* REJECT target
@ 2003-04-10 19:23 Peteris Krumins
0 siblings, 0 replies; 10+ messages in thread
From: Peteris Krumins @ 2003-04-10 19:23 UTC (permalink / raw)
To: netfilter
Hello netfilter,
Holy Christ, I relied on being able to REJECT packets in any table, but
unfortunately after launching the program I was working on I got an
ugly 'iptables: Invalid argument' after executing
`iptables -A PREROUTING -t mangle .. -j REJECT`
Why can't I put -j REJECT in the PREROUTING chain of the mangle table?
The manual says it makes no sense, but it makes sense to me.
I mark certain packets (-j MARK) in the mangle table, and those
which are not marked should be REJECTed.
The only way, I think, I can solve it is using the FORWARD and INPUT
chains of the filter table: match any unmarked packets in these
chains and REJECT from there. But this adds some extra time (the packet
has to traverse another chain) and I have to duplicate the rules
(because of putting them in both INPUT and FORWARD).
Is there a patch or something for this problem, or can't it be done (REJECT
in mangle)?
P.Krumins
^ permalink raw reply [flat|nested] 10+ messages in thread
* REJECT target
@ 2003-06-25 0:39 DarKRaveR
2003-06-25 7:17 ` Jozsef Kadlecsik
0 siblings, 1 reply; 10+ messages in thread
From: DarKRaveR @ 2003-06-25 0:39 UTC (permalink / raw)
To: netfilter-devel
Hello netfilter-devel list,
I know this is not really a developers question, but maybe the
developers are the right people at hand, to explain this.
From what I read, the REJECT target is only valid in
INPUT/OUTPUT/FORWARD. Is there any particular reason why? I read in
one of the tutorials that you wouldn't need it at any other place,
but I think this is not perfectly true.
--
Best regards,
DarKRaveR mailto:DarKRaveR@habitat-b.de
* Re: REJECT target
2003-06-25 0:39 REJECT target DarKRaveR
@ 2003-06-25 7:17 ` Jozsef Kadlecsik
2003-06-25 14:13 ` Re[2]: " DarKRaveR
0 siblings, 1 reply; 10+ messages in thread
From: Jozsef Kadlecsik @ 2003-06-25 7:17 UTC (permalink / raw)
To: DarKRaveR; +Cc: netfilter-devel
On Wed, 25 Jun 2003, DarKRaveR wrote:
> I know this is not really a developers question, but maybe the
> developers are the right people at hand, to explain this.
> From what I read, the REJECT target is only valid in
> INPUT/OUTPUT/FORWARD. Is there any particular reason why? I read in
> one of the tutorials that you wouldn't need it at any other place,
> but I think this is not perfectly true.
The REJECT target is for filtering. The filter table has got the
INPUT/OUTPUT/FORWARD chains, therefore the REJECT target can be used in
those chains (and sub-chains, naturally).
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
* Re[2]: REJECT target
2003-06-25 7:17 ` Jozsef Kadlecsik
@ 2003-06-25 14:13 ` DarKRaveR
2003-06-26 6:40 ` Jozsef Kadlecsik
0 siblings, 1 reply; 10+ messages in thread
From: DarKRaveR @ 2003-06-25 14:13 UTC (permalink / raw)
To: netfilter-devel
Hello Jozsef,
I understood that; the question is why? I have a scenario where I
would need it in the PREROUTING chain of the nat table, instead of
just dropping the packets. Is there any reason why it is only
available in the filter table? I mean, it's for filtering, okay, but
maybe I want to reject connections properly at other places (like the nat
table, PREROUTING) instead of plain stupidly
dropping them and waiting for the client software to time out.
Wednesday, June 25, 2003, 9:17:56 AM, you wrote:
JK> On Wed, 25 Jun 2003, DarKRaveR wrote:
>> I know this is not really a developers question, but maybe the
>> developers are the right people at hand, to explain this.
>> From what I read, the REJECT target is only valid in
>> INPUT/OUTPUT/FORWARD. Is there any particular reason why? I read in
>> one of the tutorials that you wouldn't need it at any other place,
>> but I think this is not perfectly true.
JK> The REJECT target is for filtering. The filter table has got the
JK> INPUT/OUTPUT/FORWARD chains, therefore the REJECT target can be used in
JK> those chains (and sub-chains, naturally).
JK> Best regards,
JK> Jozsef
JK> -
JK> E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
JK> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
JK> Address : KFKI Research Institute for Particle and Nuclear Physics
JK> H-1525 Budapest 114, POB. 49, Hungary
--
Best regards,
DarKRaveR mailto:DarKRaveR@habitat-b.de
* Re[2]: REJECT target
2003-06-25 14:13 ` Re[2]: " DarKRaveR
@ 2003-06-26 6:40 ` Jozsef Kadlecsik
2003-06-26 10:14 ` Maciej Soltysiak
2003-06-26 14:56 ` Re[3]: " DarKRaveR
0 siblings, 2 replies; 10+ messages in thread
From: Jozsef Kadlecsik @ 2003-06-26 6:40 UTC (permalink / raw)
To: DarKRaveR; +Cc: netfilter-devel
Hi,
On Wed, 25 Jun 2003, DarKRaveR wrote:
> I understood that; the question is why? I have a scenario where I
> would need it in the PREROUTING chain of the nat table, instead of
> just dropping the packets. Is there any reason why it is only
> available in the filter table? I mean, it's for filtering, okay, but
> maybe I want to reject connections properly at other places (like the nat
> table, PREROUTING) instead of plain stupidly
> dropping them and waiting for the client software to time out.
The users of netfilter do not filter packets in the nat or mangle tables.
[Check out the mailing list archive and the documentation if you do not
know why. We discussed it countless times.]
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
* Re[2]: REJECT target
2003-06-26 6:40 ` Jozsef Kadlecsik
@ 2003-06-26 10:14 ` Maciej Soltysiak
2003-06-26 10:31 ` Jozsef Kadlecsik
2003-06-26 14:56 ` Re[3]: " DarKRaveR
1 sibling, 1 reply; 10+ messages in thread
From: Maciej Soltysiak @ 2003-06-26 10:14 UTC (permalink / raw)
To: Jozsef Kadlecsik; +Cc: DarKRaveR, netfilter-devel
> > I understood that; the question is why? I have a scenario where I
> > would need it in the PREROUTING chain of the nat table, instead of
> > just dropping the packets. Is there any reason why it is only
> > available in the filter table? I mean, it's for filtering, okay, but
> > maybe I want to reject connections properly at other places (like the nat
> > table, PREROUTING) instead of plain stupidly
> > dropping them and waiting for the client software to time out.
>
> The users of netfilter do not filter packets in the nat or mangle tables.
>
> [Check out the mailing list archive and the documentation if you do not
> know why. We discussed it countless times.]
Shouldn't it be in the FAQ then?
Regards,
Maciej
* Re[2]: REJECT target
2003-06-26 10:14 ` Maciej Soltysiak
@ 2003-06-26 10:31 ` Jozsef Kadlecsik
0 siblings, 0 replies; 10+ messages in thread
From: Jozsef Kadlecsik @ 2003-06-26 10:31 UTC (permalink / raw)
To: Maciej Soltysiak; +Cc: DarKRaveR, netfilter-devel
On Thu, 26 Jun 2003, Maciej Soltysiak wrote:
> > [Check out the mailing list archive and the documentation if you do not
> > know why. We discussed it countless times.]
> Shouldn't it be in the FAQ then?
Yes, definitely. The docs should be refreshed anyway.
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
* Re[3]: REJECT target
2003-06-26 6:40 ` Jozsef Kadlecsik
2003-06-26 10:14 ` Maciej Soltysiak
@ 2003-06-26 14:56 ` DarKRaveR
2003-06-26 15:19 ` Patrick Schaaf
2003-06-26 15:20 ` Patrick McHardy
1 sibling, 2 replies; 10+ messages in thread
From: DarKRaveR @ 2003-06-26 14:56 UTC (permalink / raw)
To: netfilter-devel
Hello Jozsef, list,
Okay, admitted. I would be glad to do that in the filter table; the
question is: how can I identify those packets when they were modified
in the nat table?
Assume I have a subnet and a cluster of IP addresses which get
redirected in the PREROUTING chain. Since the destination address is
getting changed, how can I now reject some of those packets when they
are meant for certain hosts/networks? So, what I want to do is redirect
packets, but those sent to certain destinations, or which were meant
for certain destinations, should be rejected. I don't want them to just
be dropped (without further notice).
In the current design I can't see any way to do such a thing; that's
why I wanted to reject them in nat(PREROUTING).
Any thoughts on that?
Sorry for bothering again...
-Sven
Thursday, June 26, 2003, 8:40:22 AM, you wrote:
JK> Hi,
JK> On Wed, 25 Jun 2003, DarKRaveR wrote:
>> I understood that; the question is why? I have a scenario where I
>> would need it in the PREROUTING chain of the nat table, instead of
>> just dropping the packets. Is there any reason why it is only
>> available in the filter table? I mean, it's for filtering, okay, but
>> maybe I want to reject connections properly at other places (like the nat
>> table, PREROUTING) instead of plain stupidly
>> dropping them and waiting for the client software to time out.
JK> The users of netfilter do not filter packets in the nat or mangle tables.
JK> [Check out the mailing list archive and the documentation if you do not
JK> know why. We discussed it countless times.]
JK> Best regards,
JK> Jozsef
JK> -
JK> E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
JK> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
JK> Address : KFKI Research Institute for Particle and Nuclear Physics
JK> H-1525 Budapest 114, POB. 49, Hungary
--
Best regards,
DarKRaveR mailto:DarKRaveR@habitat-b.de
* Re: REJECT target
2003-06-26 14:56 ` Re[3]: " DarKRaveR
@ 2003-06-26 15:19 ` Patrick Schaaf
2003-06-26 15:20 ` Patrick McHardy
1 sibling, 0 replies; 10+ messages in thread
From: Patrick Schaaf @ 2003-06-26 15:19 UTC (permalink / raw)
To: DarKRaveR; +Cc: netfilter-devel
> Okay, admitted. I would be glad to do that in the filter table; the
> question is: how can I identify those packets when they were modified
> in the nat table?
One approach that I used in some places, and which could be workable
for your scenario, is to use the MARK target at mangle/PREROUTING,
and then use the mark match both in the NAT decision, and in the
filter table. The firewall mark stays with the packet, regardless
of application of a NAT action.
The CONNMARK stuff may be even more useful / cover more cases.
best regards
Patrick
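The following is an added example, not code posted by anyone in this thread and not part of netfilter itself. It turns Patrick Schaaf's suggestion (MARK in mangle/PREROUTING, match the mark in the nat decision and again in the filter table, optionally carried across the connection with CONNMARK) into an iptables-restore(8) ruleset, with Patrick McHardy's conntrack match (`-m conntrack --ctorigdst`) shown as the alternative way to recognise the pre-NAT destination. It also adds a small pre-flight check for the constraint Jozsef states above: REJECT is registered for the filter table only, so a rule that jumps to it from mangle or nat is refused by the kernel with "Invalid argument". The interface, addresses and mark value are assumptions chosen for the illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed topology (hypothetical):
LAN_IF="eth1"                 # interface the clients arrive on
CLUSTER_NET="192.0.2.0/24"    # cluster addresses that get redirected
REAL_SERVER="10.0.0.10"       # DNAT target for the cluster
DENY_DST="192.0.2.66"         # original destination that must be refused, not silently dropped
DENY_MARK="0x2"               # firewall mark meaning "was addressed to DENY_DST"

# Emit an iptables-restore(8) ruleset. The mark is set in mangle/PREROUTING,
# which runs before nat/PREROUTING; it stays on the skb through DNAT, so both
# the nat decision and filter/FORWARD can still tell where the packet was
# originally headed. REJECT lives only in the filter table.
emit_ruleset() {
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
# CONNMARK variant: pick up a mark saved on an earlier packet of this connection
-A PREROUTING -j CONNMARK --restore-mark
-A PREROUTING -i $LAN_IF -d $DENY_DST -j MARK --set-mark $DENY_MARK
-A PREROUTING -m mark --mark $DENY_MARK -j CONNMARK --save-mark
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
# marked packets are not redirected; everything else for the cluster is DNATed
-A PREROUTING -i $LAN_IF -m mark --mark $DENY_MARK -j RETURN
-A PREROUTING -i $LAN_IF -d $CLUSTER_NET -j DNAT --to-destination $REAL_SERVER
COMMIT
*filter
:FORWARD DROP [0:0]
# reject (with an ICMP error, so the client does not wait for a timeout) by mark...
-A FORWARD -m mark --mark $DENY_MARK -j REJECT --reject-with icmp-host-prohibited
# ...or by the pre-NAT destination recorded in the conntrack entry
-A FORWARD -m conntrack --ctorigdst $DENY_DST -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d $REAL_SERVER -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Pre-flight check for a single rule given as iptables(8) arguments:
# returns 0 if the rule is fine, 1 if it jumps to REJECT outside the
# filter table (the case that produces "iptables: Invalid argument").
check_reject_placement() {
    table="filter"; target=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -t|--table) table="$2"; shift ;;
            -j|--jump)  target="$2"; shift ;;
        esac
        shift
    done
    [ "$target" != "REJECT" ] && return 0
    [ "$table" = "filter" ]
}

# Same check over a whole iptables-restore ruleset passed as one string:
# exit status is the number of REJECT rules found outside *filter.
lint_ruleset() {
    printf '%s\n' "$1" | awk '
        BEGIN { bad = 0 }
        /^\*/ { table = substr($0, 2) }
        /-j REJECT/ && table != "filter" {
            bad++; print "REJECT not allowed in table " table ": " $0 > "/dev/stderr"
        }
        END { exit bad }'
}

# Stand-alone run: print the ruleset (apply with: emit_ruleset | iptables-restore).
emit_ruleset
```

The nat RETURN for marked packets keeps the original destination intact, so the reject in FORWARD could also match on `-d` directly; the mark (or `--ctorigdst`) is what keeps the rule correct once the packet has been DNATed, which is exactly the identification problem raised in the thread. `check_reject_placement -t mangle -A PREROUTING -j REJECT` returns 1, reproducing the constraint without touching the kernel.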
* Re: REJECT target
2003-06-26 14:56 ` Re[3]: " DarKRaveR
2003-06-26 15:19 ` Patrick Schaaf
@ 2003-06-26 15:20 ` Patrick McHardy
1 sibling, 0 replies; 10+ messages in thread
From: Patrick McHardy @ 2003-06-26 15:20 UTC (permalink / raw)
To: DarKRaveR; +Cc: netfilter-devel
Have a look at the conntrack match from pom. This is probably what you want.
Bye,
Patrick
DarKRaveR wrote:
>Hello Jozsef, list,
>
>Okay, admitted. I would be glad to do that in the filter table; the
>question is: how can I identify those packets when they were modified
>in the nat table?
>
>Assuming I have a subnet and a cluster of ip addresses, which get
>redirected in the PREROUTING chain. since the destination address is
>getting changed, how can I now reject some of those packets, when they
>are meant for certain hosts/networks. So, what I want to do, redirect
>packets, but those send to certain destination, or which were meant
>for certain destinations should be rejected. I don't want them to just
>be dropped (without further notice).
>
>In the current design I can't see any way, to do such a thing, that's
>why I wanted to reject them in nat(PREROUTING).
>
>Any thoughts on that ?
>
>Sorry for bothering again ...
>
>-Sven
>
>
>