why DROP in PREROUTING

why DROP in PREROUTING

[Brent Clark]

Hi all

Would please help me understand as to why you would do some dropping in the PREROUTING as opposed to the filter of INPUT or FORWARD (e.g.)

Ive been browsing a few sites and I see sites like iptablesrocks.org etc all have rules like so

A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP

Just something I was thinking.

Kind Regards
Brent Clark

Re: why DROP in PREROUTING

[Gáspár Lajos]

Brent Clark írta:
> Hi all
>
> Would please help me understand as to why you would do some dropping 
> in the PREROUTING as opposed to the filter of INPUT or FORWARD (e.g.)
>
It is not really nice, BUT...

the reason is:

You can filter all of these packets at one point no matter where they 
coming from and going to....

> Ive been browsing a few sites and I see sites like iptablesrocks.org 
> etc all have rules like so
>
> A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG 
> FIN,PSH,URG -j DROP
...
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
>
> Just something I was thinking.
>
> Kind Regards
> Brent Clark
>
>
Swifty

Re: why DROP in PREROUTING

[Jakov Sosic]

On Fri, 27 Oct 2006 11:59:58 +0200
Gáspár Lajos <swifty@freemail.hu> wrote:

> You can filter all of these packets at one point no matter where they 
> coming from and going to....

Oscar is against it in his tutorial, he even says a reason. If I
remember correctly, it's beacuse only the first packet hits that rule,
and others get the same action without further checking, and that's not
a good idea to do.



-- 
|   Jakov Sosic   |   ICQ: 28410271   |   PGP: 0x244F89CA   |
| http://jsosic.homeunix.org  |  jsosic@jsosic.homeunix.org |
--