Linux Netfilter discussions
* workaround for no DROP in table nat ?
@ 2009-06-15 16:59 David Madore
From: David Madore @ 2009-06-15 16:59 UTC (permalink / raw)
  To: netfilter

Hi list,

Recent versions of iptables have forbidden the use of DROP in the nat
table.  I can't understand, however, how one is supposed to work
around this limitation: is there a howto or some kind of documentation
somewhere which explains how to deal with this change?

Suppose my current rules look something like this:

-t nat -A OUTPUT -p tcp -d somenetwork -m tcp --syn --dport 80 -j CONTROLLED
-t nat -A CONTROLLED -m limit --limit 10/hour -j RETURN
-t nat -A CONTROLLED -p tcp -m statistic --mode random --probability 0.1 -j REDIRECT --to-ports 80
-t nat -A CONTROLLED -j DROP

In other words, the point is that connections which are outbound to
somenetwork should be dropped beyond a certain rate, except for a
small portion of them which should be redirected to a local port for
capturing.

I'm confused about what I should do to achieve the same effect under
the modified rules.  I can't put the whole thing in the filter table
because of the REDIRECT: but now I also can't put the whole thing in
the nat table because of the DROP.  I also fail to see how I can split
the rules across tables (if I replace -j DROP by -j RETURN in nat and
then replicate the limit check in the filter table, I'm afraid the
latter might not stay synchronized with the one in the nat table).

If the nat table is not allowed to just drop a packet, would it be
possible to have a -j MUSTBEDROPPEDINFILTERTABLE or something of the
sort, which ensures that the filter table will necessarily drop that
packet?  This would be a convenient workaround for the new limitation
(cleaner than, say, redirecting the packet to some absurd port and
then dropping on that port).

Any suggestions?

Happy hacking,

-- 
     David A. Madore
   ( http://www.madore.org/~david/ )


* Re: workaround for no DROP in table nat ?
From: Vincent Bernat @ 2009-06-15 17:24 UTC (permalink / raw)
  To: David Madore; +Cc: netfilter

OoO In the early evening of Monday 15 June 2009, around 18:59, David
Madore <david+ml@madore.org> said:

> Recent versions of iptables have forbidden the use of DROP in the nat
> table.  I can't understand, however, how one is supposed to work
> around this limitation: is there a howto or some kind of documentation
> somewhere which explains how to deal with this change?

> Suppose my current rules look something like this:

> -t nat -A OUTPUT -p tcp -d somenetwork -m tcp --syn --dport 80 -j CONTROLLED
> -t nat -A CONTROLLED -m limit --limit 10/hour -j RETURN
> -t nat -A CONTROLLED -p tcp -m statistic --mode random --probability 0.1 -j REDIRECT --to-ports 80
> -t nat -A CONTROLLED -j DROP

You can DROP in the mangle table instead.

-t mangle -A OUTPUT -p tcp -d ... -j CONTROLLED
-t mangle -A CONTROLLED -m limit --limit ... -j RETURN
-t mangle -A CONTROLLED -p tcp -m statistic --mode random --probability 0.9 -j DROP
-t mangle -A CONTROLLED -j MARK --set-mark 1
-t nat -A OUTPUT -m mark --mark 1 -j REDIRECT --to-ports 80

You can also DROP in the raw table, but I think you cannot set a mark
here.
-- 
BOFH excuse #381:
Robotic tape changer mistook operator's tie for a backup tape.


* Re: workaround for no DROP in table nat ?
From: Amos Jeffries @ 2009-06-16  4:29 UTC (permalink / raw)
  To: Vincent Bernat; +Cc: David Madore, netfilter

On Mon, 15 Jun 2009 19:24:10 +0200, Vincent Bernat <bernat@luffy.cx> wrote:
> OoO In the early evening of Monday 15 June 2009, around 18:59, David
> Madore <david+ml@madore.org> said:
> 
>> Recent versions of iptables have forbidden the use of DROP in the nat
>> table.  I can't understand, however, how one is supposed to work
>> around this limitation: is there a howto or some kind of documentation
>> somewhere which explains how to deal with this change?
> 
>> Suppose my current rules look something like this:
> 
>> -t nat -A OUTPUT -p tcp -d somenetwork -m tcp --syn --dport 80 -j
>> CONTROLLED
>> -t nat -A CONTROLLED -m limit --limit 10/hour -j RETURN
>> -t nat -A CONTROLLED -p tcp -m statistic --mode random --probability 0.1
>> -j REDIRECT --to-ports 80
>> -t nat -A CONTROLLED -j DROP
> 
> You can DROP in the mangle table instead.
> 
> -t mangle -A OUTPUT -p tcp -d ... -j CONTROLLED
> -t mangle -A CONTROLLED -m limit --limit ... -j RETURN
> -t mangle -A CONTROLLED -p tcp -m statistic --mode random --probability 0.9 -j DROP
> -t mangle -A CONTROLLED -j MARK --set-mark 1
> -t nat -A OUTPUT -m mark --mark 1 -j REDIRECT --to-ports 80
> 
> You can also DROP in the raw table, but I think you cannot set a mark
> here.

Would this not begin to drop n% of packets instead of n% of connections, due to
the nat table only receiving NEW packets and mangle receiving all?

I think you may also need to add state NEW to the rule somehow.

AYJ
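A constructed model of the point raised above (added here, not code from anyone in the thread): the nat-table chain is evaluated once per connection, while the mangle-table rewrite is evaluated per packet unless the CONTROLLED chain is entered only for SYN / NEW packets. The limit match is left out and the random verdict is injected through a `draw` callable so the behaviour can be checked deterministically.

```python
"""Toy model of this thread's rulesets (constructed example, not any poster's code):
nat sees only a connection's first packet, mangle sees every packet unless --syn is
matched. The limit match is left out to keep the model small."""
import random
from itertools import cycle

def make_traffic(n_conns, pkts_per_conn):
    """Constructed sample: (conn id, is_syn) tuples, one SYN then data per connection."""
    return [(c, i == 0) for c in range(n_conns) for i in range(pkts_per_conn)]

def fixed_draws(seq):
    """Deterministic stand-in for random.random(): cycles through seq (for tests)."""
    it = cycle(seq)
    return lambda: next(it)

def controlled_chain(draw, p_drop=0.9):
    """CONTROLLED body: statistic --mode random --probability 0.9 -j DROP,
    otherwise fall through to the redirect (MARK in mangle, REDIRECT in nat)."""
    return "DROP" if draw() < p_drop else "REDIRECT"

def nat_table(pkts, draw):
    """nat OUTPUT evaluates only the first packet of a connection; conntrack
    then applies the same decision to the rest of the flow."""
    fate, out = {}, []
    for conn, syn in pkts:
        if syn:
            fate[conn] = controlled_chain(draw)
        out.append(fate[conn])
    return out

def mangle_table(pkts, draw, match_syn=False):
    """mangle OUTPUT sees every packet; without a --syn match the random
    verdict is rolled again for each data packet of the same connection."""
    out = []
    for conn, syn in pkts:
        out.append("ACCEPT" if match_syn and not syn else controlled_chain(draw))
    return out

def mixed_connections(pkts, verdicts):
    """Count connections whose evaluated packets got more than one verdict,
    i.e. flows that are only partially dropped (Amos's n% of packets)."""
    seen = {}
    for (conn, _), v in zip(pkts, verdicts):
        if v != "ACCEPT":
            seen.setdefault(conn, set()).add(v)
    return sum(1 for vs in seen.values() if len(vs) > 1)

if __name__ == "__main__":
    traffic, rng = make_traffic(50, 5), random.Random(1).random
    for name, v in (("nat", nat_table(traffic, rng)), ("mangle", mangle_table(traffic, rng)),
                    ("mangle --syn", mangle_table(traffic, rng, True))):
        print(name, "partially dropped connections:", mixed_connections(traffic, v))
```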


* Re: workaround for no DROP in table nat ?
From: Покотиленко Костик @ 2009-06-16  7:08 UTC (permalink / raw)
  To: Amos Jeffries; +Cc: Vincent Bernat, David Madore, netfilter

On Tue, 16/06/2009 at 16:29 +1200, Amos Jeffries writes:
> On Mon, 15 Jun 2009 19:24:10 +0200, Vincent Bernat <bernat@luffy.cx> wrote:
> > OoO In the early evening of Monday 15 June 2009, around 18:59, David
> > Madore <david+ml@madore.org> said:
> > 
> >> Recent versions of iptables have forbidden the use of DROP in the nat
> >> table.  I can't understand, however, how one is supposed to work
> >> around this limitation: is there a howto or some kind of documentation
> >> somewhere which explains how to deal with this change?
> > 
> >> Suppose my current rules look something like this:
> > 
> >> -t nat -A OUTPUT -p tcp -d somenetwork -m tcp --syn --dport 80 -j
> >> CONTROLLED
> >> -t nat -A CONTROLLED -m limit --limit 10/hour -j RETURN
> >> -t nat -A CONTROLLED -p tcp -m statistic --mode random --probability 0.1
> >> -j REDIRECT --to-ports 80
> >> -t nat -A CONTROLLED -j DROP
> > 
> > You can DROP in the mangle table instead.
> > 
> > -t mangle -A OUTPUT -p tcp -d ... -j CONTROLLED
> > -t mangle -A CONTROLLED -m limit --limit ... -j RETURN
> > -t mangle -A CONTROLLED -p tcp -m statistic --mode random --probability 0.9 -j DROP
> > -t mangle -A CONTROLLED -j MARK --set-mark 1
> > -t nat -A OUTPUT -m mark --mark 1 -j REDIRECT --to-ports 80
> > 
> > You can also DROP in the raw table, but I think you cannot set a mark
> > here.
> 
> Would this not begin to drop n% of packets instead of n% of connections, due to
> the nat table only receiving NEW packets and mangle receiving all?
> 
> I think you may also need to add state NEW to the rule somehow.

Anyway, what is the reason for such a big change?

-- 
Покотиленко Костик <casper@meteor.dp.ua>

