ICMP packets required to allow normal flows and setup for the users . And any destination you would always block , like MGMT systems or your GW/FW interfaces . may also be you would like to block tunneling protocols - like IKE , TEREDO or SSH and some ICMP types that can redirect or mess with systems . Best regards André Paulsberg-Csibi Senior Network Engineer Fault Handling EVRY Nordic Operations AS andre.paulsberg-csibi@xxxxxxxx M +47 9070 5988 -----Original Message----- From: netfilter-owner@xxxxxxxxxxxxxxx [mailto:netfilter-owner@xxxxxxxxxxxxxxx] On Behalf Of Steve Hill Sent: 14. juli 2015 16:20 To: netfilter@xxxxxxxxxxxxxxx Subject: Mangling and blocking I'm writing some fairly complex firewall rules, which will be controllable through a GUI. The basic requirement is: 1. The user can select whether or not to allow some traffic. 2. Traffic the user has opted to disallow, will be directed at a transparent proxy, if there is a suitable proxy, otherwise it will be dropped. This is done by setting a MARK on the traffic and applying special routing to it. I can obviously construct rules to make a decision about allowing/blocking traffic and apply them to the FORWARD chain in the filter table. However, the rules to make a decision about what gets sent to the transparent proxy are almost identical to the filtering rules, but iptables only lets you MARK in the mangle table - this means I need to duplicate all the filter rules into the mangle table, which seems like a very inefficient way of doing things when there are a large number of rules. Doing any kind of filtering in the mangle table seems to be strongly discouraged, so I'm looking for some advice on the best way to approach this. What are the problems associated with either filtering in the mangle table's PREROUTING chain, or at least just having mangle rules to MARK packets that are to be allowed and then rules in the filter table that allow/drop based on that MARK? From looking at https://upload.wikimedia.org/wikipedia/commons/thumb/3/37/Netfilter-packet-flow.svg/2000px-Netfilter-packet-flow.svg.png it looks like: - mangle:PREROUTING will carry both INPUT and FORWARD traffic, so care would need to be taken to ensure the rules are acting on the right traffic. - mangle:PREROUTING rules won't be able to use -o, whereas filter:FORWARD could. - mangle:PREROUTING will happen before any NAT, so some traffic would have the "wrong" addresses on it. Secondly, am I right in thinking that a MARK that affects routing needs to be set in mangle:PREROUTING - i.e. by the time mangle:FORWARD is traversed, its too late? Thanks. -- - Steve Hill Technical Director Opendium Limited http://www.opendium.com Direct contacts: Instant messager: xmpp:steve@xxxxxxxxxxxx Email: steve@xxxxxxxxxxxx Phone: sip:steve@xxxxxxxxxxxx Sales / enquiries contacts: Email: sales@xxxxxxxxxxxx Phone: +44-1792-824568 / sip:sales@xxxxxxxxxxxx Support contacts: Email: support@xxxxxxxxxxxx Phone: +44-1792-825748 / sip:support@xxxxxxxxxxxx ��.n��������+%������w��{.n����z���)��jg��������ݢj����G�������j:+v���w�m������w�������h�����٥