* DROP
@ 2005-04-18 5:37 Brent Clark
2005-04-18 6:36 ` DROP Taylor Grant
2005-04-18 13:35 ` DROP Jason Opperisano
0 siblings, 2 replies; 6+ messages in thread
From: Brent Clark @ 2005-04-18 5:37 UTC (permalink / raw)
To: iptables
Hi all
I was wondering, if was adviseable to set the default policy for tables
nat and mangle to DROP.
Current in my ruleset I have it as soo.
$IPT -t nat --policy PREROUTING ACCEPT
$IPT -t nat --policy OUTPUT ACCEPT
$IPT -t nat --policy POSTROUTING ACCEPT
$IPT -t mangle --policy PREROUTING ACCEPT
$IPT -t mangle --policy POSTROUTING ACCEPT
The default policy I have as soo:
$IPT --policy INPUT DROP #Setting the default policy for INPUT chain
$IPT --policy FORWARD DROP #Setting the default plicy for FORWARD chain
$IPT --policy OUTPUT DROP #Setting the default policy for the
OUTPUT chain
So do i need to need to go the extra mile and set the default policy for
tables nat and mangle to DROP.
Just something I was thinking.
Kind Regards
Brent Clark
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: DROP
2005-04-18 5:37 DROP Brent Clark
@ 2005-04-18 6:36 ` Taylor Grant
2005-04-18 13:35 ` DROP Jason Opperisano
1 sibling, 0 replies; 6+ messages in thread
From: Taylor Grant @ 2005-04-18 6:36 UTC (permalink / raw)
To: Brent Clark; +Cc: iptables
> I was wondering, if was adviseable to set the default policy for tables
> nat and mangle to DROP.
I don't know if it is advisable or not but it is entirely possible. Just as you explicitly allow traffic in through your filter chains via matching rules you will have to explicitly allow traffic in through your nat / mangle chains respectively too. I've done this in the past and found it somewhat overkill but effective. I don't think traffic in the mangle / nat tables reaches up to the standard TCP/IP, UDP/IP stack for your daemons to accept or drop as in port not advisable if you try to connect to an unknown / not listening service. If you had someone hammering away at a port on your system you could very easily add a rule in either nat:PREROUTING or the respective mangle chains. I do know that when you start firewalling in the nat and mangle table things get a lot more complicated as traffic will pass through one or more chains before it even reaches the filter table (this is esp
ecially true with the mangle table) and thus more complicated. I can't give you a reason
to not do this, other than possibly excessive complexity.
> So do i need to need to go the extra mile and set the default policy for
> tables nat and mangle to DROP.
I don't think I would do it again unless I was excessively paranoid.
Grant. . . .
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: DROP
2005-04-18 5:37 DROP Brent Clark
2005-04-18 6:36 ` DROP Taylor Grant
@ 2005-04-18 13:35 ` Jason Opperisano
2005-04-22 13:54 ` DROP Stephen J. McCracken
2005-04-22 14:34 ` DROP Stephen J. McCracken
1 sibling, 2 replies; 6+ messages in thread
From: Jason Opperisano @ 2005-04-18 13:35 UTC (permalink / raw)
To: netfilter
On Mon, Apr 18, 2005 at 07:37:22AM +0200, Brent Clark wrote:
> Hi all
>
> I was wondering, if was adviseable to set the default policy for tables
> nat and mangle to DROP.
no. *all* packets traverse the filter chains--do your filtering
there.
this question seems to come up every so often, and the idea is
absolutely indefensible, IMHO.
-j
--
"Tom Tucker: And now time for the Ollie weather report.
Ollie: It's gonna rain.
Tom Tucker: Thanks Ollie."
--Family Guy
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: DROP
2005-04-18 13:35 ` DROP Jason Opperisano
@ 2005-04-22 13:54 ` Stephen J. McCracken
2005-04-22 14:28 ` DROP Jason Opperisano
2005-04-22 14:34 ` DROP Stephen J. McCracken
1 sibling, 1 reply; 6+ messages in thread
From: Stephen J. McCracken @ 2005-04-22 13:54 UTC (permalink / raw)
To: Jason Opperisano; +Cc: netfilter
Jason Opperisano wrote:
> On Mon, Apr 18, 2005 at 07:37:22AM +0200, Brent Clark wrote:
>>I was wondering, if was adviseable to set the default policy for tables
>>nat and mangle to DROP.
>
> no. *all* packets traverse the filter chains--do your filtering
> there.
Just to better understand, don't all packets also pass the mangle table
and only the first packet of a connection the nat table?
Thanks for your enlightenment...
sjm
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: DROP
2005-04-22 13:54 ` DROP Stephen J. McCracken
@ 2005-04-22 14:28 ` Jason Opperisano
0 siblings, 0 replies; 6+ messages in thread
From: Jason Opperisano @ 2005-04-22 14:28 UTC (permalink / raw)
To: netfilter
On Fri, Apr 22, 2005 at 08:54:05AM -0500, Stephen J. McCracken wrote:
> Jason Opperisano wrote:
> >On Mon, Apr 18, 2005 at 07:37:22AM +0200, Brent Clark wrote:
>
> >>I was wondering, if was adviseable to set the default policy for tables
> >>nat and mangle to DROP.
> >
> >no. *all* packets traverse the filter chains--do your filtering
> >there.
>
> Just to better understand, don't all packets also pass the mangle table
> and only the first packet of a connection the nat table?
yes--all packets will traverse mangle, and --state NEW packets traverse
nat.
there's nothing wrong with doing some pre-filter scrubbing of absolute
stupidity in mangle, but the filter table is there for a reason
(filtering).
-j
--
"Bad Cockroach: Man, I'm going to cut you up so bad, that you... you
gonna wish I didn't cut you up so bad."
--Family Guy
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: DROP
2005-04-18 13:35 ` DROP Jason Opperisano
2005-04-22 13:54 ` DROP Stephen J. McCracken
@ 2005-04-22 14:34 ` Stephen J. McCracken
1 sibling, 0 replies; 6+ messages in thread
From: Stephen J. McCracken @ 2005-04-22 14:34 UTC (permalink / raw)
To: Jason Opperisano; +Cc: netfilter
Jason Opperisano wrote:
> On Mon, Apr 18, 2005 at 07:37:22AM +0200, Brent Clark wrote:
>>I was wondering, if was adviseable to set the default policy for tables
>>nat and mangle to DROP.
>
> no. *all* packets traverse the filter chains--do your filtering
> there.
Just to better understand, don't all packets also pass the mangle table
and only the first packet of a connection the nat table?
Thanks for your enlightenment...
sjm
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2005-04-22 14:34 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-04-18 5:37 DROP Brent Clark
2005-04-18 6:36 ` DROP Taylor Grant
2005-04-18 13:35 ` DROP Jason Opperisano
2005-04-22 13:54 ` DROP Stephen J. McCracken
2005-04-22 14:28 ` DROP Jason Opperisano
2005-04-22 14:34 ` DROP Stephen J. McCracken
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox