From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@lists.netfilter.org>
Subject: Re: Filtering in PREROUTING --- Some random thoughts / points...
Date: Thu, 18 Jan 2007 08:57:59 -0600
Message-ID: <45AF8AF7.5070207@riverviewtech.net>
In-Reply-To: <1169069905.10134.18.camel@len.t-t-l.co.uk>

george wrote:
> I've seen a few places telling me that you shouldn't filter in the
> mangle table.  However, it seems sensible to me to drop junk packets in
> PREROUTING rather than have to duplicate those rules in both INPUT and
> FORWARD.

(Just some random thoughts / points for this discussion thread.)

  - If you put most (all) of your rules (that you can) in the 
mangle:PREROUTING chain, you will need to optimize the order of the 
rules to make sure your traffic passes through as few rules as possible.

  - In the mangle:PREROUTING chain, you cannot use the -o flag to 
specify the output interface for forwarded traffic.  This means that any 
traffic that is not forwarded will still have to pass through the rules 
just for forwarded traffic.  Sure, you can add other options to the rule 
that will help decide what traffic needs to be parsed by the rule(s). 
If you use the other (what I'll call) more appropriate tables / chains 
to filter in, you will have some inherent separation of which traffic 
will enter a given table / chain.

  - Locally generated packets do not traverse the mangle:PREROUTING 
chain, and thus cannot be filtered there.

  - You can generate a sub chain (within a table) that can be called 
from multiple other chains.  I.e. create a small chain that filters for 
NetBEUI traffic and jump to it from filter:INPUT / filter:FORWARD / 
filter:OUTPUT.  I.e.

iptables -N Drop_NetBEUI
iptables -A Drop_NetBEUI -p tcp --sport 137 -j DROP
iptables -A Drop_NetBEUI -p udp --sport 137 -j DROP
iptables -A Drop_NetBEUI -p tcp --sport 138 -j DROP
iptables -A Drop_NetBEUI -p udp --sport 138 -j DROP
iptables -A Drop_NetBEUI -p tcp --sport 139 -j DROP
iptables -A Drop_NetBEUI -p udp --sport 139 -j DROP
iptables -A Drop_NetBEUI -p tcp --sport 445 -j DROP
iptables -A Drop_NetBEUI -p udp --sport 445 -j DROP
iptables -A Drop_NetBEUI -p tcp --dport 137 -j DROP
iptables -A Drop_NetBEUI -p udp --dport 137 -j DROP
iptables -A Drop_NetBEUI -p tcp --dport 138 -j DROP
iptables -A Drop_NetBEUI -p udp --dport 138 -j DROP
iptables -A Drop_NetBEUI -p tcp --dport 139 -j DROP
iptables -A Drop_NetBEUI -p udp --dport 139 -j DROP
iptables -A Drop_NetBEUI -p tcp --dport 445 -j DROP
iptables -A Drop_NetBEUI -p udp --dport 445 -j DROP
iptables -A Drop_NetBEUI -j RETURN

Then just jump to the chain from anywhere within the filter table that 
you want to.  I.e.

iptables -A INPUT -j Drop_NetBEUI
iptables -A FORWARD -j Drop_NetBEUI
iptables -A OUTPUT -j Drop_NetBEUI

Grant. . . .
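The shared-chain approach from the mail, written up as an added example script (this is not Grant's code or anything from the netfilter project). It assumes a standard iptables with the multiport match, which lets one rule per protocol cover all four NetBIOS/SMB ports whether they appear as source or destination, and it prints the commands instead of loading them unless APPLY=1 is set, since loading needs root and a live netfilter. The chain name and port list are the ones from the mail; everything else is constructed here.

```shell
#!/bin/sh
# Added example (not from the original mail): Drop_NetBEUI as a reusable
# filter-table chain, with the sixteen per-port rules collapsed into two
# multiport matches. Dry-run by default; APPLY=1 executes the commands.
set -eu

CHAIN="Drop_NetBEUI"            # chain name from the mail
PORTS="137,138,139,445"         # NetBIOS / SMB ports from the mail

# Emit the commands that build the shared chain, one per line.
# "-m multiport --ports" matches if EITHER the source or the destination
# port is in the list, so one rule per protocol replaces eight.
# -N is allowed to fail (chain already exists) and -F makes a re-run idempotent.
netbios_chain_rules() {
    cat <<EOF
iptables -t filter -N $CHAIN 2>/dev/null || true
iptables -t filter -F $CHAIN
iptables -t filter -A $CHAIN -p tcp -m multiport --ports $PORTS -j DROP
iptables -t filter -A $CHAIN -p udp -m multiport --ports $PORTS -j DROP
iptables -t filter -A $CHAIN -j RETURN
EOF
}

# Jumps from the three filter-table hooks. OUTPUT is what catches locally
# generated packets, which never traverse mangle:PREROUTING, so the same
# chain covers inbound, forwarded and locally generated traffic.
netbios_jump_rules() {
    for hook in INPUT FORWARD OUTPUT; do
        echo "iptables -t filter -A $hook -j $CHAIN"
    done
}

# Number of commands the script emits (quick sanity check for reviewers).
rule_count() {
    { netbios_chain_rules; netbios_jump_rules; } | wc -l | tr -d ' '
}

# Dry run prints the commands; APPLY=1 runs each one in order.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        { netbios_chain_rules; netbios_jump_rules; } | while IFS= read -r cmd; do
            eval "$cmd"
        done
    else
        netbios_chain_rules
        netbios_jump_rules
    fi
}

run
```

Run it once without APPLY to review the eight commands it would issue, then with `APPLY=1` as root to load them. The trailing `-j RETURN` is kept to mirror the mail, but a user-defined chain returns to its caller implicitly when a packet reaches its end, so it can be dropped without changing behaviour.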