* why DROP in PREROUTING
From: Brent Clark @ 2006-10-27 9:45 UTC (permalink / raw)
To: netfilter
Hi all
Would you please help me understand why you would do some dropping in the PREROUTING chain as opposed to the filter chains INPUT or FORWARD (e.g.)?
I've been browsing a few sites and I see sites like iptablesrocks.org etc. all have rules like so:
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
Just something I was thinking.
Kind Regards
Brent Clark
* Re: why DROP in PREROUTING
From: Gáspár Lajos @ 2006-10-27 9:59 UTC (permalink / raw)
To: Brent Clark; +Cc: netfilter
Brent Clark wrote:
> Hi all
>
> Would please help me understand as to why you would do some dropping
> in the PREROUTING as opposed to the filter of INPUT or FORWARD (e.g.)
>
It is not really nice, BUT...
the reason is:
you can filter all of these packets at one point, no matter where they
are coming from and going to....
> Ive been browsing a few sites and I see sites like iptablesrocks.org
> etc all have rules like so
>
> A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG
> FIN,PSH,URG -j DROP
...
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
>
> Just something I was thinking.
>
> Kind Regards
> Brent Clark
>
>
Swifty
* Re: why DROP in PREROUTING
From: Jakov Sosic @ 2006-10-27 14:52 UTC (permalink / raw)
To: netfilter
On Fri, 27 Oct 2006 11:59:58 +0200
Gáspár Lajos <swifty@freemail.hu> wrote:
> You can filter all of these packets at one point no matter where they
> coming from and going to....
Oscar is against it in his tutorial, he even says a reason. If I
remember correctly, it's because only the first packet hits that rule,
and others get the same action without further checking, and that's not
a good idea to do.
--
| Jakov Sosic | ICQ: 28410271 | PGP: 0x244F89CA |
| http://jsosic.homeunix.org | jsosic@jsosic.homeunix.org |
--
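The following is an added illustration for this thread, not code from any of the posters, from iptablesrocks.org or from netfilter. It does two things: it implements the matching semantics of "--tcp-flags MASK COMP" (the rule matches when the flags under MASK equal COMP exactly) so the four rules Brent quoted can be evaluated against sample packets, and it models the point Jakov raises. The "first packet only" behaviour he describes is what you get when such rules sit in the nat table, which is consulted only for the packet that creates a new connection; the mangle table's PREROUTING sees every packet, and the filter table's INPUT/FORWARD see every packet for their direction. The connection-tracking model below is a deliberate simplification (a connection is just its two endpoints, with no states or timeouts), and the packets are constructed sample data, not captures.

```python
"""Model of iptables --tcp-flags matching plus the "only the first packet
of a connection traverses the chain" behaviour of rules in the nat table.
Added illustration for the netfilter thread; not netfilter's own code."""

# Flag bits as they appear in the TCP header's 8-bit flags field.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flag_mask(spec):
    """Turn 'FIN,SYN' into a bitmask; ALL and NONE follow the iptables spelling."""
    spec = spec.strip().upper()
    if spec == "NONE":
        return 0
    if spec == "ALL":
        return sum(TCP_FLAGS.values())
    return sum(TCP_FLAGS[f] for f in spec.split(","))


def parse_rule(rule):
    """Extract (mask, comp, target) from one '-A CHAIN ... --tcp-flags MASK COMP -j TARGET' line."""
    toks = rule.split()
    i = toks.index("--tcp-flags")
    return flag_mask(toks[i + 1]), flag_mask(toks[i + 2]), toks[toks.index("-j") + 1]


def rule_matches(rule, flags):
    """--tcp-flags MASK COMP: the bits selected by MASK must equal COMP exactly."""
    mask, comp, _ = parse_rule(rule)
    return (flags & mask) == comp


# The four rules from the thread, in the order they were posted.
RULES = [
    "-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP",
    "-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP",
    "-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP",
    "-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP",
]


def verdict(flags, rules=RULES):
    """First matching rule wins, as in a chain; assume a default policy of ACCEPT."""
    for rule in rules:
        if rule_matches(rule, flags):
            return parse_rule(rule)[2]
    return "ACCEPT"


def run_chain(packets, rules=RULES, nat_mode=False):
    """Evaluate packets (src, sport, dst, dport, flags) against the chain.

    nat_mode=False: every packet traverses the chain (mangle PREROUTING, filter INPUT/FORWARD).
    nat_mode=True : only the packet that creates a connection traverses it; later packets
                    of that connection, in either direction, bypass the chain unchecked.
    """
    seen, verdicts = set(), []
    for src, sport, dst, dport, flags in packets:
        conn = frozenset({(src, sport), (dst, dport)})  # direction-agnostic key
        if nat_mode and conn in seen:
            verdicts.append("ACCEPT")  # chain not consulted for an existing connection
            continue
        seen.add(conn)
        verdicts.append(verdict(flags, rules))
    return verdicts


SYN, ACK, FIN, PSH, URG = (TCP_FLAGS[f] for f in ("SYN", "ACK", "FIN", "PSH", "URG"))

# Constructed sample traffic: a normal handshake, then a malformed segment sent
# inside that established connection, then a NULL (no flags) probe from elsewhere.
SAMPLE_PACKETS = [
    ("198.51.100.7", 40000, "192.0.2.10", 80, SYN),
    ("192.0.2.10", 80, "198.51.100.7", 40000, SYN | ACK),
    ("198.51.100.7", 40000, "192.0.2.10", 80, ACK),
    ("198.51.100.7", 40000, "192.0.2.10", 80, FIN | PSH | URG),  # caught only if every packet is checked
    ("198.51.100.8", 40001, "192.0.2.10", 80, 0),                # new connection, so nat mode still sees it
]

if __name__ == "__main__":
    for mode in (False, True):
        print("nat_mode=%s -> %s" % (mode, run_chain(SAMPLE_PACKETS, nat_mode=mode)))
```

Running it shows the difference Jakov is pointing at: with every packet checked, the fourth packet (FIN+PSH+URG inside an established connection) is dropped, while in nat mode it is accepted because only the connection's first packet ever traversed the chain. The fifth packet is dropped in both modes because it opens a new connection. If you want Gáspár's "one point" without that gap, a user-defined chain in the filter table jumped to from both INPUT and FORWARD gives the same single place for these rules while still seeing every packet.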