* how to ignore forwarded traffic?
@ 2014-04-21  1:22 Sven Köhler
  2014-04-21  8:38 ` Anton 'EvilMan' Danilov
  0 siblings, 1 reply; 5+ messages in thread
From: Sven Köhler @ 2014-04-21  1:22 UTC (permalink / raw)
  To: netfilter

Hi,

consider the following example:
you have a router between two networks, and you want to cut off the
router from the outside world using some iptables rules. However, all
traffic that is forwarded by the router between the two networks
basically is to be ignored by iptables (i.e., the router does not play
firewall for any of the two networks).

Currently, if conntrack is loaded on the router, then conntrack -L on
the router lists all the connections, not only those to and from the
router, but also all connections between the two. Certainly, it takes
some CPU cycles for the router to keep track of all the connections.
Also, the number of connections that conntrack can take care of is limited.

So is there a way to let Linux "bypass" conntrack and maybe other
netfilter stuff when it comes to forwarded packets?


Kind Regards,
  Sven



* Re: how to ignore forwarded traffic?
  2014-04-21  1:22 how to ignore forwarded traffic? Sven Köhler
@ 2014-04-21  8:38 ` Anton 'EvilMan' Danilov
  2014-04-21 14:56   ` Sven Köhler
  0 siblings, 1 reply; 5+ messages in thread
From: Anton 'EvilMan' Danilov @ 2014-04-21  8:38 UTC (permalink / raw)
  To: Sven Köhler; +Cc: netfilter

Hi, Sven.

You can disable conntrack altogether by removing the module.
You can also disable conntrack only for specified connections with the CT
target (--notrack option).


2014-04-21 5:22 GMT+04:00 Sven Köhler <sven.koehler@gmail.com>:
> Hi,
>
> consider the following example:
> you have a router between two networks, and you want to cut off the
> router from the outside world using some iptables rules. However, all
> traffic that is forwarded by the router between the two networks
> basically is to be ignored by iptables (i.e., the router does not play
> firewall for any of the two networks).
>
> Currently, if conntrack is loaded on the router, then conntrack -L on
> the router lists all the connections, not only those to and from the
> router, but also all connections between the two. Certainly, it takes
> some CPU cycles for the router to keep track of all the connections.
> Also, the number of connections that conntrack can take care of is limited.
>
> So is there a way to let Linux "bypass" conntrack and maybe other
> netfilter stuff when it comes to forwarded packets?
>
>
> Kind Regards,
>   Sven
>



-- 
Anton.


* Re: how to ignore forwarded traffic?
  2014-04-21  8:38 ` Anton 'EvilMan' Danilov
@ 2014-04-21 14:56   ` Sven Köhler
  2014-04-21 15:45     ` Sven Köhler
  0 siblings, 1 reply; 5+ messages in thread
From: Sven Köhler @ 2014-04-21 14:56 UTC (permalink / raw)
  To: Anton 'EvilMan' Danilov; +Cc: netfilter

On 21.04.2014 11:38, Anton 'EvilMan' Danilov wrote:
> Hi, Sven.
> 
> You can disable conntrack altogether by removing the module.

Assume, the firewall protecting the router is stateful (i.e., it uses
conntrack).

> You can also disable conntrack only for specified connections with the CT
> target (--notrack option).

I now have the following three rules:

iptables -t raw -A PREROUTING -d <router-ip> -j CT
iptables -t raw -A PREROUTING -s <router-ip> -j CT
iptables -t raw -A PREROUTING -j CT --notrack

So any traffic directed at the router or coming from the router should
be conntracked while all other traffic is not.
Note that I don't have any rules in the OUTPUT chain of the raw table,
as it seems to me that the default (connections are conntracked) is fine.

Do the above rules seem OK to you?


Regards,
  Sven


* Re: how to ignore forwarded traffic?
  2014-04-21 14:56   ` Sven Köhler
@ 2014-04-21 15:45     ` Sven Köhler
  2014-04-22  6:45       ` Anton 'EvilMan' Danilov
  0 siblings, 1 reply; 5+ messages in thread
From: Sven Köhler @ 2014-04-21 15:45 UTC (permalink / raw)
  To: Anton 'EvilMan' Danilov; +Cc: netfilter

On 21.04.2014 17:56, Sven Köhler wrote:
> I now have the following three rules:
> 
> iptables -t raw -A PREROUTING -d <router-ip> -j CT
> iptables -t raw -A PREROUTING -s <router-ip> -j CT
> iptables -t raw -A PREROUTING -j CT --notrack

Correction:
iptables -t raw -A PREROUTING -d <router-ip1> -j CT
iptables -t raw -A PREROUTING -d <router-ip2> -j CT
iptables -t raw -A PREROUTING -j CT --notrack
(again no rules in the OUTPUT chain of the raw table)


* Re: how to ignore forwarded traffic?
  2014-04-21 15:45     ` Sven Köhler
@ 2014-04-22  6:45       ` Anton 'EvilMan' Danilov
  0 siblings, 0 replies; 5+ messages in thread
From: Anton 'EvilMan' Danilov @ 2014-04-22  6:45 UTC (permalink / raw)
  To: Sven Köhler; +Cc: netfilter

Hello, Sven.

Seems OK, but you should add
  iptables -t raw -A OUTPUT -j CT --notrack
to prevent tracking of the locally originated traffic.

2014-04-21 19:45 GMT+04:00 Sven Köhler <sven.koehler@gmail.com>:
> On 21.04.2014 17:56, Sven Köhler wrote:
>> I now have the following three rules:
>>
>> iptables -t raw -A PREROUTING -d <router-ip> -j CT
>> iptables -t raw -A PREROUTING -s <router-ip> -j CT
>> iptables -t raw -A PREROUTING -j CT --notrack
>
> Correction:
> iptables -t raw -A PREROUTING -d <router-ip1> -j CT
> iptables -t raw -A PREROUTING -d <router-ip2> -j CT
> iptables -t raw -A PREROUTING -j CT --notrack
> (again no rules in the OUTPUT chain of the raw table)



-- 
Anton.
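The following is an added example, not code posted in this thread: a small Python model of how the raw table decides which packets conntrack gets to see, run over the three rule sets discussed above (the first attempt with `-s <router-ip>`, the corrected one with two `-d` rules, and the corrected one plus `OUTPUT -j CT --notrack`). The addresses are constructed documentation-range values standing in for `<router-ip1>`/`<router-ip2>`, and the flow names are mine. The model follows the behaviour of the kernel's xt_CT target as I read it: the CT target is non-terminating and does nothing for a packet that already carries a conntrack pointer, so the first matching CT rule in a chain decides; locally generated packets traverse OUTPUT rather than PREROUTING; and a packet with no CT decision is tracked by default.

```python
# Added example (not from the thread): a model of the raw table's conntrack
# decisions for the rule sets discussed above. Addresses are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional

ROUTER_IP1 = "192.0.2.1"      # constructed: router address on network 1
ROUTER_IP2 = "198.51.100.1"   # constructed: router address on network 2


@dataclass(frozen=True)
class Rule:
    """One raw-table rule: optional -s / -d matches and the CT target variant."""
    src: Optional[str] = None   # -s <addr>
    dst: Optional[str] = None   # -d <addr>
    notrack: bool = False       # True: -j CT --notrack, False: plain -j CT


@dataclass
class Packet:
    src: str
    dst: str
    local_out: bool             # generated by the router: traverses OUTPUT, not PREROUTING
    nfct: Optional[str] = None  # conntrack decision attached so far ("tracked"/"untracked")


def matches(pkt: Packet, rule: Rule) -> bool:
    return (rule.src is None or rule.src == pkt.src) and \
           (rule.dst is None or rule.dst == pkt.dst)


def ct_target(pkt: Packet, rule: Rule) -> None:
    """Model of xt_CT: non-terminating, and a no-op once the packet already
    carries a conntrack pointer, so the first matching CT rule wins."""
    if pkt.nfct is not None:
        return
    pkt.nfct = "untracked" if rule.notrack else "tracked"


def classify(raw_table: Dict[str, List[Rule]], pkt: Packet) -> str:
    """Walk the raw chain this packet traverses and report conntrack's view.
    A packet with no CT decision reaches nf_conntrack_in and is tracked."""
    chain = raw_table["OUTPUT"] if pkt.local_out else raw_table["PREROUTING"]
    for rule in chain:
        if matches(pkt, rule):
            ct_target(pkt, rule)
    return pkt.nfct or "tracked"


def to_iptables(raw_table: Dict[str, List[Rule]]) -> List[str]:
    """Render the model back into the iptables commands it stands for."""
    lines = []
    for chain, rules in raw_table.items():
        for r in rules:
            cmd = f"iptables -t raw -A {chain}"
            if r.src:
                cmd += f" -s {r.src}"
            if r.dst:
                cmd += f" -d {r.dst}"
            cmd += " -j CT --notrack" if r.notrack else " -j CT"
            lines.append(cmd)
    return lines


# The three rule sets from the thread, in the order they were proposed.
FIRST_ATTEMPT = {
    "PREROUTING": [Rule(dst=ROUTER_IP1), Rule(src=ROUTER_IP1), Rule(notrack=True)],
    "OUTPUT": [],
}
CORRECTED = {
    "PREROUTING": [Rule(dst=ROUTER_IP1), Rule(dst=ROUTER_IP2), Rule(notrack=True)],
    "OUTPUT": [],
}
WITH_OUTPUT_NOTRACK = {
    "PREROUTING": CORRECTED["PREROUTING"],
    "OUTPUT": [Rule(notrack=True)],
}

# Constructed sample flows, one per case worth checking.
FLOWS = {
    "forwarded net1->net2": Packet("192.0.2.50", "198.51.100.80", local_out=False),
    "host on net2 -> router": Packet("198.51.100.80", ROUTER_IP2, local_out=False),
    "router -> host on net1": Packet(ROUTER_IP1, "192.0.2.50", local_out=True),
    "reply from net1 -> router": Packet("192.0.2.50", ROUTER_IP1, local_out=False),
}


def audit(raw_table: Dict[str, List[Rule]]) -> Dict[str, str]:
    """Conntrack's decision for every sample flow under one rule set."""
    return {name: classify(raw_table, Packet(p.src, p.dst, p.local_out))
            for name, p in FLOWS.items()}


if __name__ == "__main__":
    for label, table in (("first attempt", FIRST_ATTEMPT),
                         ("corrected", CORRECTED),
                         ("with OUTPUT --notrack", WITH_OUTPUT_NOTRACK)):
        print(f"== {label}")
        for cmd in to_iptables(table):
            print("  " + cmd)
        for flow, decision in audit(table).items():
            print(f"  {flow:28s} {decision}")
```

Running the audit shows the two points a defender wants confirmed before trusting such a rule set. Under the first attempt, the `-s <router-ip>` rule in PREROUTING never sees router-originated packets (they traverse OUTPUT), so traffic addressed to the router's second address falls through to the `--notrack` rule and is not tracked; the corrected set with one `-d` rule per router address tracks it. With `OUTPUT -j CT --notrack` added, router-originated packets leave untracked, while their replies still match `-d <router-ip>` in PREROUTING and are handed to conntrack with no existing entry to match; that is the trade-off to check if the stateful policy on the router relies on ESTABLISHED state for connections the router itself opens.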

