From: Jorge Davila <davila@nicaraguaopensource.com>
To: george <gk@t-t-l.co.uk>, netfilter@lists.netfilter.org
Subject: Re: Filtering in PREROUTING
Date: Wed, 17 Jan 2007 16:17:58 -0600
Message-ID: <web-4020726@bk3.webmaillogin.com>
In-Reply-To: <1169069905.10134.18.camel@len.t-t-l.co.uk>

George:

I am not an iptables expert but I will try to explain my understanding of 
filtering packets in the mangle table.

We know that all tables have the chains PREROUTING, INPUT, OUTPUT, 
POSTROUTING, FORWARD.

We know too that not all packets traverse all chains because that depends 
on "the path" that the packet follows; in other words, we must have in mind 
whether the packet is a locally generated packet (you surfing the Internet on 
the device that acts as firewall) or whether the packet has the firewall as 
its final destination (suppose that the firewall ("the gateway") is acting as 
a www server too and is receiving visits from the Internet). The other thing 
is that the packet must be forwarded by the device.

Why filter in the mangle table? The Internet is wild land. There are many 
circumstances: a web browser generating abnormal traffic because some 
security hole in the web browser has been successfully exploited. A host 
taken over or contaminated by a virus. In those circumstances, the TCP/IP 
traffic generated can have "illegal" headers or the traffic can be an attack 
on some other device in our networks or on a device in a remote network.

Inspecting the packet headers in the mangle table and dropping the abnormal 
traffic must be another mechanism for the "sanity" of the protected networks.

I hope that my few paragraphs give you some help to understand why to filter 
in the mangle table. Of course, you must decide in what chain inside the 
mangle table to put your rules to protect your networks.

Best regards,

Jorge Dávila.


On Wed, 17 Jan 2007 21:38:24 +0000
  george <gk@t-t-l.co.uk> wrote:
> I've seen a few places telling me that you shouldn't filter in the
> mangle table.  However, it seems sensible to me to drop junk packets in
> PREROUTING rather than have to duplicate those rules in both INPUT and
> FORWARD.
> 
> Having done this, I'm seeing packets dropped as invalid when I would
> expect them to be OK (but most traffic is behaving as expected).  Before
> I start digging into this I want to check if filtering in the mangle
> table really is stupid.
> 
> Can anyone explain this to me, or point me somewhere that will tell me
> please.  I haven't found anything other than a simple statement
> anywhere.
> 
> Thanks,
> George.
> 
> 

Jorge Isaac Davila Lopez
Nicaragua Open Source
davila@nicaraguaopensource.com
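As an added example that is not part of this thread, a small shell script contrasting the two placements George is weighing: one INVALID-drop rule pair in mangle PREROUTING, versus the same pair duplicated in filter INPUT and FORWARD. The `ipt` wrapper, the rate-limited LOG before each DROP (so the "dropped as invalid when I expect OK" cases can be inspected in the kernel log) and the log prefixes are this example's own choices; rules are only printed unless APPLY=1, so it runs without root.

```shell
#!/bin/sh
# Constructed example: two ways of dropping conntrack-INVALID packets.
# ipt() prints the rule unless APPLY=1, so the generated rule set can be
# reviewed before it is ever loaded into the kernel.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# Variant A: a single rule pair in mangle PREROUTING. On the inbound path
# connection tracking runs before the mangle hook, so the state match is
# already meaningful here, and one rule covers both packets addressed to
# the firewall itself and packets that will be forwarded.
# Logging (rate-limited) before dropping is what lets you see which
# packets are being classified INVALID and why, without flooding the log.
rules_mangle_prerouting() {
    ipt -t mangle -A PREROUTING -m conntrack --ctstate INVALID \
        -m limit --limit 5/min -j LOG --log-prefix "mangle-INVALID: "
    ipt -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
}

# Variant B: the conventional filter-table placement. The same pair has to
# be installed twice, once in INPUT (traffic to the firewall) and once in
# FORWARD (transit traffic), which is the duplication George wants to avoid.
rules_filter_duplicated() {
    for chain in INPUT FORWARD; do
        ipt -t filter -A "$chain" -m conntrack --ctstate INVALID \
            -m limit --limit 5/min -j LOG --log-prefix "filter-INVALID: "
        ipt -t filter -A "$chain" -m conntrack --ctstate INVALID -j DROP
    done
}

# Count the DROP rules a variant installs, to make the duplication visible.
count_drops() { "$1" | grep -c -- '-j DROP'; }

if [ "${1:-}" = "show" ]; then
    rules_mangle_prerouting
    rules_filter_duplicated
fi
```

Run it as `sh script.sh show` to print both rule sets side by side; `APPLY=1` hands the same rules to iptables.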
